Igor

Reputation: 33973

Safe to store Oauth2 access/refresh tokens in Shared Preferences in Android?

I know that I can set the values to be 'MODE_PRIVATE' and only my application/userId will be able to access them, however, is there any way for the user to access these at any point? So is it 'safe' to store these in Shared Preferences, or is there a better place?

Furthermore, if I later decide to expose some preferences for setting by the user, would I be able to hide these values?

Thank you.

Edit: I know about Internal Storage as well, but am wondering if I can achieve something simpler with Shared Preferences.

Upvotes: 7

Views: 2698

Answers (3)

nov matake

Reputation: 958

Even if you store access tokens in the secure location on the device, you should still consider that they can be revealed. That's why you shouldn't have a client secret in your mobile application code. For access tokens, you can try to keep them secure, but you can't make it 100% secure. So you shouldn't get unnecessary scopes or unnecessarily long-lifetime tokens.

P.S. In general, a mobile device uses "response_type=token" (implicit grant) and it shouldn't get refresh tokens. It depends on the authentication server's policy though.

Upvotes: 3

dmon

Reputation: 30168

Shared Preferences are just a plain-text XML file stored in the application's data folder. This is not a secure location, by any means. It's quite easy to view these files and extract the tokens. You can still use the Shared Preferences, but you need to encrypt the information you are storing. As for "Internal Storage", those files share the same location with the "Shared Preferences", so they're still easy to view.

Your unencrypted data is safe from OTHER applications running on the phone, but not from malicious users.

Upvotes: 3
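One way to do the encryption dmon describes, as an added example that is not part of any answer here: generate the AES key inside the Android Keystore (so it cannot be exported by reading the app's data files) and write only ciphertext to SharedPreferences. It assumes API level 23 or later; the `TokenStore` class and the key alias are hypothetical names.

```kotlin
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.util.Base64
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Hypothetical helper: the AES key lives in the Android Keystore (non-exportable),
// SharedPreferences holds only IV:ciphertext. Assumes API 23+.
class TokenStore(context: Context) {
    private val prefs = context.getSharedPreferences("oauth", Context.MODE_PRIVATE)

    // Return the existing Keystore key, or create a 256-bit AES-GCM key on first use.
    private fun key(): SecretKey {
        val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
        (ks.getEntry(ALIAS, null) as? KeyStore.SecretKeyEntry)?.let { return it.secretKey }
        val gen = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        gen.init(
            KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .build()
        )
        return gen.generateKey()
    }

    // Encrypt the token; the Keystore chooses a fresh random IV for every call.
    fun save(name: String, token: String) {
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.ENCRYPT_MODE, key())
        val ct = cipher.doFinal(token.toByteArray(Charsets.UTF_8))
        val blob = Base64.encodeToString(cipher.iv, Base64.NO_WRAP) + ":" +
            Base64.encodeToString(ct, Base64.NO_WRAP)
        prefs.edit().putString(name, blob).apply()
    }

    // Decrypt and authenticate; a tampered blob makes doFinal throw rather than return garbage.
    fun load(name: String): String? {
        val blob = prefs.getString(name, null) ?: return null
        val (ivB64, ctB64) = blob.split(":", limit = 2)
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.DECRYPT_MODE, key(), GCMParameterSpec(128, Base64.decode(ivB64, Base64.DEFAULT)))
        return String(cipher.doFinal(Base64.decode(ctB64, Base64.DEFAULT)), Charsets.UTF_8)
    }

    // Drop stored tokens on logout so stale credentials do not linger on disk.
    fun clear() = prefs.edit().clear().apply()

    private companion object { const val ALIAS = "oauth_token_key" }
}
```

This keeps a copied preferences file useless on its own, but someone with root on the device can still drive the app into decrypting, so nov matake's advice about minimal scopes and short token lifetimes still applies.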

Nathan Schwermann

Reputation: 31493

If you want to show some preferences to the user, you won't have to worry about these showing up. I think shared_preferences would probably be the 'safest' place to store these things. Unless the user has a rooted phone and gives a malicious app root permission to go read your data files, there is nothing to worry about as far as I know. Although I am looking forward to others' responses. Starred!

Upvotes: 2
