Thanks to visit codestin.com
Credit goes to github.com

Skip to content

fix(application-settings): use correct storage on Android N and above #9905

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

fix(application-settings): use correct storage on Android N and above #9905

wants to merge 3 commits into from

Conversation

nikoTM
Copy link

@nikoTM nikoTM commented May 11, 2022

Fixes the use of Android Device Storage for Application Settings to avoid runtime error cause by user accessing SharedPreferances when the device is locked:

Unable to create application com.tns.NativeScriptApplication: com.tns.NativeScriptException: Error calling module function 
Error: java.lang.IllegalStateException: SharedPreferences in credential encrypted storage are not available until after user is unlocked

Logic is based on the snippet from Google Archive here:

https://github.com/googlearchive/android-DirectBoot/blob/737ab9a214debbf3c940360b834077ccc3035ff3/Application/src/main/java/com/example/android/directboot/alarms/AlarmStorage.java#L42

// All N devices have split storage areas, but we may need to
// move the existing preferences to the new device protected
// storage area, which is where the data lives from now on.

@cla-bot
Copy link

cla-bot bot commented May 11, 2022

Thank you for your pull request and welcome to our community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. In order for us to review and merge your code, please sign the CLA at https://www.nativescript.org/cla.
CLA has not been signed by users: @nikoTM.
After signing the CLA, you can ask me to recheck this PR by posting @cla-bot check as a comment to the PR.

@nikoTM
Copy link
Author

nikoTM commented May 11, 2022

@cla-bot check

@cla-bot cla-bot bot added the cla: yes label May 11, 2022
@cla-bot
Copy link

cla-bot bot commented May 11, 2022

The cla-bot has been summoned, and re-checked this pull request!

NathanWalker
NathanWalker previously approved these changes May 12, 2022
View reviewed changes
@farfromrefug
Copy link
Collaborator

@NathanWalker I added comments on this

@nikoTM nikoTM requested a review from NathanWalker May 12, 2022 14:13
@Archez
Copy link
Contributor

Archez commented May 19, 2022

I think this would be considered a breaking change. If the android device supports and is using direct boot mode, then there is two storage locations. The "User locked" storage, and the "Device locked" storage. Google recommends only using the device locked storage if you strictly need parts of your app to run while the device is locked from a fresh reboot, and to only put data into it regarding those functions that run in direct boot mode.

Accessing device storage

Use device encrypted storage only for information that must be accessible during Direct Boot mode. Don't use device encrypted storage as a general-purpose encrypted store. For private user information, or encrypted data that isn't needed during Direct Boot mode, use credential encrypted storage.

The rest of your app should only use the user locked storage as to ensure that information like user tokens are secured by the users passcode.

The changes proposed in this PR only utilize the device locked storage, so any developers using application settings to store sensitive info on behalf of the user will now be using a less secure storage method without realizing it.

I think the developer should be able to access either storage locations and decide which one to use. Someone with more knowledge of the Android runtime and background services might be able to better explain how developers should access one or the other.

@nikoTM
Copy link
Author

nikoTM commented May 19, 2022

@Archez while that's true and this change has a security implications, ApplicationSettings are not meant to be a storage for secure information, it's meant to be used to store...well settings. There is no difference between what we have and what this PR is proposing once the device is unlocked. There are plugins available to store secure data.

@lambourn
Copy link

@nikoTM I think the root cause is that the preferences are accessed when the phone is locked after boot. That should not happen IMHO.

We experience lots of ANRs due to that, even though the issue was supposedly fixed by this PR NativeScript/android#1712 - but even when using android-runtime 8.2.3 and above, we get the original issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@NathanWalker NathanWalker Awaiting requested review from NathanWalker

Assignees
No one assigned
Labels
cla: yes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@nikoTM @farfromrefug @Archez @lambourn @NathanWalker