Android Hacking Part 12: reinforce Shared Preferences with a third-party library

Android Hacking Part 12: reinforce Shared Preferences with a third-party library

In the previous few issues, we introduced the implementation of Shared Preference during Android Application Development, and demonstrated how to steal Shared Preferences saved by apps with insufficient security protection. In this section, we will learn how to use a third-party library named "Secure Preferences" to protect data stored in Shared Preferences. Even if the device is root, this library cannot fully guarantee application security, but it is better protected than common Shared Preferences.

"Secure Preferences" is a Shared preferences encryption package library that encrypts Shared Prefereces data stored in XML files and is open-source.

This article will teach you step by step how to use the "Secure Prefereces" library in the development process to protect data security.

Android Secure Preferences

1. Download the "Secure Prefereces" library. The address is as follows:

 

2. Create a new project in Eclipse.

 

3. Add the library we just downloaded to the Project for future use. This process is similar to connecting other libraries to our Android app. If you do not know how to perform the operation, the simple step is: Right-click, select Properties, check "is Library", and connect it to the application we created.

4. To use Secure Prefereces, We need to initialize Secure Prefereces in the class.

5. Now we can create an "Editor" object like common Shared Preferences to insert data into XML.

As shown in, we use the putString method of the Editor object to insert data.

6. Use getString with necessary parameters to read data.

The code in reads a value whose key value is "PASSWORD" and is displayed in a textview.

 

This is the usage of "Secure Preferences" in application development.

 

Now, we will take a deeper look at the work behind "Secure Preferences", how it reduces the risk of data theft.

The APK and code used here can be downloaded from the above connection.

The Activity layout of the application we developed in this article contains an editing box, two buttons, one text box, and one button used to encrypt and save the data in the editing box, the other is used to decrypt and display data in the text box. For example:

When we enter data in the input box and click the "encrypt and save" button, the code in step 5 of the previous course will be executed to encrypt and save the data entered by the user:

When we click "Decrypt and Display", the data stored in Shared Preferences will be read and decrypted.

Now let's take a look at how data is stored in xml files and why it makes it more difficult for the hacker to steal information.

In the previous few installments, we already know that the Shared Prefercences data is stored in an XML file. Now, let's download this file to a local computer. You can use the following command:

 

Adb pull/data/com. isi. secureprefs/shared_prefs/com. isi. secureprefs_preferences.xml

 

You can run the cat command to view the file content:

Cat com. isi. secureprefs_preferences.xml

For example, you can see that the xml file does store data, but it is encrypted data.

How does "SecurePreferences" work?

Secure Preferences uses AES to encrypt data. When Secure Preferences is initialized for the first time, the pseudo-random number is used to generate a random key and the key-value pair is encrypted and saved, the encrypted result is added to base64 and saved to the XML file. Because AES is an encryption algorithm, decryption also uses the same key.

 

Summary

 

This topic describes how to Encrypt Key-value pairs stored in Shared Preferences. This method can greatly improve the security of the data stored in the device. However, this is not ideal when the device is root. A better solution is to use a password-based encryption method and a more user-Entered password to generate a key for encryption and decryption.