
I have 2 apps that are signed with the same keystore.

I want to share sensitive data between those apps.

For example, I encrypt a string in application A, put the result in `Context.MODE_WORLD_READABLE` SharedPreferences, read that data in application B and decrypt it.

Is that a reasonable scenario? Or should I approach this problem in some other way?

I could create key pairs in application A, but if I understand KeyStore correctly, then application B won't know anything about that?

Martynas Jurkus
  • `MODE_WORLD_*` are no longer supported on Android N. – CommonsWare Apr 05 '16 at 11:18
  • True. Any suggestions? Best practices? – Martynas Jurkus Apr 05 '16 at 11:22
  • Well, ideally, they would be just one app. Otherwise, use one of the available IPC mechanisms (e.g., service, broadcast receiver, content provider) with a custom `signature` permission. That too [has problems prior to Android 5.0](https://github.com/commonsguy/cwac-security/blob/master/PERMS.md). – CommonsWare Apr 05 '16 at 11:44
  • But increasing permission protection level to `signature` would solve that? – Martynas Jurkus Apr 05 '16 at 12:06
  • No. The problem -- as is described in the white paper that I linked to -- is that whoever defines the `<permission>` first wins, and they can hold the permission without the user being informed about it. So, they can downgrade the `signature` permission to `normal` and hold that permission, before your apps get installed. In this case, Android 5.0+ would prevent your apps from being installed, as 2+ apps cannot have the same `<permission>` unless they are signed by the same keystore. Prior to that, you have to detect this situation yourself and warn the user. – CommonsWare Apr 05 '16 at 12:10
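
One way to detect the pre-5.0 situation described in the last comment, as an added example that is not part of the original thread: before relying on the custom `signature` permission, confirm that it is still defined at signature level and that the package defining it carries your signing certificate. The permission name `com.example.permission.SHARE_DATA` and the class name are hypothetical.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.content.pm.PermissionInfo;

/** Added example; class and permission names are hypothetical. */
public final class SharedPermissionCheck {
    // Assumed name of the custom permission that both apps declare with
    // android:protectionLevel="signature" in their manifests.
    static final String PERMISSION = "com.example.permission.SHARE_DATA";

    private SharedPermissionCheck() {}

    /**
     * Returns true only if PERMISSION is defined at signature level by a
     * package signed with the same certificate as the calling app.
     */
    public static boolean isPermissionTrustworthy(Context context) {
        PackageManager pm = context.getPackageManager();
        PermissionInfo info;
        try {
            info = pm.getPermissionInfo(PERMISSION, 0);
        } catch (PackageManager.NameNotFoundException e) {
            return false; // nobody defines it, so it protects nothing
        }
        // An app installed earlier may have defined the same name as
        // "normal"; mask off the flag bits and compare the base level.
        int base = info.protectionLevel & PermissionInfo.PROTECTION_MASK_BASE;
        if (base != PermissionInfo.PROTECTION_SIGNATURE) {
            return false;
        }
        // The package that won the definition must carry our certificate.
        return pm.checkSignatures(context.getPackageName(), info.packageName)
                == PackageManager.SIGNATURE_MATCH;
    }
}
```

Run the check before exposing or reading the shared data, and refuse the exchange and warn the user when it returns false.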
