When saving part of the UI state using SavedStateHandle, the data in the state is persisted (on disk) on app process death. For various domain/business reasons, this data might contain sensitive information. Where and how is this data persisted? And how secure is this persistence? And does the Android (device/target/compile) version matter for this?

The Android developer website provides a lot of information about saving UI state, storage and security, but they are large and separate topics that are hard to integrate (at least for me). So I'm unsure about what is stored where and how.

Erik
  • "the data in the state is persisted (on disk)" -- where is your proof of this? The saved instance state `Bundle` has been held in RAM of a core OS process since Android 1.0, and AFAIK `SavedStateHandle` is merely an abstraction around that `Bundle`. – CommonsWare Oct 27 '21 at 14:13
  • Thanks for your comment. My statement might be incorrect. It's likely my misunderstanding. (Like I said: some of the documentation topics that I thought were relevant didn't help me find an answer.) But it is precisely what my question is about: where the saved state handle data is stored. I agree that it seems like a bundle wrapper. But you also are unsure if it's truly kept in memory like a bundle. What would be an approach to find a more definitive answer? – Erik Oct 27 '21 at 19:18
  • To determine where `SavedStateHandle` goes, since it's a library, look at the implementation. In terms of where the `Bundle` goes, it can't be stored on disk, for the simple reason that the data inside the `Bundle` is not designed for on-disk storage. There is a separate `PersistableBundle` for that. If `SavedStateHandle` is using the `PersistableBundle` path, then you would need to consider that the data is stored on disk. – CommonsWare Oct 27 '21 at 19:33
  • Technically speaking, you have no guarantees regarding the security of any of this, even the simple `Bundle`, because there are tens of thousands of device models and who knows what kind of screwy changes manufacturers might have made. So, from my standpoint, "this data might contain sensitive information" is inadvisable. It is guaranteed that the data is leaving your process; I recommend that you try to avoid passing sensitive information outside of your process. – CommonsWare Oct 27 '21 at 19:35
  • That's a reasonable answer. Thanks for responding. – Erik Oct 27 '21 at 19:55

0 Answers