parse-community / Parse-SDK-Android

The Android SDK for Parse Platform
https://parseplatform.org/

feat: Implementing encrypted local storage for user sessions #1191

Open DrMimik opened 1 year ago

DrMimik commented 1 year ago

New Pull Request Checklist

Issue Description

User data can be copied on rooted devices.

Closes: #1192

Approach

Encrypting local user session using Jetpack security features to ensure better security for rooted devices.

TODOs before merging

parse-github-assistant[bot] commented 1 year ago

Thanks for opening this pull request!

mtrezza commented 1 year ago

We don't have a specific policy for the duration of providing migration mechanisms. It depends on the type of change. In this case I'd see the mechanism staying for several years, so indefinite at this point. The reason is that it can be a years-long process to migrate clients once they are released to end-users.

azlekov commented 1 year ago

@mtrezza @DrMimik I believe we are on the finish line here. What do you think, can we get this merged?

rommansabbir commented 1 year ago

Hi, pardon me if my question is out of context. Why do we need to encrypt the user session for a rooted device? If a device is rooted, the device is compromised. And to decrypt the session token, someone has to decrypt the token by using the decode method to get the JSON payload. If so, then the session token is already encrypted, so why do we need to add an extra security layer for the session token?