russhwolf / multiplatform-settings

A Kotlin Multiplatform library for saving simple key-value data
Apache License 2.0

Secure storage implementations #186

Open HLCaptain opened 7 months ago

HLCaptain commented 7 months ago

As the iOS platform supports Keychain experimentally, other platforms have similar secure implementations of a simple key-value storage directly, like Android's Keystore or Credential Manager. Or encrypt your data with a master key, like in EncryptedSharedPreferences, also on Android.

I suggest that the library should provide these secure methods of data persistence. I also vouch for an implementation which relies on master keys, as we may reuse code and only need to encrypt the stored key-value pairs and not rely on an entirely different system.

russhwolf commented 7 months ago

You can already use EncryptedSharedPreferences with the existing SharedPreferencesSettings.

HLCaptain commented 7 months ago

That is true, but I think there should be more default(er) implementations of secure storage methods, which rely on Android Keystore or other platform-specific keystore methods. On JVM, I had to find a way to acquire and save the master key, which is not intuitive to do. On web, this secure storage is even harder to implement. I would like security to be an option in common code, with platform-specific secure implementation of settings.

russhwolf commented 7 months ago

Regarding JVM and JS, I'm open to adding something but not clear on what the best backing API is. If you have any demo code of what worked for you, I'd be interested to see it.

For Android, a couple questions. Is there anything you'd like to do with the Keystore that you can't do via EncryptedSharedPreferences? And do you have an example of what you'd like to be able to do with the Credential Manager?

HLCaptain commented 6 months ago

Regarding Android platform, yes, I think using EncryptedSharedPreferences with Android KeyStore is enough, thanks for pointing that out.

I have an experimental demo working on the JVM side via Credential Secure Storage. It relies on macOS, Windows and Linux native KeyStore libraries. I still have some bugs to squish, but it works fine on Ubuntu 23 and Windows 11. You can check out platform implementations from here for Common, JVM, Android. I still have to figure out Web. There may be better alternatives to Microsoft's Credential Secure Storage, like CoreCrypto.

HLCaptain commented 6 months ago

As I stabilized my EncryptedPreferences for JVM, I may make a proper pull request to include it as a solution for making settings encrypted in some sorts.

Currently:

I could make the encryption happen in the Credential Secure Storage instead of Java Preferences, just like Apple's KeyStore implementation, but I think Java Preferences is secure enough for now.
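
The master-key approach discussed in this thread (encrypt each value, keep the ciphertext in Java Preferences), sketched as an added example that is not HLCaptain's implementation or part of multiplatform-settings. It uses only JDK APIs; the `EncryptedPrefs` class, the preferences node name and the throwaway key generated in `main` (standing in for a key loaded from an OS credential store) are assumptions.

```kotlin
import java.security.SecureRandom
import java.util.Base64
import java.util.prefs.Preferences
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

private const val IV_LEN = 12    // 96-bit GCM nonce
private const val TAG_BITS = 128 // GCM authentication tag length

// Hypothetical wrapper (not a multiplatform-settings class): encrypts each value with
// AES-GCM before it reaches java.util.prefs, which stores data unencrypted.
class EncryptedPrefs(private val prefs: Preferences, private val masterKey: SecretKey) {
    private val random = SecureRandom()

    private fun cipher(mode: Int, iv: ByteArray, name: String): Cipher =
        Cipher.getInstance("AES/GCM/NoPadding").apply {
            init(mode, masterKey, GCMParameterSpec(TAG_BITS, iv))
            updateAAD(name.encodeToByteArray()) // bind the ciphertext to its settings key
        }

    fun putString(name: String, value: String) {
        val iv = ByteArray(IV_LEN).also { random.nextBytes(it) } // fresh nonce per write
        val ct = cipher(Cipher.ENCRYPT_MODE, iv, name).doFinal(value.encodeToByteArray())
        // Preferences caps values at Preferences.MAX_VALUE_LENGTH characters.
        prefs.put(name, Base64.getEncoder().encodeToString(iv + ct))
    }

    // Returns null when absent; throws AEADBadTagException if the entry was altered or moved.
    fun getStringOrNull(name: String): String? {
        val blob = Base64.getDecoder().decode(prefs.get(name, null) ?: return null)
        require(blob.size >= IV_LEN + TAG_BITS / 8) { "stored value too short" }
        val iv = blob.copyOfRange(0, IV_LEN)
        val ct = blob.copyOfRange(IV_LEN, blob.size)
        return cipher(Cipher.DECRYPT_MODE, iv, name).doFinal(ct).decodeToString()
    }
}

fun main() {
    // Assumption: a throwaway key stands in for one loaded from the OS credential store.
    val masterKey = KeyGenerator.getInstance("AES").apply { init(256) }.generateKey()
    val node = Preferences.userRoot().node("example/encrypted-settings-demo") // constructed
    val settings = EncryptedPrefs(node, masterKey)
    settings.putString("token", "s3cr3t")
    println(node.get("token", null))           // raw stored form: Base64(iv || ct || tag)
    println(settings.getStringOrNull("token"))
    node.put("other", node.get("token", null)) // move ciphertext under a different key
    println(runCatching { settings.getStringOrNull("other") }.exceptionOrNull())
    node.removeNode()
}
```

Confidentiality here rests entirely on where the master key lives: anyone who can read both the preferences node and the key can decrypt every value.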