What I need:
For Android: I need to save data permanently, but also be able to edit (and obviously read) it. This data should NOT be accessible by the user - it can contain things like a highscore, which must not be edited by the user.
My Problem
I would have (and have already) used Internal Storage, but I´m not sure how safe it actually is. Here it says:
You can save files directly on the device's internal storage. By
default, files saved to the internal storage are private to your
application and other applications cannot access them (nor can the
user). When the user uninstalls your application, these files are
removed.
That´s basicly exactly what I need - but is it really safe? Can it be accessed (maybe only read?) through a rooted device? (Or any other way?)
What about SQLite-Databases or Shared Memory? Are they better suited for saving (small amounts of) data?
Also: is it generally recommended to handle "secret" data in a different way internally? (like not saving it (internally) as Integer/String but some kind of encrypted)
Can it be accessed (maybe only read?) through a rooted device?
It can be read from and written to.
it can contain things like a highscore, which must not be edited by the user.
It is the user's data, not yours. It is the user's device, not yours. Hence, the user can edit that data if the user wants, so long as their data is stored on their device.
Now, if you wanted to prevent somebody else from editing that data, then encryption, with a user-supplied password, is a reasonable measure. That would seem unnecessary for a game high score.
Otherwise, if you do not want them editing that data, do not store it on their device.
Using SharedPreferences is what you may want. It saves data in an XML file deep in the caverns of the /data/ directory. The user or other apps can't get there unless the phone has root permissions.
http://developer.android.com/reference/android/content/SharedPreferences.html
No it's not safe, user can modify files on rooted devices and emulator. It's better to use Encryption, but encryption is not 100% safe, In fact experienced geeks can crack your encryption. I suggest saving critical data which should not accessed or manipulate by user on your webserver not on user's devices.
Related
What could be used instead of Shared Preferences for storing user information? People say Shared Preference is not Secure.
You can use SQLCipher library for encrypted database or encrypt/decrypt values yourself with some key and store result in SharedPreferences. To store keys use Android keystone system.
If you are storing information in the users' device, no approach is 100% secure. You can hide the information in some ways (eg. encoding, encryption, etc) but still won't be 100% secure.
In order to make your information secure, you will need to store the information in a remote server.
Shared Preferences are stored as a file in the filesystem on the device. They are, by default, stored within the app's data directory with filesystem premissions set that only allow the UID that the specific application runs with to access them. So, they are private in so much as Linux file permissions restrict access to them, the same as on any Linux/Unix system.
Anyone with root level access to the device will be able to see them, as root has access to everything on the filesystem. Also, any application that runs with the same UID as the creating app would be able to access them (this is not usually done and you need to take specific action to make two apps runs with the same UID, so this is probably not a big concern). Finally, if someone was able to mount your device's filesystem without using the installed Android OS, they could also bypass the permissions that restrict access.
If you're concerned about such access to your preferences (or any data written by your application), then you will want to encrypt it. If you are that concerned about them, you're going to need to figure out exactly how much protection is necessary for the level of risk you see.
You can also use Database with encryption like whatsapp. Its a best way for security point of view. If you want you can hide the Database also.
I need to save some URL that could change later in my app. I want that no-one can see them and find these URLs.
I tried SharedPrefences and database but they are easily accessible by any one who has a rooted phone.
Is there anyway to encode this data and save them in SharedPrefences so that I can decrypt it in the app?
encrypted-userprefs is a good library that allows you to encrypt the saved preferences. However, keep in mind that through reverse engineering, it might still be possible to retrieve the encryption keys from your APK and since you're using a URL, your app is likely to request it at some point where a network tool such as WireShark can observe it.
You can make it difficult, but you can't make it impossible.
Think about it: you want the information to be accessible to your app (you didn't say that, but I'm assuming it), but inaccessible to everyone else. That means your app has to have more information than anyone else, even a human who has root access to the phone.
Anyone who has that level of access to your phone has access to the app's bytecode. They can use this to see what your app does, down to the finest detail. In other words, what information does your app have that a human can't gain access to? None. Anything your app can do, a determined human with root access can also do.
Sensitive information should always be stored server-side. Even then, anyone with root access to your server can get at that information (for the same reasons as above); but the idea is that everyone and their mother can download the app, but people you trust (employees, etc) can get at the server.
I want to save downloaded images from a server. I want these images to be accessible only from within the application itself. I don't want the images accessible from anywhere else, i.e. someone can just delete/modify it like if it was on the SD card or from another different application. I'm thinking it would be best if I were to use internal storage, as it is private to my app.
http://developer.android.com/guide/topics/data/data-storage.html#filesInternal
are there better options out there?
Internal storage is the best option if you want to keep your files private.
However, on most devices, internal storage is very limited and the users might uninstall your app if you use too much of it (images can be pretty big).
You should look into using the external storage to save images, and possibly encrypting them if you really want to keep them private.
As already mentioned by Raghav this would be a good option, and as said the internal storage is very limited (mostly on older devices), however if you are on a rooted device it will be possible to delete your files anyway. Take into account the limited storage, as people is also making "swap partitions" on their SD cards because internal storage is very limited.
This is is the simplest solution. The other typical solution is to store the image as a blob in the application's database. This will make it completely inaccessable outside of your application. You can do it using the method shown here:
How to store and retrieve a byte array (image data) to and from a SQLite database?
The draw back to this is the relatively small memory space you will be given for your DB (<60MB), so this only works if you have a small number of images.
I am writing an SDK for Android that will be used by many different apps. Each app needs to know if there is a previous installation of another app that uses the SDK; the first one will create a random id (a cookie) and store it, all later apps have to read it and reuse it. Note that the cookie will be created anew for every device.
I have searched for a long time for the answer; please read thoroughly before answering because I have read lots of different StackOverflow answers and have scoured the internet reading random blogs; I have tried a lot of things but none worked (I will save you the links).
A ContentProvider is definitely overkill. Also it needs to intrude an app's AndroidManifest.xml, something I am trying to avoid.
Likewise for a service: needs to be defined in the AndroidManifest.xml, which I do not control and do not want to require changes to.
Using external storage would perhaps be an option, but I don't want to require additional permissions.
Using SharedPreferences directly with getSharedPreferences() does not work because apps can only access their own preferences.
I can get a common preferences object using createPackageContext(package, MODE).getSharedPreferences(). This would work beautifully if I had a main package and many clients of the data, but in fact I don't know the package of the app that will be installed first -- it can be any of them. I don't even have a list of package names to search. Passing a package name which has not been installed fails.
Following the approach above, I have tried to piggyback on some standard Android app which I can count on, and store my preferences there -- say:
createPackageContext(
"com.android.browser",
Context.CONTEXT_RESTRICTED)
.getSharedPreferences(
"GLOBAL_PREFS",
Context.MODE_WORLD_READABLE);
but it does not work: the error reads
Couldn't create directory for SharedPreferences file
/data/data/com.android.browser/shared_prefs/GLOBAL_PREFS.xml
So, to recap: I need to store a piece of data (a short string) in some standard location, so that any other app can go there and read it if present, and it should work if at all possible without doing any magic in the AndroidManifest.xml or requesting any permissions.
There probably isn't any perfect answer, so perhaps the best solution is to write to external storage; then so be it. To put things into context, apparently it is trivial to do this on iOS using a keychain, designed to store secure data.
Unfortunately there really isn't a great answer for this that I know of. You've come up with a pretty good outline of your options and the best way may well be with external storage.
Just to throw something out there, I suppose it's possible you could use a flat file with a fixed name and world readable (and possibly writable) permissions. You'd have to then iterate through all applications' directories and check for this known-named file in each folder and attempt to open it.
While this might work theoretically, consider the case where the app that contains the "cookie" is uninstalled. Then you're left cookie-less. You might want to create the cookie in every app, copying over the value of the previous cookies to new cookies.
I haven't actually tried this, but I imagine it should work.
The app I am working on gets all the files from the sdcard but these files are really important and the app should maintain a security issue .So is there a way that the folder or directory that contains the file may be encrypted or locked with a key and only be used by my app?
Please help I am newbie and stuck at this point.
On Android, anything stored on the SD card is not protected by permissions and can be accessed by any application that has permission to touch the SD card (and by anything/anyone that can pull the card out and read it elsewhere). Basically, you need to assume that if you put resources there, they can be accessed by anyone. So, you are correct, you want to encrypt these resources so that even with that access, no one can access them.
Android includes plenty of support for well-known cryptography. In this case, you'll want to use symmetric encryption. The current best practice here is to use AES with 256-bit keys, all of which are natively supported in the Android class libraries. There are plenty of resources on how to do this in the developer documentation online and there is a complete rundown of all the issues you need to think about, and code examples of the entire process, in Application Security for the Android Platform (disclaimer: I'm the author of this book).
You do need a key to encrypt this data, and you need to keep that key secret (anyone that knows it can decrypt the data). You have two options...(1) ask the user for a password every time they use the application and then derive the key from that password, or (2) store the password in your application. (2) is dangerous as Android applications can be readily reverse engineered, where an attacker can simply look into your application and find the key. (1) is preferred as then there is no key stored for an attacker to recover...the tradeoff is that your users need to type in a password to use your application. What you should do here is a function of the risk analysis...how important is this data? Do you need it protected in a strong manner, or are you protecting it to just make things harder for an attacker? Only you can answer that, based on your use cases and the sensitivity/risk of your data.
Have a look at those resources:
http://source.android.com/tech/encryption/android_crypto_implementation.html
http://developer.android.com/reference/javax/crypto/package-summary.html
You should be aware that of course you shouldn't store the key to the encrypted data in cleartext but rather encrypt that itself with a password a user can choose or similar.
This is how to make a new folder:
String SaveFolder = "/Save";
String extStorageDirectory = Environment.getExternalStorageDirectory().toString();
File mySaveFolder = new File(extStorageDirectory + SaveFolder);
mySaveFolder.mkdir();
Got this code in the public void onCreate
Now it makes a folder with the name "Save".
Edit:
I looked there is not a way to set a password or something.
Though I read here http://developer.android.com/guide/topics/data/data-storage.html#filesInternal it is possible to save files in the internal memory, where users can't get acces too, but I never used that, so I can't help you with that.