encrypted_shared_preferences

Encryption key must not be saved in SharedPreferences

Open espresso3389 opened this issue 4 years ago • 5 comments

I've researched how the encryption key is stored in encrypted_shared_preferences and found that it is simply stored in SharedPreferences. Basically, such sensitive info must be stored in the keychain or something like it.

espresso3389, Sep 17 '21 09:09

Probably for easier backup/restore to Google cloud?

biji, Dec 20 '21 01:12

Totally agree. For those with stricter security requirements, I would recommend adding an API that allows you to provide your own encryption key (as a string) instead of generating it randomly.

PasqualePuzio, Mar 15 '22 14:03

I see maintainers have failed to understand the gravity of the situation. Here randomKeyKey stores the encryption key and is stored as plain text in Shared Preference. https://github.com/roulljdh/encrypted_shared_preferences/blob/1d49456257e293ffad9a01ff45b5453565c5dfc0/lib/encrypted_shared_preferences.dart#L37-L42

It's like locking your door with the best of the best lock and then hanging your key just beside the lock.

Storing the security key as plain text in Shared Preference is not at all the recommended security practice.

Here is the paradox: "if maintainers think that Shared Preference is secure enough to store the encryption key, then why need encrypted shared preference in the first place?"

TL;DR

  • PROBLEM: The current implementation of this plugin is insecure and for a hacker, it would take minutes to hack into the data.
  • SOLUTION: Use Keystore and Keychain for storing the encryption keys.

keshav-space, Oct 30 '22 23:10

I'm kind of shocked that this package is in the top 5% of popular packages (95% popularity).

Calling this package "encrypted_shared_preferences" is very misleading:

  • Like @keshav-space and @espresso3389 said, saving the key in plain text is not secure at all. This is just security through obscurity, not secure encryption.
  • The name suggests that the package makes use of Android's EncryptedSharedPreferences, which it does not.

Anyone who wants to use encryption to store data should either use flutter_secure_storage, or even better biometric_storage.

sebkoller, Nov 10 '22 13:11
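The fix proposed in the comments above (keep the data key in Keystore/Keychain-backed storage rather than in SharedPreferences), sketched with flutter_secure_storage as an added example that is not code from encrypted_shared_preferences or its maintainers. The class name `DataKeyStore` and both entry names are hypothetical.

```dart
import 'dart:convert';
import 'dart:math';

import 'package:flutter_secure_storage/flutter_secure_storage.dart';
import 'package:shared_preferences/shared_preferences.dart';

// Hypothetical entry names chosen for this example; they are not the
// names used by encrypted_shared_preferences.
const _secureEntry = 'example_data_key';
const _legacyPrefsEntry = 'example_legacy_key';

class DataKeyStore {
  DataKeyStore({FlutterSecureStorage? storage})
      : _storage = storage ?? const FlutterSecureStorage();

  final FlutterSecureStorage _storage;

  /// Returns the base64 data key, creating it on first use. The key is
  /// written only to secure storage, never to SharedPreferences.
  Future<String> loadOrCreateKey() async {
    final existing = await _storage.read(key: _secureEntry);
    if (existing != null) return existing;

    // If an older build left a key in SharedPreferences, move it so that
    // existing ciphertext stays readable, then delete the plaintext copy.
    final prefs = await SharedPreferences.getInstance();
    final legacy = prefs.getString(_legacyPrefsEntry);
    final key = legacy ?? _newKey();

    // Write to secure storage first; only then remove the old entry, so a
    // failure between the two steps cannot lose the key.
    await _storage.write(key: _secureEntry, value: key);
    if (legacy != null) {
      await prefs.remove(_legacyPrefsEntry);
    }
    return key;
  }

  // 32 bytes from the platform CSPRNG, base64-encoded for storage.
  static String _newKey() {
    final rng = Random.secure();
    final bytes = List<int>.generate(32, (_) => rng.nextInt(256));
    return base64Encode(bytes);
  }
}
```

A migrated key has already been readable in the preferences file, so where requirements are strict, re-encrypting the stored values under a freshly generated key is the stronger option than carrying the old key forward.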

Hi, is this issue resolved now?

allomy, Jan 06 '23 06:01