How to Secure Android Shared Preferences?


Problem description

The common location where SharedPreferences are stored in Android apps is:

/data/data/<package name>/shared_prefs/<filename.xml>

A user with root privileges can navigate to this location and can change its values. The need to protect it is of much importance.

In how many ways can we encrypt the whole shared_pref's xml file?

We all know that we can encrypt and save data in shared_pref's xml file, but that's not 100% safe, so we need to encrypt the whole file with a key. I need help in knowing the various ways to encrypt the whole xml file. This is a generic question; the various encryption methods discussed as answers here can be helpful to all developers in securing apps.

Recommended answer

You should note that Android's shared preferences are XML key-value based. You cannot change that fact (as it would break its parser); at best you can encrypt both the key and the value, so the root user could read but wouldn't have the slightest idea what he is reading.

To do that, you could use a simple encryption like this

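import android.util.Base64;
import java.nio.charset.StandardCharsets;

public static String encrypt(String input) {
    // This is base64 encoding, which is not an encryption
    return Base64.encodeToString(input.getBytes(StandardCharsets.UTF_8), Base64.DEFAULT);
}

public static String decrypt(String input) {
    // Reverses the encoding above; no key is involved
    return new String(Base64.decode(input, Base64.DEFAULT), StandardCharsets.UTF_8);
}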

This is how you use it

// Write
SharedPreferences preferences = getSharedPreferences("some_prefs_name", MODE_PRIVATE);
SharedPreferences.Editor editor = preferences.edit();
editor.putString(encrypt("password"), encrypt("dummypass"));
editor.apply(); // Or commit if targeting old devices

// Read
SharedPreferences preferences = getSharedPreferences("some_prefs_name", MODE_PRIVATE);
String passEncrypted = preferences.getString(encrypt("password"), encrypt("default"));
String pass = decrypt(passEncrypted);

You should know, though, that SharedPreferences were never built to be secure; it's just a simple way to persist data.

You should be aware too that the encryption I have used is not the most secure, but it's simple.

There are several libraries that provide better encryption, like these

  • https://github.com/scottyab/secure-preferences
  • https://github.com/sveinungkb/encrypted-userprefs
  • https://github.com/kovmarci86/android-secure-preferences
  • http://www.righthandedmonkey.com/2014/04/obscured-shared-preferences-for-android.html

But they all come to the fact that the format of the file is still XML and it is key-value based. You cannot change that fact. See below.

cat /data/data/your.package.application/shared_prefs/prefs-test.xml
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<string name="JopRH053b7Ogw17Yxmh7Og==">0AB7Y28XEvbQcnXpEZ4j9PtqzFLtm2V3KBXjTO1V704=</string>
</map>

The key is "hemmelighet" and the value is "dette er en hemmelighet".

If security is an issue beyond the fact that SharedPreferences is still key-value based and in XML format, you need to avoid it entirely.
