With developers who rely on shared storage in mind, Google recently released a crypto library as part of Jetpack Security that encrypts data inside the app.
The library provides abstractions for encrypting File and SharedPreferences objects, so you can store files locally that may contain sensitive data such as API keys and OAuth tokens.
Need for an extra protection
Since Android 5.0, Google has encrypted user data by default. There are still cases where you need additional protection, primarily when you use shared storage.
Jetpack Security uses a master key, kept in the AndroidKeyStore, to protect the subkeys used for each encryption. The AndroidKeyStore acts as a container that holds keys in hardware (a TEE or StrongBox), making them hard for an unauthorised party to extract. For apps that store especially sensitive data, you can require a BiometricPrompt before the keys are used, adding further security and privacy.
Jetpack Security splits file data into chunks and encrypts them with Streaming AEAD, so the chunks cannot be reordered. The EncryptedFile class mirrors File and provides two streams: a FileInputStream for reading and a FileOutputStream for writing.
The encrypted SharedPreferences wrapper stores key-value pairs such as API keys. Keys are encrypted with AES256-SIV-CMAC and values with AES256-GCM, with each value bound to its encrypted key. This lets the data be stored safely while still allowing lookups by key.
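The EncryptedFile and encrypted SharedPreferences flows described above, as an added example that is not code from the original article or from Google's FileLocker sample. It assumes the `androidx.security:security-crypto` 1.0.0 API (`MasterKeys.getOrCreate`, `EncryptedFile.Builder`, `EncryptedSharedPreferences.create`); the file name `secure_prefs`, the key name `api_key`, and the delete-before-rewrite policy are constructed for this demo.

```kotlin
import android.content.Context
import androidx.security.crypto.EncryptedFile
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKeys
import java.io.File

// One master key lives in AndroidKeyStore (hardware-backed where available);
// the library wraps the per-file and per-prefs subkeys with it, so the raw
// subkeys are never written to disk in plaintext.
private fun masterKeyAlias(): String =
    MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC)

// Write a secret to an EncryptedFile. openFileOutput() refuses to overwrite
// an existing file, so any stale copy is removed first (demo policy).
fun writeSecret(context: Context, name: String, secret: ByteArray) {
    val file = File(context.filesDir, name)
    if (file.exists()) file.delete()
    val encryptedFile = EncryptedFile.Builder(
        file, context, masterKeyAlias(),
        EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
    ).build()
    encryptedFile.openFileOutput().use { it.write(secret) }
}

// Read it back. Streaming AEAD authenticates each chunk, so a truncated or
// reordered ciphertext fails on read instead of yielding altered plaintext.
fun readSecret(context: Context, name: String): ByteArray {
    val encryptedFile = EncryptedFile.Builder(
        File(context.filesDir, name), context, masterKeyAlias(),
        EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
    ).build()
    return encryptedFile.openFileInput().use { it.readBytes() }
}

// Key-value secrets: keys are encrypted deterministically (AES256-SIV) so a
// lookup by "api_key" still works; values are encrypted with AES256-GCM.
fun securePrefs(context: Context) = EncryptedSharedPreferences.create(
    "secure_prefs",          // constructed file name for this example
    masterKeyAlias(),
    context,
    EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
    EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
)

fun storeApiKey(context: Context, apiKey: String) =
    securePrefs(context).edit().putString("api_key", apiKey).apply()

fun loadApiKey(context: Context): String? =
    securePrefs(context).getString("api_key", null)
```

On a rooted device or a pulled backup the files under `filesDir` and the prefs XML show only ciphertext; the plaintext is recoverable only through the app's own keystore-bound master key.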
Developers can look at FileLocker, a sample app on the Android Security GitHub page, which implements file and shared-preference protection with Jetpack Security.