Reputation: 4614
How to Securely store application private files?
After reading some articles & threads on stackoverflow. I found out that even files stored with Context.MODE_PRIVATE can be read after rooting the device.
Then what are the options I have to store a file privately, which are only readable to my app.
Is encryption is only option I have ? I will keep file encrypted & only my app knows how to decrypt.
Does android platform provides any other mechanism for this purpose ?
Upvotes: 2
Views: 1173
Answers (4)
Reputation: 261
Short answer: You cannot, although I see some suggestions for making it slightly more annoying for people to find your secret among the current answers.
Longer answer: You cannot 100% guarantee the security of any data, but this is particularly true if it's on a physical device in someone else's hands.
It's also true that APK code itself isn't all that secure from reverse engineering(link to online apk decompiler).
That being said, you have a much better chance of securing data on a server which can only be accessed by authenticated users.
This is probably many levels of overkill, but Payment Cards Industry (PCI) compliance standards for data handling (random link with an overview) might be a good place to start from, and then you can decide for yourself how much security you actually want to implement. These are the data security standards required for payment processors who store payment card numbers(BINs).
There are also a lot of smaller payment processors who outsource the PCI-compliant part of their data handling to companies who already have the infrastructure in place, rather than invest in building to the standard themselves, due to the high requirements.
I know about all this PCI stuff from engineering experience in the FinTech industry. :)
Upvotes: 1
Reputation: 3979
Apart from the mentioned solutions (encryption) , another solution is Cloud Storage from Firebase (if you do NOT save files locally and use Firestore cache instead):
https://firebase.google.com/products/storage
If your data can be saved in db (like shared preferences data) its even better to use Cloud Firestore:
https://firebase.google.com/products/firestore
Upvotes: 0
Reputation: 481
There are some libs that provide Secure Share Pref like Hawk that enough to serve your purpose.
Upvotes: 2
Reputation: 764
Indeed, encrypting your files seems like a good defense against unbidden access to your data.
Android offers you a range of tools to safely encrypt and decrypt your data:
- Biometrics API is ideal if you would like to protect data using the user's biometric characteristics (such as fingerprints, or iris scans (the different biometric characteristics come with different level of security, at the moment)). Using the Biometrics API, you can ask the user for his or her fingerprint/iris. Once the user has authenticated, you can encrypt some data and store the encrypted text (and the cipher initialization vector), instead of the clear text (for example, in your shared preferences, or in a file). See here how to use it.
- If you would like to store cryptographic keys, certificates, or similar PKI-related data securely, you can use key stores. A key store is an encrypted file, where each entry can be protected by a different password. See here how to use it.
Android offers methods to generate new key pairs and secret keys.
Upvotes: 2
Related Questions
- Private file for an app
- Protecting a file in an apk
- saving, reading and securing data of apps directory in android
- Encrypting app's local files
- What is the best way to store a file within an Android app?
- Android - secure app data on external storage
- File Storage with security in Android
- Android - Secure place to store sensitive files inside the same project
- Android File encryption
- protect a file