Open HLCaptain opened 7 months ago
You can already use EncryptedSharedPreferences
with the existing SharedPreferencesSettings
.
That is true, but I think there should be more default(er) implementations of secure storage methods, which relies on Android Keystore or other platform specific keystore methods. On JVM, I had to find a way to acquire and save the master key, which is not intuitive to do. On web, this secure storage is even harder to implement. I would like security to be an option in common code, with platform specific secure implementation of settings.
Regarding JVM and JS, I'm open to adding something but not clear on what the best backing API is. If you have any demo code of what worked for you, I'd be interested to see it.
For Android, a couple questions. Is there anything you'd like to do with the Keystore that you can't do via EncryptedSharedPreferences
? And do you have an example of what you'd like to be able to do with the Credential Manager?
Regarding Android platform, yes, I think using EncryptedSharedPreferences
with Android KeyStore
is enough, thanks for pointing that out.
I have an experimental demo working on the JVM side via Credential Secure Storage. It relies on MacOS, Windows and Linux native KeyStore libraries. I still have some bugs to squish, but it works fine on Ubuntu 23 and Windows 11. You can check out platform implementations from here for Common, JVM, Android. I still have to figure out Web. There may be better alternatives to Microsoft's Credential Secure Storage, like CoreCrypto.
As I stabilized my EncryptedPreferences
for JVM, I may make a proper pull request to include it as a solution for making settings encrypted in some sorts.
Currently:
EncryptedPreferences
acts like java.util.prefs.Preferences
, but with encrypted keys and values.I could make the encryption happen in the Credential Secure Storage instead of java Preferences, just like Apple's KeyStore implementation, but I think java Preferences is secure enough for now.
As iOS platform supports Keychain experimentally, other platforms have similar secure implementations of a simple key-value storage directly, like Android's Keystore or Credential Manager. Or encrypt your data with a master key, like in EncryptedSharedPreferences, also on Android.
I suggest that the library should provide these secure methods of data persistence. I also vouch for an implementation which relies on master keys, as we may reuse code and only need to encrypt the stored key-value pairs and not rely on an entirely different system.