Kordant/tasks/android-production/07-encrypted-storage.md
2026-05-26 16:06:34 -04:00


07. Encrypted SharedPreferences & DataStore Audit

meta:
  id: android-production-07
  feature: android-production
  priority: P1
  depends_on: []
  tags: [security, data-protection, production]

objective:

  • Audit and secure all local data storage using encrypted SharedPreferences and DataStore

deliverables:

  • EncryptedSharedPreferences for sensitive data
  • DataStore for preferences
  • Secure data deletion
  • Storage audit report

steps:

  1. Audit current storage:
    • Review all SharedPreferences usage
    • Review DataStore usage
    • Review CacheManager.kt
    • Identify all sensitive data stored locally
  2. Implement encrypted preferences:
    • Use EncryptedSharedPreferences from androidx.security
    • Store auth tokens, refresh tokens
    • Store biometric preference
    • Store user profile data
  3. Configure DataStore:
    • Use DataStore for non-sensitive preferences
    • Covers theme, language and notification settings
    • Migrate from SharedPreferences if needed
  4. Secure CacheManager:
    • Ensure no sensitive data in unencrypted cache
    • Encrypt cached API responses containing PII
    • Set cache size limits
    • Implement secure eviction
  5. Add secure deletion:
    • Overwrite sensitive data before removal
    • Clear all secure storage on logout
    • Handle account deletion (GDPR)
  6. Add backup exclusion:
    • Exclude encrypted preferences from cloud backup
    • Mark sensitive files with android:allowBackup="false"
    • Document backup strategy
  7. Test storage security:
    • Verify data encrypted at rest
    • Verify no plaintext sensitive data in files
    • Test backup/restore behavior
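
The following wrapper is an added illustration of steps 2, 5 and 7 and is not code from the Kordant project: it builds an EncryptedSharedPreferences instance backed by a Keystore master key, stores the access/refresh tokens, clears them on logout, and exposes a check for the "no plaintext tokens in files" test. The class name, preferences file name and key names are assumptions.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import androidx.core.content.edit
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey
import java.io.File

// Hypothetical token store (not part of the Kordant code base).
class SecureTokenStore(private val context: Context) {

    // Master key is generated inside the Android Keystore; AES256_GCM is the
    // scheme the library supports for it, so raw key bytes never reach app memory.
    private val masterKey = MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build()

    // Preference keys use deterministic AES-256-SIV (so lookups still work),
    // values use AES-256-GCM; both are unreadable without the Keystore key.
    private val prefs: SharedPreferences = EncryptedSharedPreferences.create(
        context,
        PREFS_FILE,
        masterKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM,
    )

    fun saveTokens(accessToken: String, refreshToken: String) {
        // commit = true writes synchronously so the caller knows it hit disk.
        prefs.edit(commit = true) {
            putString(KEY_ACCESS, accessToken)
            putString(KEY_REFRESH, refreshToken)
        }
    }

    fun accessToken(): String? = prefs.getString(KEY_ACCESS, null)
    fun refreshToken(): String? = prefs.getString(KEY_REFRESH, null)

    // Logout / account deletion: drop every entry before the caller proceeds.
    fun clearAll() = prefs.edit(commit = true) { clear() }

    // Validation hook for the security test: the backing XML file must never
    // contain the token value itself (an unencrypted store would fail this).
    fun fileLeaksPlaintext(token: String): Boolean {
        val file = File(context.applicationInfo.dataDir, "shared_prefs/$PREFS_FILE.xml")
        return file.exists() && file.readText().contains(token)
    }

    companion object {
        private const val PREFS_FILE = "secure_auth_prefs"  // assumed file name
        private const val KEY_ACCESS = "access_token"        // assumed key name
        private const val KEY_REFRESH = "refresh_token"      // assumed key name
    }
}
```

Note that `androidx.security:security-crypto` has been marked deprecated upstream, so pin the version used in the audit and record it in the storage report. For step 6, exclusion of this file from cloud backup is expressed in the app's `android:fullBackupContent` / `android:dataExtractionRules` XML rules; `android:allowBackup` is an application-level manifest attribute, not a per-file marker.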

tests:

  • Unit: Test encrypted storage read/write
  • Security: Verify no plaintext tokens in files
  • Integration: Test logout clears all data

acceptance_criteria:

  • All sensitive data in EncryptedSharedPreferences
  • Auth tokens encrypted at rest
  • Refresh tokens encrypted at rest
  • Non-sensitive preferences in DataStore
  • No sensitive data in unencrypted cache
  • Secure deletion overwriting data
  • Sensitive storage excluded from backup
  • Logout clears all auth data
  • Account deletion removes all local data
  • No plaintext sensitive data discoverable in app files

validation:

  • Inspect app files → no plaintext tokens
  • Check EncryptedSharedPreferences → data encrypted
  • Logout → all auth data cleared
  • Backup app → sensitive data not included
  • Account deletion → all data removed

notes:

  • EncryptedSharedPreferences uses AES-256 encryption (AES-256-SIV for preference keys, AES-256-GCM for values)
  • Master key stored in Android Keystore
  • DataStore is the modern replacement for SharedPreferences, but it does not encrypt its contents, so it holds non-sensitive preferences only
  • Consider using SQLCipher for database encryption if using Room