How to Encrypt Android SDK Preferences
Learn to Encrypt SDK Preferences in Android SDKs in mobile CI/CD with a Data-Driven DevSecOps™ build system.
What are SDK Preferences?
SDK Preferences, also known as SharedPreferences in the Android ecosystem, are settings within a software development kit (SDK) that dictate how the SDK operates within an app. These preferences store key-value pairs of data and are typically used for configurations, user settings, and other information that needs to persist across app sessions. This simple yet effective mechanism ensures that important data is maintained consistently within the application environment.
Here are some typical use cases for SDK Preferences in Android:
- User Preferences: Store user choices such as notification settings, language selection, and theme preferences that customize the user interface.
- Application Settings: Maintain configurations like API keys, server URLs, or feature flags that dictate how the application communicates with backend services or toggles certain features on or off.
- Session Data: Save session-specific data such as login tokens, user IDs, or other identifiers that are essential for maintaining user sessions without requiring re-authentication.
- Behavioral Parameters: Configure operational aspects of the SDK, such as caching mechanisms, data refresh rates, or error logging preferences, to optimize performance and user experience.
However, by default, SharedPreferences store data in plain text, making them vulnerable to unauthorized access and potential exploitation if the device is compromised.
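The contrast between the plaintext default and an encrypted store can be shown with the Jetpack Security library (androidx.security:security-crypto) that this page lists as a dependency. The Kotlin code below is an added example, not Appdome's code and not a description of how Appdome implements the feature. The file names and the functions openSdkPrefs and migratePlaintext are hypothetical.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey
import java.io.IOException
import java.security.GeneralSecurityException

// Hypothetical file names for an SDK's own preferences.
private const val PLAIN_FILE = "example_sdk_prefs"
private const val SECURE_FILE = "example_sdk_prefs_secure"

/** Opens the SDK's encrypted preferences, migrating legacy plaintext entries first. */
@Throws(GeneralSecurityException::class, IOException::class)
fun openSdkPrefs(context: Context): SharedPreferences {
    // The master key is created in the Android Keystore.
    val masterKey = MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build()

    // Key names are encrypted with AES-256-SIV, values with AES-256-GCM.
    // Exceptions propagate on purpose: never fall back to the plaintext file.
    val secure = EncryptedSharedPreferences.create(
        context, SECURE_FILE, masterKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )
    migratePlaintext(context.getSharedPreferences(PLAIN_FILE, Context.MODE_PRIVATE), secure)
    return secure
}

private fun migratePlaintext(plain: SharedPreferences, secure: SharedPreferences) {
    val legacy = plain.all
    if (legacy.isEmpty()) return
    val editor = secure.edit()
    for ((key, value) in legacy) {
        when (value) {
            is String -> editor.putString(key, value)
            is Boolean -> editor.putBoolean(key, value)
            is Int -> editor.putInt(key, value)
            is Long -> editor.putLong(key, value)
            is Float -> editor.putFloat(key, value)
            is Set<*> -> editor.putStringSet(key, value.filterIsInstance<String>().toSet())
        }
    }
    // Wipe the plaintext copy only after the encrypted write has been committed.
    if (editor.commit()) plain.edit().clear().commit()
}
```

On a device, the plaintext file sits in the app's shared_prefs directory as readable XML, while the encrypted file contains only ciphertext for both key names and values.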
How Does Encrypting SDK Preferences Protect Your SDK?
Encrypting SDK preferences is a vital security measure that directly protects the integrity and functionality of your SDK by ensuring that its configurations are kept secure from unauthorized access and manipulation. Here’s how it benefits your SDK:
- Secures Configuration Data: SDK preferences often contain configuration settings that dictate how the SDK operates within an app. These settings can include operational parameters like network configurations, API endpoints, and performance tuning options. Encrypting these preferences ensures that sensitive configuration data cannot be read or altered by unauthorized parties, thus maintaining the intended functionality and security posture of the SDK.
- Prevents Tampering: Encrypting SDK preferences ensures that any changes to the configuration data are detectable. This level of integrity checking helps prevent attackers from subtly altering SDK behavior in a way that could facilitate data breaches or other malicious activities.
- Enhances Reliability and Trust: Developers and clients using your SDK need assurance that the integrated components they rely on are not only functional but also secure. Encrypting the SDK preferences helps enhance the SDK’s overall reliability.
- Compliance with Security Standards: As with app data, SDK data often needs to comply with industry-specific security standards and regulations. Encryption of SDK preferences helps meet these standards, demonstrating a commitment to security and data protection. This compliance is crucial not just for legal adherence but also for maintaining market reputation and user trust.
By implementing encryption on SDK preferences, you protect against potential security threats and ensure that the SDK remains a reliable and trusted component in the app development ecosystem. This protection is crucial for maintaining the overall security and integrity of the apps that rely on your SDK.
Prerequisites for Using Encrypt SDK Preferences:
Before you encrypt your SDK preferences, you’ll need:
- Appdome account (create a free Appdome account here)
- A license for Encrypt SDK Preferences
- Mobile SDK (.aar for Android)
Gradle Dependency Requirement
Include the following Gradle dependency in your SDK documentation to support SDK Preference encryption:
androidx.security:security-crypto-ktx:1.1.0-alpha02
Appdome supports versions from 1.1.0-alpha02 up to the latest, currently 1.1.0-alpha06.
Encrypt SDK Preferences using Appdome
On Appdome, follow these simple steps to secure Android SDKs:
- Upload the Mobile SDK to Appdome.
  - Upload Method: Appdome Console or DEV-API
  - Android Formats: .aar
- Build the feature: Encrypt SDK Preferences.
  - Building Encrypt SDK Preferences using Appdome’s DEV-API:
    - Create and name the Fusion Set (security template) that will contain the Encrypt SDK Preferences feature as shown below:
      Figure 1: Fusion Set that will contain the Encrypt SDK Preferences feature
      Note: Naming the Fusion Set to correspond to the protection(s) selected is for illustration purposes only (not required).
    - Follow the steps in the section Building the Encrypt SDK Preferences feature via Appdome Console of this article to add the Encrypt SDK Preferences feature to this Fusion Set.
    - Open the Fusion Set Detail Summary by clicking the “…” symbol on the far-right corner of the Fusion Set. Copy the Fusion Set ID from the Fusion Set Detail Summary (as shown below):
      Figure 2: Fusion Set Detail Summary
      Note: Annotating the Fusion Set to identify the protection(s) selected is optional (not mandatory).
    - Follow the instructions below to use the Fusion Set ID inside any standard mobile DevOps or CI/CD toolkit like Bitrise, App Center, Jenkins, Travis, Team City, Circle CI, or other systems:
      - Look for sample APIs in Appdome’s GitHub Repository
      - Build an API for the SDK – for instructions, see the tasks under Appdome API Reference Guide
  - Building the Encrypt SDK Preferences feature via Appdome Console
    - Where: Inside the Appdome Console, go to Build > Build SDKProtect™ Tab > SDK Threat-Shielding section.
    - How: Check whether SDK Threat-Shielding is toggled On (enabled); otherwise, enable it. The feature Encrypt SDK Preferences is enabled by default, as shown below.
      Figure 3: Encrypt SDK Preferences option
    - When you enable SDK Threat-Shielding, the Fusion Set you created now bears the icon of the protection category that contains Encrypt SDK Preferences.
      Figure 4: Fusion Set that displays the newly added Encrypt SDK Preferences protection
    - Click Build My SDK at the bottom of the Build Workflow (shown in Figure 3).
Certify the Encrypt SDK Preferences feature in Android Apps.
After building Encrypt SDK Preferences, Appdome generates a Certified Secure™ certificate to guarantee that the Encrypt SDK Preferences protection has been added and is protecting the mobile SDK. To verify that the Encrypt SDK Preferences protection has been added to the SDK, locate the protection in the Certified Secure™ certificate as shown below:
Figure 5: Certified Secure™ certificate
Each Certified Secure™ certificate provides DevOps and DevSecOps organizations with the entire workflow summary, audit trail of each build, and proof of protection that Encrypt SDK Preferences has been added to each Android SDK.
How Do I Learn More?
If you have any questions, please send them our way at support.appdome.com or via the chat window on the Appdome platform.