Migrate to SecureStorage

This commit is contained in:
soraefir
2026-06-30 19:00:15 +02:00
parent c3d380ddb4
commit 119ae757b9
8 changed files with 89 additions and 73 deletions
+2
View File
@@ -116,4 +116,6 @@ dependencies {
implementation 'androidx.activity:activity-ktx:1.13.0'
implementation 'androidx.security:security-crypto:1.1.0'
implementation 'androidx.lifecycle:lifecycle-viewmodel-compose:2.11.0'
implementation "androidx.datastore:datastore-preferences:1.2.1"
implementation "com.google.crypto.tink:tink-android:1.22.0"
}
@@ -69,7 +69,6 @@ class AccountActivity : AppCompatActivity() {
}
private lateinit var preferences: SharedPreferences
private var oldPassword = ""
private var useWebLogin = true
private var showLoginDialog by mutableStateOf(false)
@@ -222,11 +221,7 @@ class AccountActivity : AppCompatActivity() {
private fun legacyLogin() {
val url = CospendClientUtil.formatURL(viewModel.serverUrl.trim())
val username = viewModel.username
var password = viewModel.password
if (password.isEmpty()) {
password = oldPassword
}
val password = viewModel.password
performLogin(url, username, password)
}
@@ -61,14 +61,15 @@ class AccountViewModel(application: Application) : AndroidViewModel(application)
} else {
preferences.getString(AccountActivity.SETTINGS_USERNAME, "")
}
if (!url.isNullOrEmpty() && !username.isNullOrEmpty()) {
viewModelScope.launch {
val password = if (useSso) {
""
} else {
SecureStorage.getPassword(getApplication(), AccountActivity.SETTINGS_PASSWORD)
}
if (!url.isNullOrEmpty() && !username.isNullOrEmpty()) {
viewModelScope.launch {
isValidatingLogin = true
isLoggedIn = withContext(Dispatchers.IO) {
if (useSso) {
@@ -88,7 +89,9 @@ class AccountViewModel(application: Application) : AndroidViewModel(application)
}
fun logout() {
viewModelScope.launch {
SecureStorage.removePassword(getApplication(), AccountActivity.SETTINGS_PASSWORD)
}
preferences.edit {
remove(AccountActivity.SETTINGS_USE_SSO)
remove(AccountActivity.SETTINGS_SSO_URL)
@@ -121,13 +121,7 @@ fun NewProjectScreen(
Spacer(modifier = Modifier.height(8.dp))
if (viewModel.whatTodoIsCreate) {
if (viewModel.projectType == ProjectType.COSPEND) {
Button(
onClick = onChooseFromNextcloud
) {
Text(stringResource(R.string.new_project_from_nextcloud_tooltip))
}
} else if (viewModel.projectType == ProjectType.LOCAL) {
if (viewModel.projectType == ProjectType.LOCAL) {
Button(
onClick = onImportFile
) {
@@ -5,7 +5,7 @@ import java.io.Serializable
class DBProject(
var id: Long,
var remoteId: String,
var password: String?,
var password: String,
var name: String,
var serverUrl: String?,
var email: String?,
@@ -321,7 +321,7 @@ class CowspentSQLiteOpenHelper private constructor(val context: Context) :
values.put(key_name, accountProject.name)
values.put(key_archived, accountProject.archivedTs ?: 0L)
val id = db.insert(table_account_projects, null, values)
SecureStorage.savePassword(context, "AccountProjectPassword_$id", accountProject.password)
SecureStorage.savePasswordSync(context, "AccountProjectPassword_$id", accountProject.password)
return id
}
@@ -348,7 +348,7 @@ class CowspentSQLiteOpenHelper private constructor(val context: Context) :
private fun getAccountProjectFromCursor(cursor: Cursor): DBAccountProject {
val id = cursor.getLong(cursor.getColumnIndex(key_id))
val archivedTs = cursor.getLong(cursor.getColumnIndex(key_archived))
val password = SecureStorage.getPassword(context, "AccountProjectPassword_$id")
val password = SecureStorage.getPasswordSync(context, "AccountProjectPassword_$id")
return DBAccountProject(
id,
cursor.getString(cursor.getColumnIndex(key_remoteId)),
@@ -619,7 +619,7 @@ class CowspentSQLiteOpenHelper private constructor(val context: Context) :
values.put(key_type, project.type.id)
values.put(key_archived, project.archivedTs ?: 0L)
val id = db.insert(table_projects, null, values)
SecureStorage.savePassword(context, "ProjectPassword_$id", project.password)
SecureStorage.savePasswordSync(context, "ProjectPassword_$id", project.password)
return id
}
@@ -651,7 +651,7 @@ class CowspentSQLiteOpenHelper private constructor(val context: Context) :
private fun getProjectFromCursor(cursor: Cursor): DBProject {
val id = cursor.getLong(cursor.getColumnIndex(key_id))
val archivedTs = cursor.getLong(cursor.getColumnIndex(key_archived))
val password = SecureStorage.getPassword(context, "ProjectPassword_$id")
val password = SecureStorage.getPasswordSync(context, "ProjectPassword_$id") ?: ""
return DBProject(
id,
cursor.getString(cursor.getColumnIndex(key_remoteId)),
@@ -678,7 +678,7 @@ class CowspentSQLiteOpenHelper private constructor(val context: Context) :
}
db.delete(table_members, "$key_projectid = ?", arrayOf(id.toString()))
db.delete(table_projects, "$key_id = ?", arrayOf(id.toString()))
SecureStorage.removePassword(context, "ProjectPassword_$id")
SecureStorage.removePasswordSync(context, "ProjectPassword_$id")
}
fun updateProject(
@@ -693,7 +693,7 @@ class CowspentSQLiteOpenHelper private constructor(val context: Context) :
val values = ContentValues()
if (newName != null) values.put(key_name, newName)
if (newEmail != null) values.put(key_email, newEmail)
if (newPassword != null) SecureStorage.savePassword(context, "ProjectPassword_$projId", newPassword)
if (newPassword != null) SecureStorage.savePasswordSync(context, "ProjectPassword_$projId", newPassword)
if (newBearerToken != null) values.put(key_bearer_token, newBearerToken)
if (newLastPayerId != null) values.put(key_lastPayerId, newLastPayerId)
if (newLastSyncedTimestamp != null) values.put(key_lastSyncTimestamp, newLastSyncedTimestamp)
@@ -733,7 +733,7 @@ class CowspentSQLiteOpenHelper private constructor(val context: Context) :
val values = ContentValues()
if (newName != null) values.put(key_name, newName)
if (newEmail != null) values.put(key_email, newEmail)
if (newPassword != null) SecureStorage.savePassword(context, "ProjectPassword_$projId", newPassword)
if (newPassword != null) SecureStorage.savePasswordSync(context, "ProjectPassword_$projId", newPassword)
if (newBearerToken != null) values.put(key_bearer_token, newBearerToken)
if (newLastPayerId != null) values.put(key_lastPayerId, newLastPayerId)
if (newLastSyncedTimestamp != null) values.put(key_lastSyncTimestamp, newLastSyncedTimestamp)
@@ -1,47 +1,84 @@
package net.helcel.cowspent.util
import android.content.Context
import android.content.SharedPreferences
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey
import androidx.core.content.edit
import android.util.Base64
import androidx.datastore.core.DataStore
import androidx.datastore.preferences.core.Preferences
import androidx.datastore.preferences.core.edit
import androidx.datastore.preferences.core.stringPreferencesKey
import androidx.datastore.preferences.preferencesDataStore
import com.google.crypto.tink.Aead
import com.google.crypto.tink.KeyTemplates
import com.google.crypto.tink.RegistryConfiguration
import com.google.crypto.tink.aead.AeadConfig
import com.google.crypto.tink.integration.android.AndroidKeysetManager
import kotlinx.coroutines.flow.first
import kotlinx.coroutines.flow.map
import kotlinx.coroutines.runBlocking
private val Context.dataStore: DataStore<Preferences> by preferencesDataStore(name = "secure_prefs")
object SecureStorage {
private const val SECURE_PREFS_NAME = "secure_prefs"
private var encryptedPrefs: SharedPreferences? = null
private var aead: Aead? = null
@Synchronized
fun getEncryptedPrefs(context: Context): SharedPreferences {
encryptedPrefs?.let { return it }
val masterKey = MasterKey.Builder(context)
.setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
private fun getAead(context: Context): Aead {
aead?.let { return it }
AeadConfig.register()
val masterKeyUri = "android-keystore://secure_storage_master_key"
val keysetManager = AndroidKeysetManager.Builder()
.withSharedPref(context, "tink_keyset", "secure_storage_keyset_prefs")
.withKeyTemplate(KeyTemplates.get("AES256_GCM"))
.withMasterKeyUri(masterKeyUri)
.build()
val prefs = EncryptedSharedPreferences.create(
context,
SECURE_PREFS_NAME,
masterKey,
EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
)
encryptedPrefs = prefs
return prefs
val newAead = keysetManager.keysetHandle.getPrimitive(RegistryConfiguration.get(), Aead::class.java)
aead = newAead
return newAead
}
fun savePassword(context: Context, key: String, password: String?) {
private fun encrypt(context: Context, value: String): String {
val encrypted = getAead(context).encrypt(value.toByteArray(), null)
return Base64.encodeToString(encrypted, Base64.NO_WRAP)
}
private fun decrypt(context: Context, encryptedValue: String): String? {
return try {
val decoded = Base64.decode(encryptedValue, Base64.NO_WRAP)
val decrypted = getAead(context).decrypt(decoded, null)
String(decrypted)
} catch (_: Exception) {
null
}
}
suspend fun savePassword(context: Context, key: String, password: String?) {
if (password == null) {
removePassword(context, key)
} else {
getEncryptedPrefs(context).edit { putString(key, password) }
val encrypted = encrypt(context, password)
context.dataStore.edit { it[stringPreferencesKey(key)] = encrypted }
}
}
fun getPassword(context: Context, key: String): String? {
return getEncryptedPrefs(context).getString(key, null)
suspend fun getPassword(context: Context, key: String): String? {
val encrypted = context.dataStore.data.map { it[stringPreferencesKey(key)] }.first()
return encrypted?.let { decrypt(context, it) }
}
fun removePassword(context: Context, key: String) {
getEncryptedPrefs(context).edit { remove(key) }
suspend fun removePassword(context: Context, key: String) {
context.dataStore.edit { it.remove(stringPreferencesKey(key)) }
}
// Synchronous alternatives for legacy code
fun savePasswordSync(context: Context, key: String, password: String?) = runBlocking {
savePassword(context, key, password)
}
fun getPasswordSync(context: Context, key: String): String? = runBlocking {
getPassword(context, key)
}
fun removePasswordSync(context: Context, key: String) = runBlocking {
removePassword(context, key)
}
}
@@ -333,7 +333,6 @@ class VersatileProjectSyncClient(
project.getRequestBaseUrl(true) + "/api/v1/public/projects/" + project.remoteId + "/" + getEncodedPassword(project.password) + "/bills/" + bill.remoteId
else
project.getRequestBaseUrl(false) + "/api/projects/" + project.remoteId + "/" + getEncodedPassword(project.password) + "/bills/" + bill.remoteId
Log.i(TAG, "using public API, target is: ${SupportUtil.maskUrl(target)} for editRemoteBill")
}
} else {
target = project.serverUrl!!.replace("/+$".toRegex(), "") + "/api/projects/" + project.remoteId + "/bills/" + bill.remoteId
@@ -386,7 +385,6 @@ class VersatileProjectSyncClient(
project.getRequestBaseUrl(true) + "/api/v1/public/projects/" + project.remoteId + "/" + getEncodedPassword(project.password)
else
project.getRequestBaseUrl(false) + "/api/projects/" + project.remoteId + "/" + getEncodedPassword(project.password)
Log.i(TAG, "using public API, target is: ${SupportUtil.maskUrl(target)} for deleteRemoteProject")
}
} else {
target = project.serverUrl!!.replace("/+$".toRegex(), "") + "/api/projects/" + project.remoteId
@@ -433,7 +431,6 @@ class VersatileProjectSyncClient(
project.getRequestBaseUrl(true) + "/api/v1/public/projects/" + project.remoteId + "/" + getEncodedPassword(project.password) + "/bills/" + billRemoteId
else
project.getRequestBaseUrl(false) + "/api/projects/" + project.remoteId + "/" + getEncodedPassword(project.password) + "/bills/" + billRemoteId
Log.i(TAG, "using public API, target is: ${SupportUtil.maskUrl(target)} for deleteRemoteProject")
}
} else {
target = project.serverUrl!!.replace("/+$".toRegex(), "") + "/api/projects/" + project.remoteId + "/bills/" + billRemoteId
@@ -504,8 +501,7 @@ class VersatileProjectSyncClient(
else
project.getRequestBaseUrl(false) + "/api-priv/projects"
useOcsApiRequest = cospendVersionGT161
if (cospendVersionGT161) {
}
return ServerResponse.CreateRemoteProjectResponse(
requestServer(
target, METHOD_POST, paramKeys, paramValues,
@@ -584,7 +580,6 @@ class VersatileProjectSyncClient(
project.getRequestBaseUrl(true) + "/api/v1/public/projects/" + project.remoteId + "/" + getEncodedPassword(project.password) + "/bills"
else
project.getRequestBaseUrl(false) + "/api/projects/" + project.remoteId + "/" + getEncodedPassword(project.password) + "/bills"
Log.i(TAG, "using public API, target is: ${SupportUtil.maskUrl(target)} for createRemoteBill")
}
} else {
target = project.serverUrl!!.replace("/+$".toRegex(), "") + "/api/projects/" + project.remoteId + "/bills"
@@ -651,7 +646,6 @@ class VersatileProjectSyncClient(
project.getRequestBaseUrl(true) + "/api/v1/public/projects/" + project.remoteId + "/" + getEncodedPassword(project.password) + "/members"
else
project.getRequestBaseUrl(false) + "/api/projects/" + project.remoteId + "/" + getEncodedPassword(project.password) + "/members"
Log.i(TAG, "using public API, target is: ${SupportUtil.maskUrl(target)} for createRemoteBill")
}
} else {
target = project.serverUrl!!.replace("/+$".toRegex(), "") + "/api/projects/" + project.remoteId + "/members"
@@ -686,8 +680,6 @@ class VersatileProjectSyncClient(
else
project.getRequestBaseUrl(false) + "/api-priv/projects/" + project.remoteId + "/bills?lastchanged=" + tsLastSync
useOcsApiRequest = cospendVersionGT161
if (cospendVersionGT161) {
}
return ServerResponse.BillsResponse(
requestServer(
target, METHOD_GET, null, null,
@@ -718,7 +710,6 @@ class VersatileProjectSyncClient(
project.getRequestBaseUrl(true) + "/api/v1/public/projects/" + project.remoteId + "/" + getEncodedPassword(project.password) + "/bills?lastChanged=" + tsLastSync
else
project.getRequestBaseUrl(false) + "/apiv2/projects/" + project.remoteId + "/" + getEncodedPassword(project.password) + "/bills?lastchanged=" + tsLastSync
Log.i(TAG, "using public API, target is: ${SupportUtil.maskUrl(target)} for getBills")
return ServerResponse.BillsResponse(
requestServer(
target, METHOD_GET, null, null,
@@ -773,7 +764,6 @@ class VersatileProjectSyncClient(
project.getRequestBaseUrl(true) + "/api/v1/public/projects/" + project.remoteId + "/" + getEncodedPassword(project.password) + "/members"
else
project.getRequestBaseUrl(false) + "/api/projects/" + project.remoteId + "/" + getEncodedPassword(project.password) + "/members"
Log.i(TAG, "using public API, target is: ${SupportUtil.maskUrl(target)} for getMembers")
}
} else {
target = project.serverUrl!!.replace("/+$".toRegex(), "") + "/api/projects/" + project.remoteId + "/members"
@@ -827,7 +817,6 @@ class VersatileProjectSyncClient(
project.getRequestBaseUrl(true) + "/api/v1/public/projects/" + project.remoteId + "/" + getEncodedPassword(project.password) + "/currency"
else
project.getRequestBaseUrl(false) + "/api/projects/" + project.remoteId + "/" + getEncodedPassword(project.password) + "/currency"
Log.i(TAG, "using public API, target is: ${SupportUtil.maskUrl(target)} for createRemoteCurrency")
}
} else {
target = project.serverUrl!!.replace("/+$".toRegex(), "") + "/api/projects/" + project.remoteId + "/currency"
@@ -881,7 +870,6 @@ class VersatileProjectSyncClient(
project.getRequestBaseUrl(true) + "/api/v1/public/projects/" + project.remoteId + "/" + getEncodedPassword(project.password) + "/currency/" + currency.remoteId
else
project.getRequestBaseUrl(false) + "/api/projects/" + project.remoteId + "/" + getEncodedPassword(project.password) + "/currency/" + currency.remoteId
Log.i(TAG, "using public API, target is: ${SupportUtil.maskUrl(target)} for createRemoteCurrency")
}
} else {
target = project.serverUrl!!.replace("/+$".toRegex(), "") + "/api/projects/" + project.remoteId + "/currency/" + currency.remoteId
@@ -928,7 +916,6 @@ class VersatileProjectSyncClient(
project.getRequestBaseUrl(true) + "/api/v1/public/projects/" + project.remoteId + "/" + getEncodedPassword(project.password) + "/currency/" + currencyRemoteId
else
project.getRequestBaseUrl(false) + "/api/projects/" + project.remoteId + "/" + getEncodedPassword(project.password) + "/currency/" + currencyRemoteId
Log.i(TAG, "using public API, target is: ${SupportUtil.maskUrl(target)} for deleteRemoteCurrency")
}
} else {
target = project.serverUrl!!.replace("/+$".toRegex(), "") + "/api/projects/" + project.remoteId + "/currency/" + currencyRemoteId
@@ -1027,7 +1014,6 @@ class VersatileProjectSyncClient(
httpCon.setRequestProperty("Accept", "application/json")
}
httpCon.connectTimeout = 10 * 1000 // 10 seconds
Log.d(javaClass.simpleName, "$method ${SupportUtil.maskUrl(target)}")
if (paramKeys != null && paramValues != null) {
var dataString = ""
for (i in paramKeys.indices) {
@@ -1040,7 +1026,6 @@ class VersatileProjectSyncClient(
dataString += URLEncoder.encode(value, "UTF-8")
}
val data = dataString.toByteArray()
Log.d(javaClass.simpleName, "Params: ${SupportUtil.maskParams(dataString)}")
httpCon.setFixedLengthStreamingMode(data.size)
httpCon.setRequestProperty("Content-Type", "application/x-www-form-urlencoded")
httpCon.setRequestProperty("Content-Length", data.size.toString())