roulljdh / encrypted_shared_preferences

Flutter plugin for Encrypted Shared Preferences
GNU General Public License v2.0

Encryption key must not be saved in SharedPreferences #10

Open espresso3389 opened 3 years ago

espresso3389 commented 3 years ago

I've researched how the encryption key is stored in encrypted_shared_preference and found that it is simply stored in SharedPreferences. Basically, such sensitive info must be stored in keychain or something like it.

biji commented 2 years ago

Probably for easier backup/restore to google cloud?

PasqualePuzio commented 2 years ago

Totally agree. For those with more strict security requirements, I would recommend adding an API that allows you to provide your own encryption key (as a string) instead of generating it randomly.

keshav-space commented 2 years ago

I see maintainers have failed to understand the gravity of the situation. Here randomKeyKey stores the encryption key and is stored as plain text in Shared Preference. https://github.com/roulljdh/encrypted_shared_preferences/blob/1d49456257e293ffad9a01ff45b5453565c5dfc0/lib/encrypted_shared_preferences.dart#L37-L42

It's like locking your door with the best of the best lock and then hanging your key just beside the lock.

Storing the security key as plain text in Shared Preference is not at all the recommended security practice.

Here is the paradox: "if maintainers think that Shared Preference is secure enough to store the encryption key, then why need encrypted shared preference in the first place?"

TL;DR

sebkoller commented 1 year ago

I'm kind of shocked that this package is in the top 5% of popular packages (95% popularity).

Calling this package "encrypted_shared_preferences" is very misleading:

Anyone who wants to use encryption to store data should either use flutter_secure_storage, or even better biometric_storage.

allomy commented 1 year ago

Hi, is this issue resolved now?
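
An added audit sketch, not code from this repository or from any commenter: it scans an Android SharedPreferences XML file for string values that look like raw AES keys stored in plain text, which is the condition this issue reports. The preference names and values are constructed samples, and the size-plus-entropy heuristic is an assumption that can also flag short ciphertexts, so findings need manual review.

```python
import base64
import math
import xml.etree.ElementTree as ET
from collections import Counter

AES_KEY_SIZES = {16, 24, 32}  # bytes: AES-128 / AES-192 / AES-256


def _decode(value):
    """Return the raw bytes if value is hex or strict base64, else None."""
    for decoder in (bytes.fromhex, lambda v: base64.b64decode(v, validate=True)):
        try:
            return decoder(value)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return None


def _entropy(data):
    """Shannon entropy of a byte string, in bits per byte."""
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def find_plaintext_keys(prefs_xml):
    """Return names of <string> entries whose value looks like a raw AES key."""
    findings = []
    for node in ET.fromstring(prefs_xml).iter("string"):
        raw = _decode((node.text or "").strip())
        if raw is None or len(raw) not in AES_KEY_SIZES:
            continue
        # Random keys sit near the maximum entropy for their length;
        # this skips all-zero fillers and other low-entropy values.
        if _entropy(raw) >= 0.85 * math.log2(len(raw)):
            findings.append(node.get("name"))
    return findings


def build_sample():
    """Constructed prefs file: a raw key, a larger blob, a setting, a zero filler."""
    key = base64.b64encode(bytes(range(7, 39))).decode()      # 32 distinct bytes
    blob = base64.b64encode(bytes(range(100, 148))).decode()  # 48 bytes, not key-sized
    return ("<?xml version='1.0' encoding='utf-8' standalone='yes' ?><map>"
            f"<string name='flutter.sampleKey'>{key}</string>"
            f"<string name='flutter.sampleValue'>{blob}</string>"
            "<string name='flutter.theme'>dark</string>"
            "<string name='flutter.filler'>" + "00" * 16 + "</string></map>")


if __name__ == "__main__":
    print(find_plaintext_keys(build_sample()))
```
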