1

I'm going to use the SharedPreferences keys to store my app information, so when I open the app again after onDestroy the information will still be the same.

I'm just wondering: is it safe to use SharedPreferences? I mean, is there a way to hack or get the KEYS from the SharedPreferences?
And do all Android platforms have SharedPreferences?

Thanks.

2 Answers

3

SharedPreferences aren't safe. SharedPreferences should just store config/settings data, not encrypted.

If you want to store critical data, you have to write it encrypted in a database/sharedPrefs.

By the way: http://android-developers.blogspot.de/2013/02/using-cryptography-to-store-credentials.html

Alexander Sidikov Pfeif
  • This makes a good point, but you could also technically encrypt your data and store it as a shared preference. – zgc7009 Aug 18 '14 at 23:03
  • If I encrypt the private data of my app and then store it in sharedPref, is it OK? Sorry, but so far I only know this sharedPref and I feel it's the easiest way to store the data. –  Aug 18 '14 at 23:10
  • Quoting your link: "This essentially obfuscates the key so that it's not readily visible to attackers. However, a skilled attacker would be able to easily see around this strategy. We don't recommend it. The fact is, Android's existing security model already provides plenty of protection for this kind of data. User credentials should be stored with the MODE_PRIVATE flag set". Which basically says that saving the keys in plain text is not much worse than this. – Vitor Hugo Schwaab Mar 22 '19 at 15:26
  • Shared preferences are safe enough. Just don't take them for granted. Avoid saving sensitive data and if your service really needs to be bank-account-like-safe, add the possibility for the user to drop the session remotely, invalidating your tokens, or don't save the session at all. – Vitor Hugo Schwaab Mar 22 '19 at 15:29
3

You shouldn't store any unencrypted valuable information (passwords, private user information, etc.) in SharedPreferences. SharedPreferences are just plain XML files in the app directory on internal storage. If you need to store something private, you definitely need to encrypt it first.

yunik
  • Encrypting the data is not that safe, definitely not fail-proof. An entity with root access can see the encrypted data. If the encryption key is stored in the app, or compiled with it, the malicious entity can figure that out as well. – Vitor Hugo Schwaab Mar 22 '19 at 15:22