Secure Storage Plugin for Xamarin and Windows

Many apps need to store sensitive data such as password, credit card numbers, session token etc. This data should not be stored in clear text. Text files and settings store information in plain text. So they are not an option for storing sensitive data.

Each mobile platform has its own mechanism to store sensitive information. This plugin provides a simple API abstracted over iOS, Android and Windows platforms (Phone, Store and UWP). The API is similar to key value storage.

The underlying implementation on each platform takes care of securing the data and storing it. On iOS platform, it is stored using KeyChain. On Android, it uses password protected KeyStore. Windows platform stores it using Data Protection mechanism. However the nitty-gritties of each platform are encapsulated under the hood, keeping the API simple.

The plugin has no dependencies on any package (including Xamarin.Forms, MVVMCross). It can be used by any Xamarin or Windows app. It is open source.

Here are the examples of how to use it:

To store a value:


CrossSecureStorage.Current.SetValue(“SessionToken”, “1234567890”);

To retrieve a value:

var sessionToken = CrossSecureStorage.Current.GetValue (“SessionToken”);

To delete a value:

CrossSecureStorage.Current.DeleteKey(“SessionToken”);

To check, if a key exists:

var exists = CrossSecureStorage.Current.HasKey (“SessionToken”);

NOTE:

In Android apps, it is required that the password is set by the application prior to use.

SecureStorageImplementation.StoragePassword = "Your Password";

In Windows apps, it is required that the password is set by the application prior to use.

WinSecureStorageBase.StoragePassword = "Your Password";

Two sample apps (one for Xamarin and another for Windows) are provided on the GitHub for your reference.

Plugin: http://www.nuget.org/packages/sameerIOTApps.Plugin.SecureStorage/

GitHub: https://github.com/sameerkapps/SecureStorage

 

 

 

 

 

Advertisements

2 thoughts on “Secure Storage Plugin for Xamarin and Windows”

  1. Hi Sameer. I came across this while looking for somewhere to store a sensitive item (a string) between successive executions of my app (on Play Store in limited test as a convenient distribution mechanism). My plan is to authorize the user into the app with the fingerprint scanner (or some other authentication mechanism later). Once that is done he can enter the sensitive string, and I’ll save it via SecureStorage so that he can retrieve it again on the next execution of the app after the fingerprint is accepted. My problem is, I don’t see how to stop somebody finding the StoragePassword I have chosen by doing a simple analysis or decompilation of my app. And once they have that, then my fingerprint scan idea is essentially useless. Or have I misunderstood something? I know I’m being paranoid, because the thief needs to have decompiled my app and stolen my phone, but it’s a challenge I’d like to solve properly.

    Like

    1. You are correct about the ability of phone being stolen and app being reverse engineered to find sensitive data. The remedy is to have your password and obfuscate the app. So the password cannot be retrieved. Effectively the data cannot be stolen. Hope this helps. BTW, I just published new version of the package that supports .net standard. You can see the new features here. https://www.nuget.org/packages/sameerIOTApps.Plugin.SecureStorage/

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s