What’s new in Secure Storage 2.0?

Secure Storage NuGet package was created to provide a cross-platform library to store sensitive data. It has easy to use API at the abstraction layer that is implemented in the platform-specific layers. This provides platform agnostic API as well as platform-specific implementations. In 1.x versions, the abstraction layer was implemented in PCL using profile 259. And the supported platforms were iOS, Android and Windows Phone.

After more than 47K downloads of the package, 20 forks of the repository and introduction of .Net Standard 2.0, there were several feature requests on the GitHub for major enhancements. As a result, 2.0 was released with the following major changes:

• Abstraction Layer => Compatible with .net standard
As mentioned before, this was a PCL layer. It has been converted to .net standard. As per the best practices, a library should be at the lowest .net standard to support a wider range of Apps. Taking that into account, this layer supports .net standard 1.0. So it can be used by any app that supports 1.0 and above.

To provide consistent API with other Xamarin Plugins, CrossSecureStorage has a new property IsSupported. Using this, a developer can check, if a package has been implemented on a certain platform or not.

• iOS Layer – No changes
This layer has not changed, and storage mechanism is backward compatible.

• Android Layer – Hardware serial number is the default password
In the 1.x package, it was necessary to provide a password for the Android implementation. There have been several questions on blog and GitHub about potential security leak in case someone reverse engineers the app. It is strongly recommended to use Obfuscation to prevent it.

In 2.0, the Android implementation comes with the device’s hardware serial number as the default password. The advantage of this feature is it prevents having a common password for the entire app. So if the developer does not do string obfuscation, it will be harder to find the password and access the data.

Caution: A hacker may still be able to get access to the data by finding the device serial number.

• UWP – New platform in 2.0.
This is a new platform in 2.0. It has been implemented using PasswordVault feature of UWP. The package id is used as the credential source, the key for storage is mapped to UserName and the value is mapped to Password field of the PasswordCredential.
PasswordVault (and UWP layer) has the following limitations.

o Max 10 values per app.
In UWP, PasswordVault has the limitation of storing max 10 values per App. The package inherits the limitation for UWP platform only. This would not be an issue for most of the apps.

o The value cannot be set as null or empty string.
PasswordVault does not allow null or empty values. So this is one more platform limitation. But it is an unlikely case that an App is required to securely store an empty string. The developer may want to delete the key instead.

• Mac – New platform in 2.0.0
Since Xamarin Forms is expanding to Mac OS, it is important to support the platform. The implementation is very similar to iOS storage. The only difference being the record is stored as InternetPassword in MacOS vs GenericPassword in iOS.

• Tizen – New platform in 2.0.0
Tizen is an open source Linux based OS created by Samsung and Intel to support Mobile, Wearable and TV devices. It was encouraging to see that Samsung team created a pull request with full implementation for their platform using DataManager. Thanks #samsung. It has been incorporated into the package.

• Windows Phone 8.X – RIP
For obvious reason, support for Windows Phone 8 and 8.X has been retired. If anybody wants to use it, it is there in 1.2.2

The package can be obtained here: https://www.nuget.org/packages/sameerIOTApps.Plugin.SecureStorage/

Source is on the GitHub: https://github.com/sameerkapps/SecureStorage

Thanks to all the contributors on the GitHub.

Thanks for your time for reading this. Feel free to share this article/blog. Comments/Questions are welcome.

Blog related to the first version that has more detail API. https://sameerkapps.wordpress.com/2016/02/01/secure-storage-plugin-for-xamarin/

Published by: Sameer Khandekar

I am a passionate software engineer who loves to work on Azure microservices, REST API, SDKs, and .NET apps using WPF, Xamarin, and MAUI. The work includes highly scalable geo-distributed services and an authentication library with nearly 500 million downloads. I also had fun integrating with hardware using Bluetooth (BLE). More here: https://www.sameer.blog/about/

Categories Uncategorized1 Comment

One thought on “What’s new in Secure Storage 2.0?”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s