
Is encryption planned?

Open Rainer-Lang opened this issue 8 years ago • 2 comments

Rainer-Lang avatar Feb 17 '17 13:02 Rainer-Lang

Not for now, but we can consider it for the future. Please note that prefser uses SharedPreferences from the Android SDK under the hood. SharedPreferences of one application are not accessible to other applications. It could be possible if you explicitly use Context.MODE_WORLD_READABLE, which is actually deprecated in the newest API. The conclusion is that SharedPreferences should be pretty safe by default if they're used correctly and additional encryption is not needed here. Nevertheless, I'm open to discussion and encryption can be an additional feature. In such a case, an external solution for that encryption should be used, because I don't specialize in that area and it's not a trivial problem. Optionally, we can use the conceal library by Facebook.

pwittchen avatar Feb 17 '17 19:02 pwittchen

It's an interesting topic. I've done some quick research on that. I think the first step for introducing encryption would be creating an interface for all prefser public methods. Then, we can add its default implementation. Next, we can create a separate artifact (module), prefser-secure, which will depend on prefser, for people who would like to use secure preferences. It doesn't make sense to force people who don't want that feature to download additional dependencies for encryption & decryption, which will make apps heavier. Inside prefser-secure, we can provide additional operations (a layer) for encryption & decryption using conceal.

I'm open to further suggestions and discussion.

References

Facebook conceal

  • https://github.com/facebook/conceal - Facebook's library for encryption/decryption
  • https://github.com/rtoshiro/SecureSharedPreferences - library which implements "secure preferences" with "conceal"; it's nice, but it has a few things which I would like to implement differently
  • http://stackoverflow.com/questions/30420478/android-encrypting-plaint-text-using-facebook-conceal-library - example usage of conceal

Google Tink

  • https://github.com/google/tink - Google's library for encryption/decryption
  • https://github.com/google/tink/blob/master/doc/JAVA-HOWTO.md

Alice

https://github.com/rockaport/alice

Encryption

https://github.com/simbiose/Encryption

Crypto-utils

https://github.com/nshusa/crypto-utils

Crypto

https://github.com/wg/crypto

Serializing/Deserializing byte array

Serializing/deserializing byte arrays will probably be required while working with encryption libraries.

  • http://stackoverflow.com/questions/2836646/java-serializable-object-to-byte-array - different ways of serialization/deserialization of byte arrays - it's needed for conceal's encryption/decryption mechanisms
  • https://gist.github.com/orip/3635246 - serialization/deserialization of byte array with Gson
  • https://stackoverflow.com/questions/25522309/converting-json-between-string-and-byte-with-gson - same as above

pwittchen avatar Feb 18 '17 13:02 pwittchen
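
The layering proposed in the comment above (an interface, its default implementation, and an encrypting layer that would live in a separate module), shown as an added example that is not prefser's code or API. `Store`, `PlainStore` and `EncryptedStore` are hypothetical names, AES-GCM from the JDK's `javax.crypto` is swapped in for conceal, a `Map` stands in for SharedPreferences, and the key is generated in memory as an assumption (key storage is outside what this example covers).

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.security.*;
import java.util.*;
import static java.nio.charset.StandardCharsets.UTF_8;

public class SecureStoreDemo {
  // Hypothetical interface standing in for prefser's public methods.
  interface Store { void put(String key, String value); String get(String key); }
  static class PlainStore implements Store { // default implementation; Map stands in for SharedPreferences
    private final Map<String, String> map = new HashMap<>();
    public void put(String k, String v) { map.put(k, v); }
    public String get(String k) { return map.get(k); }
  }
  // Layer for a separate "secure" module: encrypts values, delegates storage.
  static class EncryptedStore implements Store {
    private final Store delegate;
    private final SecretKey key;
    EncryptedStore(Store delegate, SecretKey key) { this.delegate = delegate; this.key = key; }
    private byte[] gcm(int mode, String name, byte[] iv, byte[] in, int off) {
      try {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, key, new GCMParameterSpec(128, iv));
        c.updateAAD(name.getBytes(UTF_8)); // bind the value to its preference name
        return c.doFinal(in, off, in.length - off);
      } catch (GeneralSecurityException e) { throw new IllegalStateException(e); } // tampered data or wrong key
    }
    public void put(String k, String v) {
      byte[] iv = new byte[12];
      new SecureRandom().nextBytes(iv); // fresh nonce for every write
      byte[] ct = gcm(Cipher.ENCRYPT_MODE, k, iv, v.getBytes(UTF_8), 0);
      byte[] blob = ByteBuffer.allocate(12 + ct.length).put(iv).put(ct).array();
      delegate.put(k, Base64.getEncoder().encodeToString(blob)); // byte[] stored as a String
    }
    public String get(String k) {
      String stored = delegate.get(k);
      if (stored == null) return null;
      byte[] blob = Base64.getDecoder().decode(stored); // nonce, then ciphertext and tag
      return new String(gcm(Cipher.DECRYPT_MODE, k, Arrays.copyOf(blob, 12), blob, 12), UTF_8);
    }
  }
  public static void main(String[] args) throws Exception {
    Store plain = new PlainStore();
    SecretKey demoKey = KeyGenerator.getInstance("AES").generateKey(); // in-memory demo key (assumption)
    Store secure = new EncryptedStore(plain, demoKey);
    secure.put("token", "constructed-sample-value"); // constructed sample input
    System.out.println(plain.get("token") + " -> " + secure.get("token"));
  }
}
```

Because the preference name is passed as associated data, a stored value copied under a different name fails authentication on read. The Base64 step is where the byte-array serialization listed in the references comes in; `java.util.Base64` is used so the example runs on a plain JVM.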