Add EncryptedSharedPreferences and BaseEncryptedDiskSource (#543)

2024-11-21 17:05:44 +03:00 · 2024-01-08 21:52:26 -06:00 · 2024-01-08 21:52:26 -06:00 · 2d4427a7cf
commit 2d4427a7cf
parent 14d686af76
15 changed files with 148 additions and 8 deletions
--- a/README.md
+++ b/README.md
@ -72,6 +72,11 @@ The following is a list of all third-party dependencies included as part of the
  - Purpose: Display and capture images for barcode scanning.
  - License: Apache 2.0

+- **AndroidX Security**
+    - https://developer.android.com/jetpack/androidx/releases/security
+    - Purpose: Safely manage keys and encrypt files and sharedpreferences.
+    - License: Apache 2.0
+
 - **Core SplashScreen**
    - https://developer.android.com/jetpack/androidx/releases/core
    - Purpose: Backwards compatible SplashScreen API implementation.
--- a/app/build.gradle.kts
+++ b/app/build.gradle.kts
@ -121,6 +121,7 @@ dependencies {
    ksp(libs.androidx.room.compiler)
    implementation(libs.androidx.room.ktx)
    implementation(libs.androidx.room.runtime)
+    implementation(libs.androidx.security.crypto)
    implementation(libs.androidx.splashscreen)
    implementation(libs.bitwarden.sdk)
    implementation(libs.bumptech.glide)
--- a/app/src/main/AndroidManifest.xml
+++ b/app/src/main/AndroidManifest.xml
@ -11,7 +11,7 @@

    <application
        android:name=".BitwardenApplication"
-        android:allowBackup="true"
+        android:allowBackup="false"
        android:dataExtractionRules="@xml/data_extraction_rules"
        android:fullBackupContent="@xml/backup_rules"
        android:icon="@mipmap/ic_launcher"
--- a/app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/disk/AuthDiskSourceImpl.kt
+++ b/app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/disk/AuthDiskSourceImpl.kt
@ -2,8 +2,8 @@ package com.x8bit.bitwarden.data.auth.datasource.disk

 import android.content.SharedPreferences
 import com.x8bit.bitwarden.data.auth.datasource.disk.model.UserStateJson
-import com.x8bit.bitwarden.data.platform.datasource.disk.BaseDiskSource
 import com.x8bit.bitwarden.data.platform.datasource.disk.BaseDiskSource.Companion.BASE_KEY
+import com.x8bit.bitwarden.data.platform.datasource.disk.BaseEncryptedDiskSource
 import com.x8bit.bitwarden.data.platform.repository.util.bufferedMutableSharedFlow
 import com.x8bit.bitwarden.data.vault.datasource.network.model.SyncResponseJson
 import kotlinx.coroutines.flow.Flow
@ -26,9 +26,13 @@ private const val ORGANIZATION_KEYS_KEY = "$BASE_KEY:encOrgKeys"
 */
@Suppress("TooManyFunctions")
 class AuthDiskSourceImpl(
+    encryptedSharedPreferences: SharedPreferences,
    sharedPreferences: SharedPreferences,
    private val json: Json,
-) : BaseDiskSource(sharedPreferences = sharedPreferences),
+) : BaseEncryptedDiskSource(
+    encryptedSharedPreferences = encryptedSharedPreferences,
+    sharedPreferences = sharedPreferences,
+),
    AuthDiskSource {
    private val mutableOrganizationsFlowMap =
        mutableMapOf<String, MutableSharedFlow<List<SyncResponseJson.Profile.Organization>?>>()
--- a/app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/disk/di/AuthDiskModule.kt
+++ b/app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/disk/di/AuthDiskModule.kt
@ -3,6 +3,8 @@ package com.x8bit.bitwarden.data.auth.datasource.disk.di
 import android.content.SharedPreferences
 import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSource
 import com.x8bit.bitwarden.data.auth.datasource.disk.AuthDiskSourceImpl
+import com.x8bit.bitwarden.data.platform.datasource.di.EncryptedPreferences
+import com.x8bit.bitwarden.data.platform.datasource.di.UnencryptedPreferences
 import dagger.Module
 import dagger.Provides
 import dagger.hilt.InstallIn
@ -20,10 +22,12 @@ object AuthDiskModule {
    @Provides
    @Singleton
    fun provideAuthDiskSource(
-        sharedPreferences: SharedPreferences,
+        @EncryptedPreferences encryptedSharedPreferences: SharedPreferences,
+        @UnencryptedPreferences sharedPreferences: SharedPreferences,
        json: Json,
    ): AuthDiskSource =
        AuthDiskSourceImpl(
+            encryptedSharedPreferences = encryptedSharedPreferences,
            sharedPreferences = sharedPreferences,
            json = json,
        )
--- a/app/src/main/java/com/x8bit/bitwarden/data/platform/datasource/di/EncryptedPreferences.kt
+++ b/app/src/main/java/com/x8bit/bitwarden/data/platform/datasource/di/EncryptedPreferences.kt
@ -0,0 +1,11 @@
+package com.x8bit.bitwarden.data.platform.datasource.di
+
+import android.content.SharedPreferences
+import javax.inject.Qualifier
+
+/**
+ * Used to denote an instance of [SharedPreferences] that encrypts its data.
+ */
+@Qualifier
+@Retention(AnnotationRetention.RUNTIME)
+annotation class EncryptedPreferences
--- a/app/src/main/java/com/x8bit/bitwarden/data/platform/datasource/di/PreferenceModule.kt
+++ b/app/src/main/java/com/x8bit/bitwarden/data/platform/datasource/di/PreferenceModule.kt
@ -3,6 +3,8 @@ package com.x8bit.bitwarden.data.platform.datasource.di
 import android.app.Application
 import android.content.Context
 import android.content.SharedPreferences
+import androidx.security.crypto.EncryptedSharedPreferences
+import androidx.security.crypto.MasterKey
 import dagger.Module
 import dagger.Provides
 import dagger.hilt.InstallIn
@ -18,11 +20,29 @@ object PreferenceModule {

    @Provides
    @Singleton
-    fun provideDefaultSharedPreferences(
+    @UnencryptedPreferences
+    fun provideUnencryptedSharedPreferences(
        application: Application,
    ): SharedPreferences =
        application.getSharedPreferences(
            "${application.packageName}_preferences",
            Context.MODE_PRIVATE,
        )
+
+    @Provides
+    @Singleton
+    @EncryptedPreferences
+    fun provideEncryptedSharedPreferences(
+        application: Application,
+    ): SharedPreferences =
+        EncryptedSharedPreferences
+            .create(
+                application,
+                "${application.packageName}_encrypted_preferences",
+                MasterKey.Builder(application)
+                    .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
+                    .build(),
+                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
+                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM,
+            )
 }
--- a/app/src/main/java/com/x8bit/bitwarden/data/platform/datasource/di/UnencryptedPreferences.kt
+++ b/app/src/main/java/com/x8bit/bitwarden/data/platform/datasource/di/UnencryptedPreferences.kt
@ -0,0 +1,11 @@
+package com.x8bit.bitwarden.data.platform.datasource.di
+
+import android.content.SharedPreferences
+import javax.inject.Qualifier
+
+/**
+ * Used to denote an instance of [SharedPreferences] that does not encrypt its data.
+ */
+@Qualifier
+@Retention(AnnotationRetention.RUNTIME)
+annotation class UnencryptedPreferences
--- a/app/src/main/java/com/x8bit/bitwarden/data/platform/datasource/disk/BaseEncryptedDiskSource.kt
+++ b/app/src/main/java/com/x8bit/bitwarden/data/platform/datasource/disk/BaseEncryptedDiskSource.kt
@ -0,0 +1,31 @@
+package com.x8bit.bitwarden.data.platform.datasource.disk
+
+import android.content.SharedPreferences
+import androidx.core.content.edit
+import androidx.security.crypto.EncryptedSharedPreferences
+
+/**
+ * Base class for simplifying interactions with [SharedPreferences] and
+ * [EncryptedSharedPreferences].
+ */
+@Suppress("UnnecessaryAbstractClass")
+abstract class BaseEncryptedDiskSource(
+    sharedPreferences: SharedPreferences,
+    private val encryptedSharedPreferences: SharedPreferences,
+) : BaseDiskSource(
+    sharedPreferences = sharedPreferences,
+) {
+    protected fun getEncryptedString(
+        key: String,
+        default: String? = null,
+    ): String? = encryptedSharedPreferences.getString(key, default)
+
+    protected fun putEncryptedString(
+        key: String,
+        value: String?,
+    ): Unit = encryptedSharedPreferences.edit { putString(key, value) }
+
+    companion object {
+        const val ENCRYPTED_BASE_KEY: String = "bwSecureStorage"
+    }
+}
--- a/app/src/main/java/com/x8bit/bitwarden/data/platform/datasource/disk/di/PlatformDiskModule.kt
+++ b/app/src/main/java/com/x8bit/bitwarden/data/platform/datasource/disk/di/PlatformDiskModule.kt
@ -1,6 +1,7 @@
 package com.x8bit.bitwarden.data.platform.datasource.disk.di

 import android.content.SharedPreferences
+import com.x8bit.bitwarden.data.platform.datasource.di.UnencryptedPreferences
 import com.x8bit.bitwarden.data.platform.datasource.disk.EnvironmentDiskSource
 import com.x8bit.bitwarden.data.platform.datasource.disk.EnvironmentDiskSourceImpl
 import com.x8bit.bitwarden.data.platform.datasource.disk.SettingsDiskSource
@ -22,7 +23,7 @@ object PlatformDiskModule {
    @Provides
    @Singleton
    fun provideEnvironmentDiskSource(
-        sharedPreferences: SharedPreferences,
+        @UnencryptedPreferences sharedPreferences: SharedPreferences,
        json: Json,
    ): EnvironmentDiskSource =
        EnvironmentDiskSourceImpl(
@ -33,7 +34,7 @@ object PlatformDiskModule {
    @Provides
    @Singleton
    fun provideSettingsDiskSource(
-        sharedPreferences: SharedPreferences,
+        @UnencryptedPreferences sharedPreferences: SharedPreferences,
    ): SettingsDiskSource =
        SettingsDiskSourceImpl(
            sharedPreferences = sharedPreferences,
--- a/app/src/main/java/com/x8bit/bitwarden/data/tools/generator/datasource/disk/di/GeneratorDiskModule.kt
+++ b/app/src/main/java/com/x8bit/bitwarden/data/tools/generator/datasource/disk/di/GeneratorDiskModule.kt
@ -3,6 +3,7 @@ package com.x8bit.bitwarden.data.tools.generator.datasource.disk.di
 import android.app.Application
 import android.content.SharedPreferences
 import androidx.room.Room
+import com.x8bit.bitwarden.data.platform.datasource.di.UnencryptedPreferences
 import com.x8bit.bitwarden.data.tools.generator.datasource.disk.GeneratorDiskSource
 import com.x8bit.bitwarden.data.tools.generator.datasource.disk.GeneratorDiskSourceImpl
 import com.x8bit.bitwarden.data.tools.generator.datasource.disk.PasswordHistoryDiskSource
@ -26,7 +27,7 @@ object GeneratorDiskModule {
    @Provides
    @Singleton
    fun provideGeneratorDiskSource(
-        sharedPreferences: SharedPreferences,
+        @UnencryptedPreferences sharedPreferences: SharedPreferences,
        json: Json,
    ): GeneratorDiskSource =
        GeneratorDiskSourceImpl(
--- a/app/src/main/res/xml/backup_rules.xml
+++ b/app/src/main/res/xml/backup_rules.xml
@ -1,3 +1,18 @@
 <?xml version="1.0" encoding="utf-8"?>
 <full-backup-content>
+    <exclude
+        domain="sharedpref"
+        path="." />
+    <exclude
+        domain="file"
+        path="." />
+    <exclude
+        domain="database"
+        path="." />
+    <exclude
+        domain="external"
+        path="." />
+    <exclude
+        domain="root"
+        path="." />
 </full-backup-content>
--- a/app/src/main/res/xml/data_extraction_rules.xml
+++ b/app/src/main/res/xml/data_extraction_rules.xml
@ -1,5 +1,37 @@
 <?xml version="1.0" encoding="utf-8"?>
 <data-extraction-rules>
    <cloud-backup>
+        <exclude
+            domain="sharedpref"
+            path="." />
+        <exclude
+            domain="file"
+            path="." />
+        <exclude
+            domain="database"
+            path="." />
+        <exclude
+            domain="external"
+            path="." />
+        <exclude
+            domain="root"
+            path="." />
    </cloud-backup>
+    <device-transfer>
+        <exclude
+            domain="sharedpref"
+            path="." />
+        <exclude
+            domain="file"
+            path="." />
+        <exclude
+            domain="database"
+            path="." />
+        <exclude
+            domain="external"
+            path="." />
+        <exclude
+            domain="root"
+            path="." />
+    </device-transfer>
 </data-extraction-rules>
--- a/app/src/test/java/com/x8bit/bitwarden/data/auth/datasource/disk/AuthDiskSourceTest.kt
+++ b/app/src/test/java/com/x8bit/bitwarden/data/auth/datasource/disk/AuthDiskSourceTest.kt
@ -20,11 +20,13 @@ import org.junit.jupiter.api.Assertions.assertNull
 import org.junit.jupiter.api.Test

 class AuthDiskSourceTest {
+    private val fakeEncryptedSharedPreferences = FakeSharedPreferences()
    private val fakeSharedPreferences = FakeSharedPreferences()

    private val json = PlatformNetworkModule.providesJson()

    private val authDiskSource = AuthDiskSourceImpl(
+        encryptedSharedPreferences = fakeEncryptedSharedPreferences,
        sharedPreferences = fakeSharedPreferences,
        json = json,
    )
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@ -21,6 +21,7 @@ androidxHiltNavigationCompose = "1.1.0"
 androidxLifecycle = "2.6.2"
 androidxNavigation = "2.7.6"
 androidxRoom = "2.6.1"
+androidXSecurityCrypto = "1.1.0-alpha06"
 androidxSplash = "1.1.0-alpha02"
 # Once the app and SDK reach a critical point of completeness we should begin fixing the version
 # here (BIT-311).
@ -74,6 +75,7 @@ androidx-navigation-compose = { module = "androidx.navigation:navigation-compose
 androidx-room-compiler = { module = "androidx.room:room-compiler", version.ref = "androidxRoom" }
 androidx-room-ktx = { module = "androidx.room:room-ktx", version.ref = "androidxRoom" }
 androidx-room-runtime = { module = "androidx.room:room-runtime", version.ref = "androidxRoom" }
+androidx-security-crypto = { module = "androidx.security:security-crypto", version.ref = "androidXSecurityCrypto" }
 androidx-splashscreen = { module = "androidx.core:core-splashscreen", version.ref = "androidxSplash" }
 bitwarden-sdk = { module = "com.bitwarden:sdk-android", version.ref = "bitwardenSdk" }
 bumptech-glide = { module = "com.github.bumptech.glide:compose", version.ref = "glide" }