Posted on

Secure Storage Plugin for Xamarin and Windows

Many apps need to store sensitive data such as password, credit card numbers, session token etc. This data should not be stored in clear text. Text files and settings store information in plain text. So they are not an option for storing sensitive data.

Each mobile platform has its own mechanism to store sensitive information. This plugin provides a simple API abstracted over iOS, Android, UWP, and MacOS platforms. The API is similar to key value storage.

The underlying implementation on each platform takes care of securing the data and storing it. On iOS platform, it is stored using KeyChain. On Android, it uses password protected KeyStore. Windows platform stores it using Data Protection mechanism. However the nitty-gritties of each platform are encapsulated under the hood, keeping the API simple.

The plugin has no dependencies on any package (including Xamarin.Forms, MVVMCross). It can be used by any Xamarin or Windows app. It is open source.

Here are the examples of how to use it:

To store a value:


CrossSecureStorage.Current.SetValue(“SessionToken”, “1234567890”);

To retrieve a value:

var sessionToken = CrossSecureStorage.Current.GetValue (“SessionToken”);

To delete a value:

CrossSecureStorage.Current.DeleteKey(“SessionToken”);

To check, if a key exists:

var exists = CrossSecureStorage.Current.HasKey (“SessionToken”);

NOTE:

In Android apps, it is required that the password is set by the application prior to use.

SecureStorageImplementation.StoragePassword = "Your Password";

In Windows apps, it is required that the password is set by the application prior to use.

WinSecureStorageBase.StoragePassword = "Your Password";

Two sample apps (one for Xamarin and another for Windows) are provided on the GitHub for your reference.

Plugin: http://www.nuget.org/packages/sameerIOTApps.Plugin.SecureStorage/

GitHub: https://github.com/sameerkapps/SecureStorage

Update: Blog about “What’s new in ver 2.0.0” is here: https://sameer.blog/2018/01/19/whats-new-in-secure-storage-2-0/

 

 

 

13 thoughts on “Secure Storage Plugin for Xamarin and Windows”

  1. Hi Sameer. I came across this while looking for somewhere to store a sensitive item (a string) between successive executions of my app (on Play Store in limited test as a convenient distribution mechanism). My plan is to authorize the user into the app with the fingerprint scanner (or some other authentication mechanism later). Once that is done he can enter the sensitive string, and I’ll save it via SecureStorage so that he can retrieve it again on the next execution of the app after the fingerprint is accepted. My problem is, I don’t see how to stop somebody finding the StoragePassword I have chosen by doing a simple analysis or decompilation of my app. And once they have that, then my fingerprint scan idea is essentially useless. Or have I misunderstood something? I know I’m being paranoid, because the thief needs to have decompiled my app and stolen my phone, but it’s a challenge I’d like to solve properly.

    Like

    Reply

    1. You are correct about the ability of phone being stolen and app being reverse engineered to find sensitive data. The remedy is to have your password and obfuscate the app. So the password cannot be retrieved. Effectively the data cannot be stolen. Hope this helps. BTW, I just published new version of the package that supports .net standard. You can see the new features here. https://www.nuget.org/packages/sameerIOTApps.Plugin.SecureStorage/

      Like

      Reply

  2. Hi,
    I really like this package and the fact that it implements KeyChain and KeyStore.
    But could you provide more information on the UWP implementation “Data protection Mechanism”?
    I need the information for the security team at my organisation.

    Plus would this be the most secure way to store Credit/ debit card details?

    Thanks, Ieuan Walker.

    Like

    Reply

      2. Yes. It supports only string values. The secure data generally consists of security tokens, password, credit card etc. that does not require numerical processing. So only the string type is supported.

        Like

  3. Hi again, Sameer. I’ve now started to use the latest version of the plugin and it works just great (I’m using Android and UWP). However, during my development I have managed to create some “junk” key/value entries in the storage which I can’t delete since I have (stupidly!) lost the key values. Is it possible to enumerate the existing key values in some way? Or even clear the entire storage?

    Like

    Reply

  4. Hi,

    The security team at my organisation are happy with the iOS implementation of using KeyChain.
    But they are not convinced that KeyStore should be used for storing users data.

    Could you provide some more information about why KeyStore is suitable, the encryption used and any other information that may help my case.

    Thanks in advance, Ieuan Walker.

    Like

    Reply

    1. Hi,
      Android provides two options to store confidential data KeyChain and KeyStore. KeyChain provides system-wide storage, whereas KeyStore provides App specific storage that can be accessed only by the App.
      The new package 2.5.0 has an implementation of AndroidKeyStore. The security features of the AndroidKeyStore are documented here:
      https://developer.android.com/training/articles/keystore#SecurityFeatures

      Hope this helps to clarify any doubts regarding its security.

      Like

      Reply

  5. Hi there,
    AWESOME plugin! Thank you for sharing!
    Just a quick question. Let’s say I store the user’s name at SecureStorage. If I publish an update of the app, will the user’s name be deleted after updating? If not, is that possible?

    Like

    Reply

    1. Thanks for the compliments! After the update, user’s name will not be deleted. It is stored by the underlying platform. Your app will have to explicitly delete it using CrossSecureStorage.Current.DeleteKey(…);

      Like

      Reply

Leave a reply to Ieuan Walker Cancel reply