Hyrje
Android offers several storage options and each has different security properties; many apps pick the wrong one and leak sensitive data.
Teoria
Internal storage (/data/data/) is private to the app by default and is the correct choice for sensitive data. SharedPreferences, SQLite databases and plain files in internal storage are protected by Android's app sandbox — other apps cannot read them unless the device is rooted. External storage (/sdcard) was historically world-readable and is still accessible to any app with READ_EXTERNAL_STORAGE; putting secrets there is a mistake.
For particularly sensitive data — API keys, session tokens, encryption keys — apps should use the Android Keystore, which stores cryptographic keys in a hardware-backed keystore on modern devices. The keys never leave the secure element and are usable only by the app that created them, even if the device is rooted. EncryptedSharedPreferences and EncryptedFile (from androidx.security.crypto) build on top of Keystore and provide encrypted storage with a simple API.
During security testing, pull the app's data directory from a rooted test device and inspect every file: SharedPreferences XML, SQLite DBs, log files, cached responses. Any plaintext credential, API token or PII is a finding. A modern app should pass a manual grep for common secrets keywords (token, secret, password) without any hits in its on-disk storage.
Mjetet
Ku ruhen sekretet gabimisht:
- SharedPreferences pa enkriptim.
- Files në
/sdcard/(external storage world-readable në versione të vjetra). - SQLite pa enkriptim (SQLCipher është zgjidhja).
- Log-e (
Log.d) që ngelin në logcat.
Praktika
EncryptedSharedPreferences:
val masterKey = MasterKey.Builder(context)
.setKeyScheme(MasterKey.KeyScheme.AES256_GCM).build()
val prefs = EncryptedSharedPreferences.create(
context, "secure_prefs", masterKey,
EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM) Ushtrime
- Zbulon një aplikacion ku Session Token ruhet në SharedPreferences të thjeshtë.
- Rishkruaje për të përdorur Android Keystore + EncryptedSharedPreferences.
Burime
- Android — Data and file storage security.
- OWASP MASVS-STORAGE.
Vlerësimet dhe komentet
Kyçu për të lënë një vlerësim.
Ende pa komente. Bëhu i pari!
Diskutime
Ende pa diskutime. Hap një temë të re