owasp-mastg icon indicating copy to clipboard operation
owasp-mastg copied to clipboard

Published 20 hours ago verified publisher icon OWASP

Encrypted Shared Preferences not covered in MSTG-STORAGE-1 and MSTG-STORAGE-2

Open galapogos opened this issue 4 years ago • 15 comments

MSTG-STORAGE-1 and MSTG-STORAGE-2 lists proper usage of Shared Preferences, but doesn't provide guidelines for the new Encrypted Shared Preferences, which automatically encrypt the contents of the XML file.

galapogos avatar Feb 25 '20 07:02 galapogos

Hi @galapogos , thanks for pointing that out! If you have experience using that feature, would you mind opening a PR including what's missing? That'd be a great help for us, we'll gladly review it :)

cpholguera avatar Feb 25 '20 07:02 cpholguera

I actually don't have experience using this, however I recently encountered an app using this while doing an assessment of it, and wanted to refer to MSTG on testing it, but didn't find anything, hence the issue. However, I did note that I could simply hook on the API call and get the decrypted data.

galapogos avatar Feb 25 '20 08:02 galapogos

I think that testing encrypted that is similar either they're stored in Shared Preferences or elsewhere. don't you think? Perhaps adding a section specifically for Shared_Prefs would be Good.

A-AFTAHI avatar Feb 25 '20 09:02 A-AFTAHI

On a first step we should add a reference on usage of encrypted shared preferences in the current section. After that we could think if we need a separate section or a better sub-sections structure, I'm not sure if the current static and dynamic analysis sections even match.

cpholguera avatar Feb 25 '20 11:02 cpholguera

I think we should update the section accordingly:

https://developer.android.com/topic/security/data

Do we have already something about using Jetpack and EncryptedFiles?

cpholguera avatar Feb 25 '20 11:02 cpholguera

@cpholguera I think I can work on it, as mentioned in issues #947 and #949.

lwierzbicki avatar Feb 25 '20 14:02 lwierzbicki

That'd be perfect, thank you so much!

cpholguera avatar Feb 25 '20 16:02 cpholguera

The mechanism being proposed by the new security lib is super simple to use, but the lib itself is an alpha.

However, I would suggest the MSTG recommend its use when it is generally released. I would not recommend to any dev teams that they make use of alpha libraries in general.

https://developer.android.com/topic/security/data#edit-shared-preferences

jadeboer avatar Feb 25 '20 20:02 jadeboer

@jadeboer thanks for being thorough :) Lib will make things easier in the future. But I've seen implementations which use the same pattern - master key is stored in Keystore (or at the end it was advised to be stored in Keystore ;) ) and it is used to encrypt keys and values (which are encoded with base64 and saved in shared preferences - app container).

lwierzbicki avatar Feb 25 '20 21:02 lwierzbicki

Yep, the pattern is useful and this new security lib will also simplify consistent implementation of the pattern for developers. I just wanted to caution against recommending use of an alpha lib =)

jadeboer avatar Feb 25 '20 21:02 jadeboer

Actually I'm not sure if EncryptedSharedPreferences is even a good idea. It seems to only provide data at rest protection, but is susceptible to runtime hooking in order to either dump out the decrypted key/value pair, or the data encryption key of the key/value pair. Seems to give a false sense of security in this sense.

galapogos avatar Mar 09 '20 08:03 galapogos

Hey @galapogos , I think there is still value here.

In my experience, teams will implement their own idea of something to call secured shared preferences, with varying tactics, code quality and resultant security outcomes. This new library's capability will provide consistent implementation, make use of the android key store for master keys, make use of enums for configuration options, etc - which are useful in my opinion.

jadeboer avatar Mar 09 '20 21:03 jadeboer

True, but I think we need to list out the caveats in the MSTG once it's included.

galapogos avatar Mar 09 '20 23:03 galapogos

Actually I'm not sure if EncryptedSharedPreferences is even a good idea. It seems to only provide data at rest protection, but is susceptible to runtime hooking in order to either dump out the decrypted key/value pair, or the data encryption key of the key/value pair. Seems to give a false sense of security in this sense.

I agree with @jadeboer. It streamlines the effort to encrypt data and abstracts it so it's easier to use. @galapogos You are right it provides additional protection at rest and an attacker will always be able to hock into apps (it's always just a matter of time and skills of the attacker) to get the decrypted data in this case. Nevertheless it's a best practice and should be used once out of the alpha stage.

sushi2k avatar Apr 01 '20 11:04 sushi2k

Fyi, AndroidX Security library is now a release candidate.

https://mvnrepository.com/artifact/androidx.security/security-crypto/1.0.0-rc01

mkaraoz avatar Apr 22 '20 07:04 mkaraoz