android-secure-preferences's People

Contributors

kovmarci86, tprochazka

android-secure-preferences's Issues

Use secured-preferences on already existing project

I'm thinking about adding secure-preferences to an already existing project. Currently users will lose all preference data, because the library can't decrypt non-encrypted data. Did you think about it already?

Something like a prefix for encrypted data with a version identifier like "$sp-1-" would be useful. The library would use this to recognize whether data are already encrypted. It would also allow using different (more secure, faster) encryption in the future with backward compatibility for existing applications.

What do you mean?

crash during decoding

I have now found this crash in my app

java.lang.ArrayIndexOutOfBoundsException: src.length=16 srcPos=0 dst.length=32 dstPos=32 length=5
            at java.lang.System.arraycopy(Native Method)
            at com.android.org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher.doFinal(PaddedBufferedBlockCipher.java:288)
            at com.android.org.bouncycastle.jce.provider.JCEBlockCipher$BufferedGenericBlockCipher.doFinal(JCEBlockCipher.java:1045)
            at com.android.org.bouncycastle.jce.provider.JCEBlockCipher.engineDoFinal(JCEBlockCipher.java:693)
            at javax.crypto.Cipher.doFinal(Cipher.java:1111)
            at edu.gmu.tec.scout.utilities.Encryption.decrypt(Encryption.java:94)
            at com.github.kovmarci86.android.secure.preferences.encryption.EncryptionHelper.createDecodedObjectStream(EncryptionHelper.java:101)
            at com.github.kovmarci86.android.secure.preferences.encryption.EncryptionHelper.readDecoded(EncryptionHelper.java:88)
            at com.github.kovmarci86.android.secure.preferences.encryption.EncryptionHelper.readAndDecodeTemplate(EncryptionHelper.java:44)
            at com.github.kovmarci86.android.secure.preferences.SecureSharedPreferences.getString(SecureSharedPreferences.java:74)
            at cz.idc.letenky.service.AppSettingsService.getUserLogin(AppSettingsService.java:50)
            at cz.idc.letenky.service.AppSettingsService.isUserLoggedIn(AppSettingsService.java:46)

Maybe the encrypted data was corrupted accidentally and now it is not possible to decrypt it, but this should be handled, and it would be better to return the default value in this situation than to crash the app, and to log the error to logcat.
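Added example, not the library's code: one way to combine the "$sp-1-" version prefix proposed in the first issue with the default-value fallback requested in this one. The class name, the AES-GCM value format and the all-zero demo key are assumptions; it uses `java.util.Base64` and `System.err` so that it runs on a desktop JVM, where Android code would log with `Log.e`.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;

public class VersionedValueCodec {
    static final String V1 = "$sp-1-"; // version prefix proposed in the issue
    private final SecretKeySpec key;

    VersionedValueCodec(byte[] rawKey) { key = new SecretKeySpec(rawKey, "AES"); }

    // Stored form: "$sp-1-" + base64(nonce || ciphertext || tag)
    String encode(String plain) throws GeneralSecurityException {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
        return V1 + Base64.getEncoder().encodeToString(out);
    }

    // Never throws: unprefixed legacy values pass through, damaged values yield defValue.
    String decode(String stored, String defValue) {
        if (stored == null) return defValue;
        if (!stored.startsWith(V1)) return stored; // written before the library was added
        try {
            byte[] in = Base64.getDecoder().decode(stored.substring(V1.length()));
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
            return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            System.err.println("secure-prefs: cannot decode value, using default: " + e);
            return defValue;
        }
    }

    public static void main(String[] args) throws Exception {
        VersionedValueCodec codec = new VersionedValueCodec(new byte[16]); // constructed demo key
        String stored = codec.encode("alice");
        System.out.println(codec.decode(stored, "none"));                  // round trip
        System.out.println(codec.decode("alice", "none"));                 // legacy plaintext
        System.out.println(codec.decode(stored.substring(0, 20), "none")); // truncated value
    }
}
```

The unprefixed pass-through accepts values that nothing has authenticated, so keep it only until existing values have been re-saved in encrypted form.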

Instrumentation test failed

I started testing the new version and one of the integration tests failed when I tried to build the library with Maven.

[INFO] 4df1c91a0c879f8b_samsung_GT-N7100 :       ERROR:com.mkovacs.android.secure.preferences.SecureSharedPreferencesFunctionalTest#testSecureSharedPreferencesApply
[INFO] 4df1c91a0c879f8b_samsung_GT-N7100 :       java.lang.IncompatibleClassChangeError: interface not implemented
            at com.mkovacs.android.secure.preferences.encryption.EncryptionHelper.encode(EncryptionHelper.java:71)
            at com.mkovacs.android.secure.preferences.SecuredEditor.putBoolean(SecuredEditor.java:69)
            at com.mkovacs.android.secure.preferences.SecureSharedPreferencesFunctionalTest.testSecureSharedPreferencesApply(SecureSharedPreferencesFunctionalTest.java:118)
            at java.lang.reflect.Method.invokeNative(Native Method)
            at android.test.InstrumentationTestCase.runMethod(InstrumentationTestCase.java:214)
            at android.test.InstrumentationTestCase.runTest(InstrumentationTestCase.java:199)
            at android.test.AndroidTestRunner.runTest(AndroidTestRunner.java:192)
            at android.test.AndroidTestRunner.runTest(AndroidTestRunner.java:177)
            at android.test.InstrumentationTestRunner.onStart(InstrumentationTestRunner.java:555)
            at android.app.Instrumentation$InstrumentationThread.run(Instrumentation.java:1619)

Add unit tests

Add unit tests for SecureUtils, EncryptionHelper, SecuredEditor, SecureFactory.
Check results with emma:

mvn emma:emma

Grave security issues with the used encryption setup

Hi,

You state your code derives its basic encryption logic from: http://www.java2s.com/Code/Android/Security/AESEncryption.htm (see: https://github.com/kovmarci86/android-secure-preferences/blob/master/secure-preferences/src/main/java/edu/gmu/tec/scout/utilities/Encryption.java)

This example has grave security issues, among others:

  • Silently uses the same key if none is provided
  • Uses ECB mode which is utterly insecure if the encrypted data is longer than 16 bytes
  • Uses broken MD5 hash to derive secret key from password

As far as I can see, you avoid the first point, but still the other points are grave enough to make the whole scheme very insecure.
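Added example, not code from the project or from the linked page: the setup the issue describes (MD5-derived key, AES in ECB mode) beside a salted PBKDF2 key with AES-GCM, with a check that makes the ECB leak visible on a value longer than 16 bytes. Class and method names, the PBKDF2 iteration count and the sample password and plaintext are assumptions chosen for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;

public class EcbVersusGcm {
    // Setup named in the issue: key = MD5(password), AES in ECB mode.
    static byte[] weakEncrypt(char[] password, byte[] plain) throws Exception {
        byte[] k = MessageDigest.getInstance("MD5")
                .digest(new String(password).getBytes(StandardCharsets.UTF_8));
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(k, "AES"));
        return c.doFinal(plain);
    }

    // Replacement: salted PBKDF2 key, AES-GCM with a fresh 12-byte nonce per value.
    static byte[] strongEncrypt(char[] password, byte[] salt, byte[] plain) throws Exception {
        byte[] k = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(new PBEKeySpec(password, salt, 100_000, 256)).getEncoded();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(k, "AES"), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain);
        return ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
    }

    // True when the 16-byte blocks starting at offsets a and b are identical.
    static boolean sameBlock(byte[] d, int a, int b) {
        return Arrays.equals(Arrays.copyOfRange(d, a, a + 16), Arrays.copyOfRange(d, b, b + 16));
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "constructed-demo-password".toCharArray();
        byte[] plain = "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.UTF_8);
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        System.out.println("ECB repeats block: " + sameBlock(weakEncrypt(pw, plain), 0, 16));
        System.out.println("GCM repeats block: " + sameBlock(strongEncrypt(pw, salt, plain), 12, 28));
    }
}
```

The salt has to be stored next to the ciphertext so the same key can be derived again for decryption.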

Multiple changes in one commit

Code like

        getPrefs().edit()
            .putString("closureID", closureID)
            .putString("merchantName", merchantName)
            .putString("sourceAuthKey", sourceAuthKey)
            .commit();

doesn't work, because you return an unsecured (standard) Editor from the putXY methods instead of SecuredEditor.
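Added example, not the library's code: a reduced model of the chaining behaviour this issue reports, showing which values reach storage without passing through the protecting wrapper. The `Editor` interface is a one-method stand-in for `android.content.SharedPreferences.Editor`, and the wrapper classes, `protect` placeholder and sample values are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class ChainedEditorDemo {
    // Stand-in for android.content.SharedPreferences.Editor, reduced to one method.
    interface Editor { Editor putString(String key, String value); }

    // Standard editor: stores whatever it is given.
    static class PlainEditor implements Editor {
        final Map<String, String> written = new LinkedHashMap<>();
        public Editor putString(String k, String v) { written.put(k, v); return this; }
    }

    // Placeholder for the encoding step; it only marks a value as protected.
    static String protect(String v) { return "<encrypted:" + v.length() + " chars>"; }

    // Behaviour described in the issue: the wrapper hands back the standard editor.
    static class ReturnsDelegate implements Editor {
        final Editor plain;
        ReturnsDelegate(Editor plain) { this.plain = plain; }
        public Editor putString(String k, String v) { return plain.putString(k, protect(v)); }
    }

    // Chain-safe wrapper: every put method returns the wrapper itself.
    static class ReturnsSelf implements Editor {
        final Editor plain;
        ReturnsSelf(Editor plain) { this.plain = plain; }
        public Editor putString(String k, String v) { plain.putString(k, protect(v)); return this; }
    }

    // Runs the chained call from the issue and returns what reached storage.
    static Map<String, String> chain(Editor editor, PlainEditor store) {
        editor.putString("closureID", "c-1").putString("merchantName", "demo shop")
              .putString("sourceAuthKey", "constructed-secret");
        return store.written;
    }

    public static void main(String[] args) {
        PlainEditor a = new PlainEditor(), b = new PlainEditor();
        System.out.println(chain(new ReturnsDelegate(a), a)); // only the first value is protected
        System.out.println(chain(new ReturnsSelf(b), b));     // all three values are protected
    }
}
```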

Missing licence

Please can you provide a licence for your project, now it is completely missing :-(

Add licensing information

What is the license that SecurePreferences is distributed under? Can you add a licensing file describing the license, or add a mention at the bottom of the readme?
