Securing Personally Identifiable Information in Android using Jetpack Security
Submitting your app for VAPT (vulnerability assessment and penetration testing) only to get back a report card full of warnings in red, recommending that you secure the user data you store in SharedPreferences as plain text? Let’s see how we can fix them!
Preface
To start with, we normally store data as key-value pairs in SharedPreferences, and if we take a look at the file, it would look something like this 👇
As you can see, the plain text can be easily extracted by a malicious party, resulting in the loss of precious user data!
Thus, we will be securing it, and our end result will look something like this to the malicious party 👇
Let’s begin
We need to add the Jetpack security dependency to build.gradle like this 👇
Please note that 1.0.0-rc04 is the latest version at the time of writing this article. However, you can check if there are any new releases here.
Once you’ve added this and synced the Gradle project, let's initialize the encrypted preferences using 👇
A few key points to note here:
- There should be a singleton instance of the encryptedSharedPreferences object. Having multiple instances will lead to your app becoming laggy due to frame drops. 😰
- Jetpack Security uses a master key, which encrypts all subkeys that are used for each cryptographic operation. Jetpack Security provides a recommended default master key in the MasterKeys class. Here we use a basic AES256-GCM key which is generated and stored in the AndroidKeyStore. The AndroidKeyStore is a container that stores cryptographic keys at the hardware level, making them hard to extract.
- Subkeys are stored in a configurable SharedPreferences object.
Encrypt and store the data!
To encrypt and store the data, we just store it the way we do with normal SharedPreferences.
Voila, we are done! We don't have to write a single line of extra code beyond what we would normally write; all of it is handled by the Jetpack Security library.
My app is freezing, how to fix it?
Your app is probably skipping a lot of frames due to having multiple initializations of the Jetpack Security library. To solve this, we only need to maintain one single instance of the library so that initialization is only done once.
If you’re unsure about how to maintain a single instance, let’s go through an example.
Step 1: Create a singleton class like CryptoPref which will hold the reference to our encryptedSharedPreference instance.
The next step is to use it in any activity or fragment you like:
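The following Kotlin code puts the three pieces of the article together in one place: initializing EncryptedSharedPreferences with the MasterKeys API that security-crypto 1.0.0-rc04 exposes (the "Let's begin" section), storing data exactly as with plain SharedPreferences ("Encrypt and store the data!"), and the CryptoPref singleton from Step 1. It is an added example, not the article's own gist. The object name CryptoPref comes from the article; the file name secret_shared_prefs, the preference key user_email, the package name and ProfileActivity are assumptions made for illustration.

```kotlin
// app/build.gradle (Groovy DSL):
//   implementation "androidx.security:security-crypto:1.0.0-rc04"
package com.example.securedemo // hypothetical package name

import android.content.Context
import android.content.SharedPreferences
import android.os.Bundle
import androidx.appcompat.app.AppCompatActivity
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKeys

/**
 * Process-wide holder for exactly one EncryptedSharedPreferences instance.
 * Creating it touches AndroidKeyStore and sets up Tink keysets, which is
 * slow, so the instance is built once, lazily, and shared by every screen.
 */
object CryptoPref {
    // Name of the XML file written under shared_prefs/ (assumed for this example).
    private const val FILE_NAME = "secret_shared_prefs"
    // Sample PII key, constructed for this example.
    private const val KEY_USER_EMAIL = "user_email"

    @Volatile
    private var prefs: SharedPreferences? = null

    // Double-checked locking: the first caller creates the instance, later
    // callers (from any thread) reuse it without re-running initialization.
    private fun get(context: Context): SharedPreferences {
        return prefs ?: synchronized(this) {
            prefs ?: create(context.applicationContext).also { prefs = it }
        }
    }

    private fun create(appContext: Context): SharedPreferences {
        // AES256-GCM master key, generated inside AndroidKeyStore; only its alias
        // is returned, the key material itself never leaves the keystore.
        val masterKeyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC)
        return EncryptedSharedPreferences.create(
            FILE_NAME,
            masterKeyAlias,
            appContext,
            // Deterministic scheme for keys so the same name always encrypts to the
            // same ciphertext and lookups by name keep working.
            EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
            // Randomized AEAD scheme for values; what lands in the XML is ciphertext.
            EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
        )
    }

    // Same edit()/putString()/apply() flow as plain SharedPreferences;
    // encryption happens inside the library.
    fun saveEmail(context: Context, email: String) {
        get(context).edit().putString(KEY_USER_EMAIL, email).apply()
    }

    // getString() transparently decrypts the stored value.
    fun loadEmail(context: Context): String? =
        get(context).getString(KEY_USER_EMAIL, null)
}

// Using the singleton from an Activity (hypothetical screen for this example).
class ProfileActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        CryptoPref.saveEmail(this, "alice@example.com") // constructed sample value
        val email = CryptoPref.loadEmail(this)
        // email is now "alice@example.com" in memory, while the on-disk file
        // holds only the encrypted key and value.
    }
}
```

Two details matter for the claims made earlier in the article. First, the keystore is only hardware-backed on devices with a TEE or StrongBox; on other devices AndroidKeyStore falls back to a software keystore, so encryption still works but the "hard to extract" property depends on the device. Second, passing applicationContext into create() avoids holding an Activity reference for the life of the process, which would leak the Activity once the singleton outlives it.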
Voila! Your app is now super smooth! 😄
That’s all for now. Thanks for sticking till the end.
If I was able to provide some useful information to you, please don’t forget to hit the 👏 button.
Please check out my Github for more cool content. 😎