shoe

Reputation: 1080

How is Facebook Conceal secure if it just stores the key in SharedPreferences?

I want to secure some user data that's being stored in SharedPreferences, so I looked to Facebook Conceal.

The inherent issue with storing in SharedPreferences is that there are ways to access it and view the data, so naturally one would think about encrypting it so that looking at it is of no use, but if Facebook Conceal also stores the key in SharedPreferences how is it secure? It seems like viewing the data in this scenario now just requires two extra steps -- getting the key and using it to decrypt the data.

I imagine I'm missing something here, so I'm just looking for clarification on why Facebook Conceal is secure if it stores the keys used to decrypt the data in the same place where the data was insecure in the first place.

Upvotes: 2

Views: 1248

Answers (1)

Sam

Reputation: 5392

Well Shared Prefs can be public or private. But all that means is the security group assigned to the xml file that stores the key/value pairs and location of it.

If you want something to be secure you can use a SecureSharedPreference implementation. This will ensure no one can steal your information (well never a guarantee for a super hacker haha) but it will be like stealing a foreign language and good luck cracking it.

However, if you want to ensure that it is not stolen and not touched then using a local database is better. This is also susceptible to talented hackers though, so you could use SQLCipher if it really matters to ensure that it is encrypted in the database as well as stored privately for your app.

So your architecture and security needs are up to you and what is acceptable to your security team. Here is an open source securePref file I use for data that needs to be securely stored and accessed, but isn't the end of the world if someone steals my mumble jumble as they can't do anything with it.

/*
Copyright (C) 2012 Sveinung Kval Bakken, [email protected]
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 */

import android.content.Context;
import android.content.SharedPreferences;
import android.util.Base64;

import java.io.UnsupportedEncodingException;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;


public class SecuredPreferences {

    public static class SecurePreferencesException extends RuntimeException {

        public SecurePreferencesException(Throwable e) {
            super(e);
        }

    }

    private static final String TRANSFORMATION = "AES/CBC/PKCS5Padding";
    // Key names are encrypted with ECB (no IV) so the same name always maps to the same stored key and can be looked up.
    private static final String KEY_TRANSFORMATION = "AES/ECB/PKCS5Padding";
    private static final String SECRET_KEY_HASH_TRANSFORMATION = "SHA-256";
    private static final String CHARSET = "UTF-8";

    private final boolean encryptKeys;
    private final Cipher writer;
    private final Cipher reader;
    private final Cipher keyWriter;
    private final SharedPreferences preferences;

    /**
     * This will initialize an instance of the SecurePreferences class
     * @param context your current context.
     * @param preferenceName name of preferences file (preferenceName.xml)
     * @param secureKey the key used for encryption, finding a good key scheme is hard.
     * Hardcoding your key in the application is bad, but better than plaintext preferences. Having the user enter the key upon application launch is a safe(r) alternative, but annoying to the user.
     * @param encryptKeys setting this to false will only encrypt the values,
     * true will encrypt both values and keys. Keys can contain a lot of information about
     * the plaintext value of the value which can be used to decipher the value.
     * @throws SecurePreferencesException
     */
    public SecuredPreferences(Context context, String preferenceName, String secureKey, boolean encryptKeys) throws SecurePreferencesException {
        try {
            this.writer = Cipher.getInstance(TRANSFORMATION);
            this.reader = Cipher.getInstance(TRANSFORMATION);
            this.keyWriter = Cipher.getInstance(KEY_TRANSFORMATION);

            initCiphers(secureKey);

            this.preferences = context.getSharedPreferences(preferenceName, Context.MODE_PRIVATE);

            this.encryptKeys = encryptKeys;
        }
        catch (GeneralSecurityException e) {
            throw new SecurePreferencesException(e);
        }
        catch (UnsupportedEncodingException e) {
            throw new SecurePreferencesException(e);
        }
    }

    protected void initCiphers(String secureKey) throws UnsupportedEncodingException, NoSuchAlgorithmException, InvalidKeyException,
            InvalidAlgorithmParameterException {
        IvParameterSpec ivSpec = getIv();
        SecretKeySpec secretKey = getSecretKey(secureKey);

        writer.init(Cipher.ENCRYPT_MODE, secretKey, ivSpec);
        reader.init(Cipher.DECRYPT_MODE, secretKey, ivSpec);
        keyWriter.init(Cipher.ENCRYPT_MODE, secretKey);
    }

    // The IV is the first block of a hardcoded string, so every value is encrypted under the same IV.
    protected IvParameterSpec getIv() {
        byte[] iv = new byte[writer.getBlockSize()];
        System.arraycopy("fldsjfodasjifudslfjdsaofshaufihadsf".getBytes(), 0, iv, 0, writer.getBlockSize());
        return new IvParameterSpec(iv);
    }

    // The AES key is the SHA-256 digest of the secureKey string, so it is exactly as strong as that string.
    protected SecretKeySpec getSecretKey(String key) throws UnsupportedEncodingException, NoSuchAlgorithmException {
        byte[] keyBytes = createKeyBytes(key);
        return new SecretKeySpec(keyBytes, TRANSFORMATION);
    }

    protected byte[] createKeyBytes(String key) throws UnsupportedEncodingException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(SECRET_KEY_HASH_TRANSFORMATION);
        md.reset();
        byte[] keyBytes = md.digest(key.getBytes(CHARSET));
        return keyBytes;
    }

    public void put(String key, String value) {
        if (value == null) {
            preferences.edit().remove(toKey(key)).commit();
        }
        else {
            putValue(toKey(key), value);
        }
    }

    public boolean containsKey(String key) {
        return preferences.contains(toKey(key));
    }

    public void removeValue(String key) {
        preferences.edit().remove(toKey(key)).commit();
    }

    public String getString(String key) throws SecurePreferencesException {
        if (preferences.contains(toKey(key))) {
            String securedEncodedValue = preferences.getString(toKey(key), "");
            return decrypt(securedEncodedValue);
        }
        return null;
    }

    public void clear() {
        preferences.edit().clear().commit();
    }

    private String toKey(String key) {
        if (encryptKeys)
            return encrypt(key, keyWriter);
        else return key;
    }

    private void putValue(String key, String value) throws SecurePreferencesException {
        String secureValueEncoded = encrypt(value, writer);

        preferences.edit().putString(key, secureValueEncoded).commit();
    }

    // Encrypt the UTF-8 bytes with the given cipher and Base64-encode the result on a single line.
    protected String encrypt(String value, Cipher writer) throws SecurePreferencesException {
        byte[] secureValue;
        try {
            secureValue = convert(writer, value.getBytes(CHARSET));
        }
        catch (UnsupportedEncodingException e) {
            throw new SecurePreferencesException(e);
        }
        String secureValueEncoded = Base64.encodeToString(secureValue, Base64.NO_WRAP);
        return secureValueEncoded;
    }

    protected String decrypt(String securedEncodedValue) {
        byte[] securedValue = Base64.decode(securedEncodedValue, Base64.NO_WRAP);
        byte[] value = convert(reader, securedValue);
        try {
            return new String(value, CHARSET);
        }
        catch (UnsupportedEncodingException e) {
            throw new SecurePreferencesException(e);
        }
    }

    private static byte[] convert(Cipher cipher, byte[] bs) throws SecurePreferencesException {
        try {
            return cipher.doFinal(bs);
        }
        catch (Exception e) {
            throw new SecurePreferencesException(e);
        }
    }
}

Hope this helps. For the secure key just make your own random salt but keep it fixed so it doesn't change.

Upvotes: 1
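An added example, not part of the answer or of the posted class: the value scheme of that class (AES key = SHA-256 of secureKey, the class's fixed IV, AES/CBC/PKCS5Padding, Base64 NO_WRAP) reproduced stand-alone in Go so its properties can be checked off-device. It assumes that Android's Base64.NO_WRAP output equals standard padded Base64, and the passphrase and values are constructed samples.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// newCBC mirrors getSecretKey() and getIv(): AES key = SHA-256(secureKey), which is always a valid
// 32-byte key; the IV is the first block of the class's hardcoded string, identical for every value.
func newCBC(secureKey string) (cipher.Block, []byte) {
	key := sha256.Sum256([]byte(secureKey))
	block, _ := aes.NewCipher(key[:])
	return block, []byte("fldsjfodasjifudslfjdsaofshaufihadsf")[:aes.BlockSize]
}

// EncryptValue mirrors encrypt(value, writer): AES/CBC/PKCS5Padding, then Base64 NO_WRAP.
func EncryptValue(secureKey, value string) string {
	block, iv := newCBC(secureKey)
	n := aes.BlockSize - len(value)%aes.BlockSize // PKCS5: 1..16 pad bytes, each equal to n
	padded := append([]byte(value), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(padded, padded)
	return base64.StdEncoding.EncodeToString(padded)
}

// DecryptValue mirrors decrypt(): the secureKey string alone recovers the stored value.
func DecryptValue(secureKey, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil || len(raw) == 0 || len(raw)%aes.BlockSize != 0 {
		return "", fmt.Errorf("not a valid AES/CBC ciphertext: %v", err)
	}
	block, iv := newCBC(secureKey)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(raw, raw)
	n := int(raw[len(raw)-1]) // PKCS5 unpad, checking every pad byte
	if n == 0 || n > aes.BlockSize || !bytes.Equal(raw[len(raw)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", fmt.Errorf("bad padding: wrong key or tampered value")
	}
	return string(raw[:len(raw)-n]), nil
}

func main() { // constructed sample: one secret stored twice under the same passphrase
	a := EncryptValue("hardcoded-app-passphrase", "session-token-123")
	b := EncryptValue("hardcoded-app-passphrase", "session-token-123")
	pt, err := DecryptValue("hardcoded-app-passphrase", a)
	fmt.Println("identical ciphertexts:", a == b, "| decrypted:", pt, err)
}
```

Two things to take from it: decryption needs nothing but the string passed as secureKey, which is exactly the questioner's concern, and because the IV never changes, two entries holding the same value are stored as the same ciphertext, so equality of values is visible in the XML without any decryption.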
