Ruajtje e Pasigurt e të Dhënave

Mesatar 13 min Siguria Mobile

Hyrje

Android offers several storage options and each has different security properties; many apps pick the wrong one and leak sensitive data.

Teoria

Internal storage (/data/data/) is private to the app by default and is the correct choice for sensitive data. SharedPreferences, SQLite databases and plain files in internal storage are protected by Android's app sandbox — other apps cannot read them unless the device is rooted. External storage (/sdcard) was historically world-readable and is still accessible to any app with READ_EXTERNAL_STORAGE; putting secrets there is a mistake. For particularly sensitive data — API keys, session tokens, encryption keys — apps should use the Android Keystore, which stores cryptographic keys in a hardware-backed keystore on modern devices. The keys never leave the secure element and are usable only by the app that created them, even if the device is rooted. EncryptedSharedPreferences and EncryptedFile (from androidx.security.crypto) build on top of Keystore and provide encrypted storage with a simple API. During security testing, pull the app's data directory from a rooted test device and inspect every file: SharedPreferences XML, SQLite DBs, log files, cached responses. Any plaintext credential, API token or PII is a finding. A modern app should pass a manual grep for common secrets keywords (token, secret, password) without any hits in its on-disk storage.

Mjetet

Ku ruhen sekretet gabimisht:

  • SharedPreferences pa enkriptim.
  • Files në /sdcard/ (external storage world-readable në versione të vjetra).
  • SQLite pa enkriptim (SQLCipher është zgjidhja).
  • Log-e (Log.d) që ngelin në logcat.

Praktika

EncryptedSharedPreferences:

val masterKey = MasterKey.Builder(context)
    .setKeyScheme(MasterKey.KeyScheme.AES256_GCM).build()
val prefs = EncryptedSharedPreferences.create(
    context, "secure_prefs", masterKey,
    EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
    EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM)

Ushtrime

  1. Zbulon një aplikacion ku Session Token ruhet në SharedPreferences të thjeshtë.
  2. Rishkruaje për të përdorur Android Keystore + EncryptedSharedPreferences.

Burime

  • Android — Data and file storage security.
  • OWASP MASVS-STORAGE.

Vlerësimet dhe komentet

Kyçu për të lënë një vlerësim.

Ende pa komente. Bëhu i pari!

Diskutime

Ende pa diskutime. Hap një temë të re