CODEWITHSUNDEEP
javaandroid
Tobias Moe Thorstensen
Tobias Moe Thorstensen

Reputation: 8981

Security issues regarding a configuration xml file

In my application I have a config.xml file which is being parsed,. In this configuration file, there is some data that I don't what the end-user to see in plaintext. In this particular case, a password for a mail account. The config.xml file is saved to a folder with the path

/mnt/sdcard/my_application_folder/config.xml

I have looked up some methods which is provided by the class File

I tried to apply these methods this way:

String path = folder.getPathToNode() + "/config.xml";
configFile = new File(path);

if(configFile.exists()) {
    configFile.setReadable(false);
    configFile.setExecutable(true);
    configFile.setWritable(false);
}

I guess that some of you would suggest that I store this data in SharedPreferences, but my application has two user groups, the end-user and an administrator which will edit the config.xml on his computer, and transfer the file over to the phone.

I can open Astro File Manager and see the config.xml in plain text, but I should not because the file is not readable?

Can I parse this config.xml if I apply the values above? Can anybody suggest another solution to this "security issue"?

Upvotes: 0

Views: 91

Answers (2)

Bertjan Broeksema
Bertjan Broeksema

Reputation: 1551

In addition to Nikolay, storing a password in plain text is never a good idea. I'm not an android expert, but I'm sure they provide api's to [en/de]crypt data.

Upvotes: 0

Nikolay Elenkov
Nikolay Elenkov

Reputation: 52956

Don't save sensitive data on the SD card/external storage. Any application can read it, even without special permissions. Find another way to update settings (via the UI, server push, etc.) or at least think of some way to encrypt or obfuscate sensitive information. External storage is generally VFAT (or emulates it), so you cannot set file permissions.

Upvotes: 2

Related Questions