Use of Secure SharedPreferences

Many apps that have a user authentication component sends a user’s access token to have access to the API and that user’s information.

Many posts on StackOverflow suggest storing the user’s access token in SharedPreferences to have easy access to it. In fact, this is what I’ve been doing too as it is easy and convenient. Also, based on what I’ve been reading on how to store tokens on the client side, this seems to be the de-facto way most people approach storing tokens on client side.

One recent code review I’ve gotten suggested that I use a third party Secure SharedPreferences library to encrypt the user’s access token. This is because a user who may have root access to their phone will be able to view the values stored in SharedPreferences. Is this being a bit too paranoid? I think so. I mean, the last time I rooted my phone was back in the original Droid days (500 mhz phone…) so that I can overclock it and install custom ROMs. These days, phones are so fast that I’m too lazy to root it. But is Secured SharedPreferences easy enough to implement to warrant not doing it? Nope, it’s super easy that it makes no sense not to use it to encrypt potentially sensitive user data when saving data to SharedPreferences.

There are numerous libraries available to do this. I decided to go with this one since it was the one suggested by the code reviewer.

https://github.com/scottyab/secure-preferences

Code reviews like this made me wonder whether I should get a proper job where I can work on Android development on a team with more people who are more experienced in Android development than I am. It should speed up my learning process (as it did with web development a few years ago). Also, I do miss working on a proper software development team.

About the Author Chris Jeon

Software developer currently focusing on Android development.