flutter_secure_storage
[Android] [Beta] Version 10 - Full migration to custom implementation of SecureSharedPreferences
A long-outstanding problem with the Android part of this package is the deprecated usage of older cryptography (CBC with PKCS5/PKCS7 padding) for SDK < 23, and the already deprecated JetSec Crypto library that is being used for the current implementation of SecureSharedPreferences.
To fix these issues, I am moving to a custom implementation of the JetSec Crypto library, and removing all other deprecated methods of encrypting the shared preferences. This requires the minimum SDK to be raised from 21 to 23.
I am currently testing the new implementation in the branch version-10. Any help is greatly appreciated.
Affected issues: #512 #522 #562 #584 #627 #672 #694 #713 #729 #758 #759
Hi @juliansteenbakker - Thanks for your work on this! 👏
Have just tested the version-10 branch using the override for flutter_secure_storage_web: ^2.0.0-beta.1.
When running the app on a device which has written to secure storage prior to this upgrade, my app crashes on startup (when I first call readAll()). Here is the traceback:
PlatformException(Exception encountered, readAll, java.lang.SecurityException: Could not decrypt key. decryption failed
at com.it_nomads.fluttersecurestorage.crypto.EncryptedSharedPreferences.decryptKey(EncryptedSharedPreferences.java:566)
at com.it_nomads.fluttersecurestorage.crypto.EncryptedSharedPreferences.getAll(EncryptedSharedPreferences.java:377)
at com.it_nomads.fluttersecurestorage.FlutterSecureStorage.readAll(FlutterSecureStorage.java:54)
at com.it_nomads.fluttersecurestorage.FlutterSecureStoragePlugin$MethodRunner.run(FlutterSecureStoragePlugin.java:156)
at android.os.Handler.handleCallback(Handler.java:959)
at android.os.Handler.dispatchMessage(Handler.java:100)
at android.os.Looper.loopOnce(Looper.java:232)
at android.os.Looper.loop(Looper.java:317)
at android.os.HandlerThread.run(HandlerThread.java:85)
Caused by: java.security.GeneralSecurityException: decryption failed
at com.google.crypto.tink.daead.DeterministicAeadWrapper$WrappedDeterministicAead.decryptDeterministically(DeterministicAeadWrapper.java:122)
at com.it_nomads.fluttersecurestorage.crypto.EncryptedSharedPreferences.decryptKey(EncryptedSharedPreferences.java:557)
... 8 more
If I uninstall the previous version of my app (using 9.2.2) and perform a clean install (using version-10), then the app appears to work as expected.
This is using a physical Google Pixel 7 pro on Android 15, Flutter 3.22.3. Have yet to try on iOS but will do that later. If there is any other information you need or anything you want me to try, do let me know! 👍
Can confirm that this issue does not occur on iOS. This is also a physical device (iPhone 12), iOS 16, Flutter 3.22.3. version-10 appears to be behaving and I have yet to observe any keychain related errors. 💪
Did you set the encryptedSharedPreferences to true, or didn't you use it at all?
Instantiated with defaults!
final storage = new FlutterSecureStorage();
Will try with encrypted preferences on now 👍
Can confirm that I get the same behaviour when initialising like this:
final storage = new FlutterSecureStorage(aOptions: AndroidOptions(encryptedSharedPreferences: true));
This is when opening the app after upgrading from the version that uses 9.2.2 and no encrypted preferences.
As before, the app seems to behave as expected in encrypted preferences mode with a fresh install!
I am going to turn encrypted prefs on in 9.2.2, and then see what happens when upgrading to version 10 with encrypted prefs on.
Thanks for checking! I think we need a migration helper for this use case. I will let you know when I have some work done.
No problem @juliansteenbakker - I can confirm that upgrading from 9.2.2 with encrypted prefs to 10 also using encrypted prefs appears to work as expected 🙌
Hi @juliansteenbakker thanks for your work!
When will version 10 be released? Suppose it can't be estimated. Can it be published in pre-release?
I wish we could have some news about this, I still can't fix the issue on many devices, and I might have to use another library for now. Any updates on the progress?
Any updates here, guys? Thank you very much in advance.
I am dropping this package because of this problem. I hope one day you can fix it and we can return.
Yeah @bahadirarslan, I'm also thinking about that, even downgrading to version 6 it is not working in many devices here in our application :(
@juliansteenbakker so am I understanding correctly that you have accomplished all the main heavy lifting with moving away from the deprecated package.. but now you need help writing a migration so that it doesn't crash existing apps?
Hi all, I have been working on a migration which I am testing right now. Once done, I will release this under a new beta version.
@juliansteenbakker, could you please provide an approximate timeline for this beta release, so that I can plan accordingly for my project?
Is there any update about this issue? Any estimated time frame for when it will be fixed?
Hi all, I have worked on a version with migration support. The timeline is as follows:
v10.0.0: version with custom implementation of secure storage, together with a migration tool. This version will still have the insecure encryption method for when useEncryptedSharedPreferences is disabled.
v11.0.0: old encryption method will be removed and only the new encrypted shared preference will be used.
If you want users to keep their data, you should first upgrade to version 10.0.0 and when feeling confident that everyone is migrated, update to version 11.0.0. Otherwise, you can use version 11.0.0 straight away.
As some may have noticed, the package is now part of my GitHub page, which enables me to rearrange the issues and branches. I am planning on reviving support for this package as soon as I am back from my vacation, which is around 16 December. Version 10.0.0 will be released in that week, and version 11.0.0 will soon follow as it only removes the deprecated code and migration tool.
My apologies for the delay.
Looking forward to this!
Bump
Hi, is there any update about Version 10? Thanks in advance
Hi @juliansteenbakker, could you please provide an updated timeline for version 10? We are anticipating this release.
Hi, I am almost done with the first beta release of version 10. I am planning on releasing the beta version today or tomorrow. In the meantime, I have released v9.2.3 which has some minor improvements.
I have released v10.0.0-beta.1, which contains a migration tool to copy data to EncryptedSharedPreferences, together with lots of other improvements. Please check out the full list in the changelog.
If the beta version has no problems for users, I will promote it to a stable release.
Hi @juliansteenbakker, what are your plans for the release date of v10.0.0?
I am still working on a better integration of the new Tink API, but I am aiming for another week of development before I get my final beta release, and when the beta release is deemed stable, I can promote it to production. In all, I'm aiming for a new production version at the end of this month.
Hey @juliansteenbakker any updates on this?
Is there a major problem with v10.0.0-beta.4? juliansteenbakker planned to release the final beta version 3 weeks ago.
Due to limited resources on my end, I haven't had the time to make a stable release or address any potential issues that might arise from it. However, I am still working on this new release.
While waiting for a new update from @juliansteenbakker, I removed the AES_CBC_PKCS7Padding in the code, so that analysis with MobSF will pass with this fork: My fork
@sherlockvn Hey, I have tried to use your fork, but I get an error with the name of the package. Can you provide an example of how I can import this package through the pubspec.yaml?
flutter_secure_storage:
  git:
    url: https://github.com/sherlockvn/flutter_secure_storage.git
    ref: remove-old-encrypt-algorithm
flutter_secure_storage_linux: ^1.2.2
flutter_secure_storage_macos: ^3.1.3
flutter_secure_storage_platform_interface: 1.1.2
flutter_secure_storage_web: 1.2.1
flutter_secure_storage_windows: 3.1.2

Gives:
Error on line 1, column 7: "name" field doesn't match expected name "flutter_secure_storage".
  ╷
1 │ name: flutter_secure_storage_root
Also I tried to import with the root, but I was not able to import the code into my project.
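
Added example, not part of the thread and not the project's own configuration: pub reports this error when a git dependency resolves to a repository whose root pubspec.yaml declares a different package name (here flutter_secure_storage_root), and a git dependency accepts a path key to select a package in a subdirectory instead. The subdirectory name flutter_secure_storage is an assumption about the fork's layout.

```yaml
dependencies:
  flutter_secure_storage:
    git:
      url: https://github.com/sherlockvn/flutter_secure_storage.git
      # Assumption: the plugin package sits in this subdirectory of the fork,
      # next to the root pubspec named flutter_secure_storage_root.
      path: flutter_secure_storage
      # Branch name taken from the post above. A branch ref is mutable, so the
      # code behind it can change between builds; putting a full commit hash
      # here instead pins the dependency to the exact revision that was reviewed.
      ref: remove-old-encrypt-algorithm
```

After `flutter pub get`, pubspec.lock records the resolved commit, so committing the lock file also keeps an unreviewed change to the fork out of later builds.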