38

First, a bit of my background. I have been working on large web systems for over a decade; Android is something I have been looking at for the past two months. As you can imagine, the gap is quite wide :)

Looking at the Security and Permissions and Data Storage parts of Android's documentation, talking directly to developers, and reading books and tutorials, it is pretty clear how the entire model works. However, I was unable to find an answer as to whether SQLite and SharedPreferences files are secure enough to store delicate non-encrypted information (for example, OAuth tokens). Is it possible for someone to grab them in any way? Quoting Android's documentation:

> Any data stored by an application will be assigned that application's user ID, and not normally accessible to other packages.

It's the not normally accessible part giving me additional grey hair :)

Thank you, helpful answers are appreciated :)

David Kuridža
  • I don't know the answer, but I don't _think_ the data is encrypted in any way. – Thomas Mueller Aug 31 '10 at 12:32
  • 1
    No, it is not. The only protection mechanism is through access permissions on the file system level. By rooting your phone, however, any application can access these XML files. See also: http://www.androiddiscuss.com/1-android-discuss/1671.html – Paul Lammertsma May 20 '11 at 21:08

2 Answers

43

> Is it possible for someone to grab them in any way?

That depends on the someone. As Mr. Burov indicates, users of rooted phones can get at whatever they want. Ordinary users and other applications can't, by default.

> It's the not normally accessible part giving me additional grey hair :)

By default, files are secure. You can make them world-readable or world-writable if you choose.

> Wouldn't it be possible to decompile apk file and find encryption key as well in that case?

That depends on who you are defending against. If you are defending against other apps, have the user supply the encryption key. If you are defending against the user, you're screwed, just as all implementations of DRM are screwed.

CommonsWare
  • 1
    There will always be someone trying to figure out how something is done, and there is no 100% protection possible. Encrypting the data should prevent most attempts from being successful, hopefully. I guess we have to settle with it for now. – David Kuridža Sep 01 '10 at 05:28
  • @DavidKuridža How about generating the key at runtime, for example with a timestamp? Then the key won't be shown in the file. Is it possible? – ninbit Aug 19 '18 at 13:15
1

Well, there is a bunch of SharedPreferences editor apps on the market, so they're definitely not secure. Also, on rooted devices the database can be pulled off easily, since the user has full access to the phone's filesystem. Hence, if you want your app to be totally secured, encrypt your data.

Konstantin Burov
  • Wouldn't it be possible to decompile apk file and find encryption key as well in that case? – David Kuridža Aug 31 '10 at 12:42
  • 9
    "Well, there is a bunch of SharedPreferences editor apps on the market, so they're definitely not secure." -- please name some, as a search of the Market comes up with none. – CommonsWare Aug 31 '10 at 12:59
  • @David well, you can obtain the key through an encrypted connection from some server on the web. Probably not the best solution, but it ensures a higher level of security. – Konstantin Burov Aug 31 '10 at 14:26
  • 2
    @CommonsWare: oh, scratch that, I was fooled by all the profile editing apps on the market (you know, those changing volume, brightness etc.). Shame on me :) – Konstantin Burov Aug 31 '10 at 14:28
  • It's something worth thinking about, thanks for mentioning it. – David Kuridža Sep 01 '10 at 05:25
  • @CommonsWare In case you are interested, I just found this app https://play.google.com/store/apps/details?id=com.felixheller.sharedprefseditor called Cheat Droid. It allows you to edit sharedprefs of any app on your phone as long as you have root access. Just used it to cheat on my own game... ;) – Twice Circled Apr 17 '13 at 19:30
  • @TwiceCircled: My comment was with respect to this answer's first sentence. Given the second sentence goes on to discuss rooting, the first sentence must be for non-root solutions. Your solution requires root. Root users can pretty much access anything they want. Non-root users should not be able to manipulate `SharedPreferences`, barring stupid moves on the developer's part (e.g., making them world-writeable). – CommonsWare Apr 17 '13 at 19:34
  • Your answer really intrigued me because I thought those apps are not possible, and it turns out that's correct. Although, as many people mentioned here, if rooted you can access ALL data on the phone, so there will probably be plenty of apps making that easier, but root is a prerequisite. – Igor Čordaš Feb 25 '14 at 14:53