Skip to content

security: migrate Android secrets to EncryptedSharedPreferences#43

Open
juliosuas wants to merge 1 commit intoIntent-Lab:mainfrom
juliosuas:fix/android-encrypted-prefs
Open

security: migrate Android secrets to EncryptedSharedPreferences#43
juliosuas wants to merge 1 commit intoIntent-Lab:mainfrom
juliosuas:fix/android-encrypted-prefs

Conversation

@juliosuas
Copy link
Copy Markdown

@juliosuas juliosuas commented Apr 6, 2026

Problem

Android SettingsManager stores API keys and tokens in plain SharedPreferences (unencrypted XML on disk). Readable on rooted devices and in ADB backups.

Fix

Use EncryptedSharedPreferences (AES256-GCM) for secrets. Non-sensitive settings remain in plain SharedPreferences. Auto-migration on first launch.

Files Changed

  • settings/SettingsManager.kt — dual storage (encrypted + plain)
  • app/build.gradle.kts — added security-crypto dependency
  • gradle/libs.versions.toml — added version entry

Related

🤖 Generated with Claude Code

@claude
security: migrate Android secrets to EncryptedSharedPreferences
41ff064 
Mirrors the iOS Keychain migration (PR Intent-Lab#41). API keys and tokens were
stored in plain SharedPreferences (unencrypted XML on disk).

Changes:
- Add androidx.security:security-crypto dependency
- SettingsManager now uses EncryptedSharedPreferences (AES256-GCM)
  for geminiAPIKey, openClawHookToken, and openClawGatewayToken
- Non-sensitive settings (host, port, toggles) remain in plain prefs
- One-time auto-migration from plain prefs to encrypted on first launch
- resetAll() clears both encrypted and plain storage

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@juliosuas