
remove com.scottyab:secure-preferences-lib dependency

Open fkooman opened this issue 8 years ago • 10 comments

It seems more of a liability than adding anything: https://github.com/scottyab/secure-preferences

By default it's not bullet proof security (in fact it's more like obfuscation of the preferences) but it's a quick win for incrementally making your android app more secure. For instance it'll stop users on rooted devices easily modifying your app's shared prefs. Recommend using the user password based prefs as introduced in v0.1.0.

fkooman avatar Nov 04 '17 11:11 fkooman

Is it easy to remove this?

ghost avatar Oct 24 '19 10:10 ghost

Replacing the implementation would not be too hard, only we need to spend some extra time to migrate the data over to the new implementation. A good alternative would be facebook/conceal, what do you think?

dzolnai avatar Oct 24 '19 10:10 dzolnai

I think just using the private app storage is more than enough... we don't need to protect against the user, but only against other installed apps obtaining the key/token information on a non-rooted device.

ghost avatar Oct 24 '19 10:10 ghost

Okay, will switch to plain text preferences then!

dzolnai avatar Oct 24 '19 10:10 dzolnai

Fixed! I had to keep the dependency because of the migration, but we can remove it in the next major release probably.

dzolnai avatar Nov 08 '19 06:11 dzolnai
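The one-time copy described in this thread (legacy secure-preferences store to plain, app-private SharedPreferences), written out as an added example; it is not the eduVPN app's own migration code. It assumes the legacy store was created with the library's no-password constructor, and `PLAIN_FILE` and the `KEYS` array are hypothetical stand-ins for the app's real file name and key names.

```java
import android.content.Context;
import android.content.SharedPreferences;
import com.securepreferences.SecurePreferences;

/** Migrates known keys from scottyab SecurePreferences into plain MODE_PRIVATE prefs. */
public final class PrefsMigration {
    private static final String PLAIN_FILE = "app_prefs";              // hypothetical file name
    private static final String MIGRATED_FLAG = "secure_prefs_migrated";
    private static final String[] KEYS = { "server_url", "access_token" }; // hypothetical key names

    private PrefsMigration() {}

    /** Returns true when the plain store is ready to use (migrated now or on an earlier run). */
    public static boolean migrate(Context ctx) {
        SharedPreferences plain = ctx.getSharedPreferences(PLAIN_FILE, Context.MODE_PRIVATE);
        if (plain.getBoolean(MIGRATED_FLAG, false)) {
            return true; // already done; never re-run, the legacy store may be gone by now
        }
        SharedPreferences legacy;
        try {
            // The library implements SharedPreferences and decrypts values on read.
            legacy = new SecurePreferences(ctx);
        } catch (RuntimeException e) {
            return false; // legacy store cannot be opened: touch nothing and retry on next launch
        }
        SharedPreferences.Editor out = plain.edit();
        int copied = 0;
        for (String key : KEYS) {
            // Assumption: a value whose decryption fails comes back as null rather than garbage.
            String value = legacy.getString(key, null);
            if (value != null) {
                out.putString(key, value);
                copied++;
            }
        }
        out.putBoolean(MIGRATED_FLAG, true);
        if (!out.commit()) {
            return false; // the plain copy must be on disk before the old store is discarded
        }
        if (copied == KEYS.length) {
            legacy.edit().clear().apply(); // discard legacy data only once every value was carried over
        }
        // Partial copy: the user re-enters what is missing; legacy data is kept for inspection.
        return true;
    }
}
```

Because the legacy values are only readable through the library's own key handling, the dependency has to stay until every installed user has run this once, which is the constraint the comment above describes.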

Breaks updates on Android 9, i.e. app loses data.

ghost avatar Nov 26 '19 14:11 ghost

Approaches:

  1. Do nothing;
  2. Remove the lib now as the majority of users will be impacted anyway (70+% is on Android 9 according to @dzolnai based on statistics of other apps he published in play store, takes about 30 minutes to 1 hour to complete)

In both scenarios users will have to re-enter the URL of their server.

As for eduVPN: this will require the user to choose their country/institute again.

The most important thing is that this shitty dependency can not possibly do any more damage going forward.

ghost avatar Nov 26 '19 15:11 ghost

One small correction: for point 1, for users who are not on Android 9 (so around 30%) the app should still work without losing data.

dzolnai avatar Nov 26 '19 15:11 dzolnai

Personally I think it will be best to remove the dependency as soon as possible to avoid having to deal with this in the future. On the other hand, when switching to "no buttons" all data will be lost again. Although that should only affect eduVPN and not Let's Connect!.

@efef what do you think?

ghost avatar Nov 29 '19 13:11 ghost

I understood that @dzolnai should be available to work on no-buttons in January, think this is soon enough to wait and combine things

efef avatar Nov 29 '19 22:11 efef