securing Shared Preferences ofAndroid applications
- Code Shoppy
- Mar 6, 2020
- 3 min read
Programmers found the solution to this problem with the encryption. All the values can be encrypted just before storing to SharedPreferences. There are open source librarieslike EncryptedPreferences [11]. These libraries allow generating SharedPreferences, which are encrypted. However, EncryptedPreferences requires a password to encrypt text. Even if we implement AES encryption, there is often the need for a “secret.”If this password or “secret” is hard-coded into the appor uses some system value like MAC address, anyone looking through a decompiled version of the code can easily decipher what it takes to decrypt the Strings. We could generate a random long password, but if we put it in regular SharedPreferences, it will get persisted in plain text in a while. Approach took to hide password or secret key which is used to encrypt SharedPreference data is with the Obfuscation technique.Obfuscation makes it difficult for a reverse engineer, but as Obfuscation can only make it difficult, and not impossible to guess the secret key, the threat still exists.To solve the problem of data getting leaked from Androidphone’s internal memory, we propose the Hybrid Encryption Approach.Table 1 shows the threat, previous approached, and the proposed Hybrid Encryption Approach. Hybrid Encryption Approach uses Android KeyStore System to minimize drawback of encryption approach.D. Android Keystore SystemThe Android Keystore system[6]allows storingcryptographic keys in a container to make it more difficult to extract from the device. Once keys are in the Keystore, they can be used for cryptographic operations with the key material remaining non-exportable. Moreover, it offers facilities to restrict when and how keys can be used, such as requiring the user authentication for key use or restricting keys to be used only in certain cryptographic modes. Android Keystore system protects the key material from unauthorized use. Firstly, Android Keystore mitigates unauthorized use of key material outside of the Android device by preventing extraction of the key material from the application processes and from the Android device as a whole. Secondly, Android KeyStore mitigates unauthorized use of key material on the Android device by making apps specify authorized uses of their keys and then enforcing these restrictions outside of the apps' processes.The Keystore itself is encrypted using the user’s own lockscreen pin/password, hence, when the device screen is locked the Keystore is unavailable.CodeShoppy
Key material may be bound to the secure hardware (e.g., Trusted Execution Environment (TEE), Secure Element (SE)) of the Android device. When this feature is enabled for a key, its key material is never exposed outside of secure hardware. If the Android OS is compromised or an attacker can read the device's internal storage, the attacker may be able to use any app's Android Keystore keys on the Android device, but not extract them from the device. This feature is enabled only if the device's secure hardware supports the particular combination of key algorithm, block modes, padding schemes, and digests with which the key is authorized to be used.
but as they are encrypted, user’s privacy is not compromised. If a user changes these encrypted values, the application cannot decrypt these values in the original format, resulting in malfunctioning of the application. In Fig. 8 and Fig. 9, we can see that as both key and value pairs are encrypted, thusit makes more difficult for an attacker to understand these key-value pairs. These values now cannot be decrypted easily, as the key which was used to encrypt the data relies on AndroidKeystore. And, it was generated at the runtime and not storedThis paper discussed the security leaks of an Androidapplication due to XML files generated within the internal memory of application. This paper demonstrated the leak of the encrypted confidential data on internal memory with SharedPreference interface. We proposed a Hybrid Encryption approach for SharedPreferences combining encryption approach with Android Keystore system to protect the leaking confidential information from the Android device.The test results indicated that proposed Hybrid Encryption approach enables to secure local data on the device.
Comments