kovmarci86 / android-secure-preferences Goto Github PK

I'm thinking about adding secure-preferences to already existing project. Currently users will lost all preference data, because library can't decrypt non encrypted data. Did you think about it already?

Will be useful something like prefix for encrypted data with version identificator like "$sp-1-". And library will be use this to recognize if data are already encrypted. It allow also use different (more secure, faster) encryption in the future with backward compatibility for existing applications.

What do you mean?

I have now found this crash in my app

java.lang.ArrayIndexOutOfBoundsException: src.length=16 srcPos=0 dst.length=32 dstPos=32 length=5
            at java.lang.System.arraycopy(Native Method)
            at com.android.org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher.doFinal(PaddedBufferedBlockCipher.java:288)
            at com.android.org.bouncycastle.jce.provider.JCEBlockCipher$BufferedGenericBlockCipher.doFinal(JCEBlockCipher.java:1045)
            at com.android.org.bouncycastle.jce.provider.JCEBlockCipher.engineDoFinal(JCEBlockCipher.java:693)
            at javax.crypto.Cipher.doFinal(Cipher.java:1111)
            at edu.gmu.tec.scout.utilities.Encryption.decrypt(Encryption.java:94)
            at com.github.kovmarci86.android.secure.preferences.encryption.EncryptionHelper.createDecodedObjectStream(EncryptionHelper.java:101)
            at com.github.kovmarci86.android.secure.preferences.encryption.EncryptionHelper.readDecoded(EncryptionHelper.java:88)
            at com.github.kovmarci86.android.secure.preferences.encryption.EncryptionHelper.readAndDecodeTemplate(EncryptionHelper.java:44)
            at com.github.kovmarci86.android.secure.preferences.SecureSharedPreferences.getString(SecureSharedPreferences.java:74)
            at cz.idc.letenky.service.AppSettingsService.getUserLogin(AppSettingsService.java:50)
            at cz.idc.letenky.service.AppSettingsService.isUserLoggedIn(AppSettingsService.java:46)

Maybe encrypted data was corrupted accidently and now is not possible decrypt them, but it should by handled and better would be return default value in this situation than app crash. And log error to the logcat.

I started testing the new version and one of integration test failed, when I try to build library by maven.

[INFO] 4df1c91a0c879f8b_samsung_GT-N7100 :       ERROR:com.mkovacs.android.secure.preferences.SecureSharedPreferencesFunctionalTest#testSecureSharedPreferencesApply
[INFO] 4df1c91a0c879f8b_samsung_GT-N7100 :       java.lang.IncompatibleClassChangeError: interface not implemented
at com.mkovacs.android.secure.preferences.encryption.EncryptionHelper.encode(EncryptionHelper.java:71)
at com.mkovacs.android.secure.preferences.SecuredEditor.putBoolean(SecuredEditor.java:69)
at com.mkovacs.android.secure.preferences.SecureSharedPreferencesFunctionalTest.testSecureSharedPreferencesApply(SecureSharedPreferencesFunctionalTest.java:118)
at java.lang.reflect.Method.invokeNative(Native Method)
at android.test.InstrumentationTestCase.runMethod(InstrumentationTestCase.java:214)
at android.test.InstrumentationTestCase.runTest(InstrumentationTestCase.java:199)
at android.test.AndroidTestRunner.runTest(AndroidTestRunner.java:192)
at android.test.AndroidTestRunner.runTest(AndroidTestRunner.java:177)
at android.test.InstrumentationTestRunner.onStart(InstrumentationTestRunner.java:555)
at android.app.Instrumentation$InstrumentationThread.run(Instrumentation.java:1619)

Change groupId, package base to fulfil the requirements for uploading to the Maven Central Repository:
http://maven.apache.org/guides/mini/guide-central-repository-upload.html
http://maven.apache.org/guides/mini/guide-naming-conventions.html

Add unit tests for SecureUtils, EncryptionHelper,SecuredEditor, SecureFactory.
Check results with emma:

mvn emma:emma

Hi,

You state your code derives it's basic encryption logic from: http://www.java2s.com/Code/Android/Security/AESEncryption.htm (see: https://github.com/kovmarci86/android-secure-preferences/blob/master/secure-preferences/src/main/java/edu/gmu/tec/scout/utilities/Encryption.java)

This example has grave security issues, among others:

• Silently uses the same key if none is provided
• Uses ECB mode wich is utterly insecure if the encrypted data is longer than 16 byte
• Uses broken MD5 hash to derive secret key from password

As I can see you avoid the first point, but still the other points are grave enough to make the whole scheme very unsecure.

Adding support for getStringSet and putStringSet methods to work on Android 1.x, 2.x.
The minimum Sdk version is: ?

Set up pom.xmls to upload the project to central maven repository

Code like

        getPrefs().edit()
            .putString("closureID", closureID)
            .putString("merchantName", merchantName)
            .putString("sourceAuthKey", sourceAuthKey)
            .commit();

doesn't work, because you return unsecured (standard) Editor from putXY methods instead of SecuredEditor.

Please can you provide licence for your project, not it is completely missing :-(

What is the license that SecurePreferences is distributed under? Can you add a licensing file describing the license, or add a mention at the bottom of the readme?