Secure Storage Plugin for Xamarin and Windows

Many apps need to store sensitive data such as passwords, credit card numbers, and session tokens. This data should not be stored in clear text. Text files and settings store information in plain text, so they are not an option for storing sensitive data.

Each mobile platform has its own mechanism to store sensitive information. This plugin provides a simple API abstracted over iOS, Android, UWP, and MacOS platforms. The API is similar to key value storage.

The underlying implementation on each platform takes care of securing the data and storing it. On iOS, it is stored using the Keychain. On Android, it uses a password-protected KeyStore. On Windows, it is stored using the Data Protection mechanism. The platform-specific details are encapsulated under the hood, keeping the API simple.

The plugin has no dependencies on any package (including Xamarin.Forms, MVVMCross). It can be used by any Xamarin or Windows app. It is open source.

Here are examples of how to use it:

To store a value:


CrossSecureStorage.Current.SetValue("SessionToken", "1234567890");

To retrieve a value:

var sessionToken = CrossSecureStorage.Current.GetValue("SessionToken");

To delete a value:

CrossSecureStorage.Current.DeleteKey("SessionToken");

To check if a key exists:

var exists = CrossSecureStorage.Current.HasKey("SessionToken");

NOTE:

In Android apps, it is required that the password is set by the application prior to use.

SecureStorageImplementation.StoragePassword = "Your Password";

In Windows apps, it is required that the password is set by the application prior to use.

WinSecureStorageBase.StoragePassword = "Your Password";
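A session-token lifecycle built on the four calls above, as an added example that is not the plugin's own code. `SessionTokenStore`, the `SessionTokenExpiry` key, and the `Plugin.SecureStorage` namespace are assumptions; the platform `StoragePassword` from the NOTE must already be set at startup.

```csharp
using System;
using System.Globalization;
using Plugin.SecureStorage; // assumed namespace of the plugin package

// Hypothetical helper (not part of the plugin): keeps a session token and its
// expiry in secure storage. Platform startup code must already have set
// StoragePassword as described in the NOTE above.
public static class SessionTokenStore
{
    const string TokenKey = "SessionToken";
    const string ExpiryKey = "SessionTokenExpiry"; // hypothetical second key

    public static void Save(string token, DateTimeOffset expiresAt)
    {
        if (string.IsNullOrEmpty(token)) throw new ArgumentException("empty token", nameof(token));
        var store = CrossSecureStorage.Current;
        // Values are strings, so the expiry is stored as Unix seconds in text form.
        store.SetValue(ExpiryKey, expiresAt.ToUnixTimeSeconds().ToString(CultureInfo.InvariantCulture));
        store.SetValue(TokenKey, token);
    }

    // Returns false when no usable token is stored; stale or corrupt entries are purged.
    public static bool TryGet(out string token)
    {
        token = null;
        var store = CrossSecureStorage.Current;
        if (!store.HasKey(TokenKey) || !store.HasKey(ExpiryKey)) return false;

        long expiry;
        bool parsed = long.TryParse(store.GetValue(ExpiryKey), NumberStyles.Integer,
                                    CultureInfo.InvariantCulture, out expiry);
        if (!parsed || expiry <= DateTimeOffset.UtcNow.ToUnixTimeSeconds())
        {
            Clear(); // do not leave an expired token on the device
            return false;
        }
        token = store.GetValue(TokenKey);
        return !string.IsNullOrEmpty(token);
    }

    // Call on logout so the token does not outlive the session.
    public static void Clear()
    {
        var store = CrossSecureStorage.Current;
        store.DeleteKey(TokenKey);
        store.DeleteKey(ExpiryKey);
    }
}
```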

Two sample apps (one for Xamarin and another for Windows) are provided on GitHub for your reference.

Plugin: http://www.nuget.org/packages/sameerIOTApps.Plugin.SecureStorage/

GitHub: https://github.com/sameerkapps/SecureStorage

Update: A blog post about “What’s new in ver 2.0.0” is here: https://sameer.blog/2018/01/19/whats-new-in-secure-storage-2-0/

 

 

 


6 thoughts on “Secure Storage Plugin for Xamarin and Windows”

  1. Hi Sameer. I came across this while looking for somewhere to store a sensitive item (a string) between successive executions of my app (on Play Store in limited test as a convenient distribution mechanism). My plan is to authorize the user into the app with the fingerprint scanner (or some other authentication mechanism later). Once that is done he can enter the sensitive string, and I’ll save it via SecureStorage so that he can retrieve it again on the next execution of the app after the fingerprint is accepted. My problem is, I don’t see how to stop somebody finding the StoragePassword I have chosen by doing a simple analysis or decompilation of my app. And once they have that, then my fingerprint scan idea is essentially useless. Or have I misunderstood something? I know I’m being paranoid, because the thief needs to have decompiled my app and stolen my phone, but it’s a challenge I’d like to solve properly.


    1. You are correct about the ability of phone being stolen and app being reverse engineered to find sensitive data. The remedy is to have your password and obfuscate the app. So the password cannot be retrieved. Effectively the data cannot be stolen. Hope this helps. BTW, I just published a new version of the package that supports .NET Standard. You can see the new features here. https://www.nuget.org/packages/sameerIOTApps.Plugin.SecureStorage/


  2. Hi,
    I really like this package and the fact that it implements KeyChain and KeyStore.
    But could you provide more information on the UWP implementation “Data protection Mechanism”?
    I need the information for the security team at my organisation.

    Plus would this be the most secure way to store Credit/ debit card details?

    Thanks, Ieuan Walker.


      1. Yes. It supports only string values. The secure data generally consists of security tokens, password, credit card etc. that does not require numerical processing. So only the string type is supported.

