Android Shared Preference Unencrypted Local storage security risk – #3 DIVA Solution

Android Shared Preference are name-value pair saved as XML files. Majorly used to save user’s app preference or user’s details or state of the app by developers. Shared Preference are files which are saved inside directory named shared_prefs present within App Sandbox i.e.  /data/data/AppPackageName/shared_prefs .

Being part of Sandbox by default when shared preference is declared in PRIVATE MODE, only the sole app can access it. Specifying Publicly WORLD READ/WRITE MODE as the name suggests would allow any application installed on the phone to access particular Shared Pref. file (by default files are only accessible by app which created it). So as to keep any sensitive information choose Access Mode wisely.



The video demonstrates DIVA app, that app login information is visible in clear-text from Shared Preference of the App. Below are possible ways to view content of Shared preference using a rooted physical device / emulator. ( Make sure you fill in the data and save it first, then only Shared Preference file would be populated )


  • ADB Shell – Reading file of device using ADB from computer
    With ADB Configured in your laptop/computer, connecting physical device via USB & granting ADB connectivity or emulator works directly. Using below commands we can access Shared preference file:


  • There are many Root File explorer apps from Android Play Store, so we can view Shared Preference files directly within device using those File Explorer.


  • Android Studio comes with in-built utility called Android Device Monitor (shown in video). It has a GUI window using which we can navigate to shared_prefs folder and pull file from device storage to computer.


Although Shared preference is protected via Sandbox, yet there are few catch which voids App Sandbox protection mechanism for Shared Preference. Easiest is having a Rooted device (with plenty of tweaks motivating millions of users to root devices). With SU (super user) privilege any apps can read files from Sandbox of any other Apps even with PRIVATE MODE declared for Shared Pref. files. In case if device is not rooted and if app is installed with AndroidManifest.xml containing debuggable=’true’, still files protected by sandbox can be easily accessed from outside. Or if AndroidManifest.xml contains allowBackup=’true’ then using ADB backup sandbox files can be pulled connecting to a computer (however ADB permission needs to be granted from the phone).

Realizing the above facts its recommended not to save any sensitive information in cleartext within Shared Preference such as user personal details, login credentials, Bank details, credit-debit card details, Tokens, PIN, health data, etc.


  • Best solution is not to save anything within the apk in plaintext- either via generating it on run time via user input or bringing details making a secure HTTPS call over the internet.
  • Saving passwords only after Salting + Hashing them with strong algo. like SHA2 or Bcrypt
  • Using Android Keystore which allows to store encryption keys safe even on rooted devices, and using these keys to encrypt sensitive data and then save it in shared preference or SQLite DB.
  • When it comes to maintaining confidential of a proprietary algorithm or logic, a strong code obfuscation technique might help in increasing complexity while reversing. However no 100% reliable solutions are available till date.


Report Errors + Bugs & Become Insider for

We would like to hear you, if you find any error or misspelled phrase while reading our tutorials. By reporting mistakes through email to you could help other peers.