[Android] [Beta] Version 10 - Full migration to custom implementation of SecureSharedPreferences #769

Open
juliansteenbakker opened this issue Aug 13, 2024 · 20 comments

@juliansteenbakker
Owner

juliansteenbakker commented Aug 13, 2024

A long outstanding problem with the Android part of this package is the deprecated usage of older cryptography (CBC with PKCS5/PKCS7 padding) for SDK < 23, and the already deprecated JetSec Crypto library that is being used for the current implementation of SecureSharedPreferences.

To fix these issues, I am moving to a custom implementation of the JetSec Crypto library, and removing all other deprecated methods of encrypting the shared preferences. This requires the minimum SDK to be raised from 21 to 23.

I am currently testing the new implementation in the branch version-10. Any help is greatly appreciated.

Affected issues:
#512 #522 #562 #584 #627 #672 #694 #713 #729 #758 #759

@paulking86

paulking86 commented Aug 14, 2024

Hi @juliansteenbakker - Thanks for your work on this! 👏

Have just tested the version-10 branch using the override for flutter_secure_storage_web: ^2.0.0-beta.1.

When running the app on a device which has written to secure storage prior to this upgrade, my app crashes on startup (when I first call readAll()). Here is the traceback:

```
PlatformException(Exception encountered, readAll, java.lang.SecurityException: Could not decrypt key. decryption failed
	at com.it_nomads.fluttersecurestorage.crypto.EncryptedSharedPreferences.decryptKey(EncryptedSharedPreferences.java:566)
	at com.it_nomads.fluttersecurestorage.crypto.EncryptedSharedPreferences.getAll(EncryptedSharedPreferences.java:377)
	at com.it_nomads.fluttersecurestorage.FlutterSecureStorage.readAll(FlutterSecureStorage.java:54)
	at com.it_nomads.fluttersecurestorage.FlutterSecureStoragePlugin$MethodRunner.run(FlutterSecureStoragePlugin.java:156)
	at android.os.Handler.handleCallback(Handler.java:959)
	at android.os.Handler.dispatchMessage(Handler.java:100)
	at android.os.Looper.loopOnce(Looper.java:232)
	at android.os.Looper.loop(Looper.java:317)
	at android.os.HandlerThread.run(HandlerThread.java:85)
Caused by: java.security.GeneralSecurityException: decryption failed
	at com.google.crypto.tink.daead.DeterministicAeadWrapper$WrappedDeterministicAead.decryptDeterministically(DeterministicAeadWrapper.java:122)
	at com.it_nomads.fluttersecurestorage.crypto.EncryptedSharedPreferences.decryptKey(EncryptedSharedPreferences.java:557)
	... 8 more
```

If I uninstall the previous version of my app (using 9.2.2) and perform a clean install (using version-10), then the app appears to work as expected.

This is using a physical Google Pixel 7 pro on Android 15, Flutter 3.22.3. Have yet to try on iOS but will do that later. If there is any other information you need or anything you want me to try, do let me know! 👍

@paulking86

Can confirm that this issue does not occur on iOS. This is also a physical device (iPhone 12), iOS 16, Flutter 3.22.3. version-10 appears to be behaving and I have yet to observe any keychain related errors. 💪

@juliansteenbakker
Owner Author

> This is using a physical Google Pixel 7 pro on Android 15, Flutter 3.22.3. Have yet to try on iOS but will do that later. If there is any other information you need or anything you want me to try, do let me know! 👍

Did you set the encryptedSharedPreferences to true, or didn't you use it at all?

@paulking86

Instantiated with defaults!

```dart
final storage = new FlutterSecureStorage();
```

Will try with encrypted preferences on now 👍

@paulking86

Can confirm that I get the same behaviour when initialising like this:

```dart
final storage = new FlutterSecureStorage(aOptions: AndroidOptions(encryptedSharedPreferences: true));
```

This is when opening the app after upgrading from the version that uses 9.2.2 and no encrypted preferences.

As before, the app seems to behave as expected in encrypted preferences mode with a fresh install!

I am going to turn encrypted prefs on in 9.2.2, and then see what happens when upgrading to version 10 with encrypted prefs on.

@juliansteenbakker
Owner Author

Thanks for checking! I think we need a migration helper for this use case. I will let you know when I have some work done.

@paulking86

No problem @juliansteenbakker - I can confirm that upgrading from 9.2.2 with encrypted prefs to 10 also using encrypted prefs appears to work as expected 🙌

@sed1ka

sed1ka commented Aug 29, 2024

Hi @juliansteenbakker thanks for your work!

When will version 10 be released?
Suppose it can't be estimated. Can it be published in pre-release?

@Gonzalo-Bruna

I wish we could have some news about this, I still can't fix the issue on many devices, and I might have to use another library for now. Any updates on the progress?

@acacioveit

any updates here guys? thank you very much in advance

@bahadirarslan

> I wish we could have some news about this, I still can't fix the issue on many devices, and I might have to use another library for now. Any updates on the progress?

I am dropping this package because of this problem. I hope one day you can fix it and we can return.

@acacioveit

Yeah @bahadirarslan, I'm also thinking about that, even downgrading to version 6 it is not working in many devices here in our application :(

@bryan1anderson

@juliansteenbakker so am I understanding correctly that you have accomplished all the main heavy lifting with moving away from the deprecated package.. but now you need help writing a migration so that it doesn't crash existing apps?

@juliansteenbakker
Owner Author

Hi all, I have been working on a migration which I am testing right now. Once done, I will release this under a new beta version.

@dharanidharandharmasivam

@juliansteenbakker , could you please provide an approximate timeline for this beta release, so that I can plan accordingly for my project?

@ernestjsf

Is there any update about this issue? Any estimated time frame for when it will be fixed?

@juliansteenbakker
Owner Author

Hi all, I have worked on a version with migration support. The timeline is as follows:

v10.0.0: version with custom implementation of secure storage, together with a migration tool. This version will still have the insecure encryption method for when useEncryptedSharedPreferences is disabled.

v11.0.0: old encryption method will be removed and only the new encrypted shared preference will be used.

If you want users to keep their data, you should first upgrade to version 10.0.0 and when feeling confident that everyone is migrated, update to version 11.0.0. Otherwise, you can use version 11.0.0 straight away.

As some may have noticed, the package is now part of my github page, which enables me to rearrange the issues and branches. I am planning on reviving support for this package as soon as I am back from my vacation, which is around 16 December. Version 10.0.0 will be released in that week, and version 11.0.0 will soon follow as it only removes the deprecated code and migration tool.

My apologies for the delay.
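
The two-step upgrade in the comment above depends on entries being rewritten while the old decryption path still exists. The following is an added example of such a migrate-on-read step, not the plugin's migration tool: it assumes plain in-memory AES keys instead of the Android Keystore, an `IV || ciphertext` blob layout, and the hypothetical names `MigrateOnRead`, `seal`, `open` and `readAndMigrate`.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.*;

public class MigrateOnRead {
    // "PKCS5Padding" is the JDK name; for AES it is the same padding Android calls PKCS7Padding.
    static final String LEGACY = "AES/CBC/PKCS5Padding", NEW = "AES/GCM/NoPadding";
    static java.security.spec.AlgorithmParameterSpec spec(String t, byte[] iv) {
        return t.equals(NEW) ? new GCMParameterSpec(128, iv) : new IvParameterSpec(iv);
    }
    // Blob layout assumed for this example: random IV || ciphertext (|| tag for GCM).
    static byte[] seal(String t, SecretKey key, byte[] plain) throws GeneralSecurityException {
        byte[] iv = new byte[t.equals(NEW) ? 12 : 16];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance(t);
        c.init(Cipher.ENCRYPT_MODE, key, spec(t, iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }
    static byte[] open(String t, SecretKey key, byte[] blob) throws GeneralSecurityException {
        int ivLen = t.equals(NEW) ? 12 : 16;
        Cipher c = Cipher.getInstance(t);
        c.init(Cipher.DECRYPT_MODE, key, spec(t, Arrays.copyOf(blob, ivLen)));
        return c.doFinal(blob, ivLen, blob.length - ivLen);
    }
    // Try the authenticated format first; only a failed GCM tag sends the read down the legacy path.
    static byte[] readAndMigrate(Map<String, byte[]> store, String name, SecretKey oldKey,
                                 SecretKey newKey) throws GeneralSecurityException {
        try {
            return open(NEW, newKey, store.get(name));
        } catch (AEADBadTagException notNewFormat) {
            byte[] plain = open(LEGACY, oldKey, store.get(name)); // a padding error here propagates
            store.put(name, seal(NEW, newKey, plain));            // rewrite so later reads are GCM-only
            return plain;
        }
    }
    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        SecretKey oldKey = kg.generateKey(), newKey = kg.generateKey();
        Map<String, byte[]> store = new HashMap<>(); // constructed entry, as an old version would have written it
        store.put("token", seal(LEGACY, oldKey, "constructed-sample".getBytes(StandardCharsets.UTF_8)));
        byte[] first = readAndMigrate(store, "token", oldKey, newKey);
        byte[] second = open(NEW, newKey, store.get("token")); // succeeds only if the entry was rewritten
        System.out.println(Arrays.equals(first, second) ? "migrated" : "mismatch");
    }
}
```

Because the CBC path carries no authentication tag, a corrupted legacy entry can decrypt to garbage without raising an error, which is one reason to remove that path once entries have been rewritten.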

@daniloapr

daniloapr commented Dec 13, 2024

Looking forward to this!

@kieranmccwayleadr

Bump

@GelistirmeKF

Hi, is there any update about Version 10? Thanks in advance
