search

scottyab / secure-preferences

Android Shared preference wrapper than encrypts the values of Shared Preferences. It's not bullet proof security but rather a quick win for incrementally making your android app more secure.
1.53k stars 235 forks source link

Hashing the keys broke the getAll() and onSharedPreferenceChanged(SharedPreferences, String) methods #85

Open awasisto opened 6 years ago

awasisto commented 6 years ago

The keys returned by the SecurePreferences#getAll() method or passed through the OnSharedPreferenceChangeListener#onSharedPreferenceChanged(SharedPreferences, String) method are the hashed keys instead of the real keys.

Example:

SharedPreferences preferences = new SecurePreferences(getContext());

preferences.edit().putString("userBirthPlace", "Mars").apply();
preferences.edit().putString("userFavouriteAnimal", "Unicorn").apply();

System.out.println(preferences.getAll());

/*
 * Output: {/ntTe3/atqHnZpVLXZFdZCh1kXCeMNI4ZxZakEmn46M==Unicorn, EKfKV82MWU69SaHA6DzF5LIJ2m6EhElrylXmoC4qFkY==Mars}
 */

I think the keys shouldn't be hashed since they shouldn't contain any user data.

samratshaw commented 5 years ago

@awasisto I think this is the intended behaviour. The library does not store the keys & uses a hash of the keys for storing the values.

With the current implementation, it is not possible to get the actual keys.