store password securely

Use encrypted preferences for storing password starting with Android 6+.
Lower versions sadly do not offer the necessary Keystore API, so for now
the password stays unencrypted for these.

Also extract each preference into its own class for better separation
and rename preferences where necessary to make their content more clear.

Author: ostrya

app/build.gradle

@@ -69,6 +69,7 @@ afterEvaluate {
 dependencies {
     implementation 'androidx.appcompat:appcompat:1.1.0'
     implementation 'androidx.preference:preference:1.1.0'
+    implementation 'androidx.security:security-crypto:1.0.0-alpha02'
     implementation('com.hypertrack:hyperlog:0.0.10') {
         exclude group: 'com.android.support'
         exclude group: 'com.android.volley'

app/src/main/AndroidManifest.xml

@@ -14,6 +14,8 @@
         android:name="android.permission.WRITE_EXTERNAL_STORAGE"
         android:maxSdkVersion="18" />
 
+    <uses-sdk tools:overrideLibrary="androidx.security" />
+
     <application
         android:allowBackup="false"
         android:icon="@mipmap/ic_launcher"

app/src/main/java/org/ostrya/presencepublisher/ForegroundService.java

@@ -31,10 +31,27 @@
 import java.util.concurrent.Executors;
 import java.util.concurrent.atomic.AtomicBoolean;
 
-import static org.ostrya.presencepublisher.ui.ConnectionFragment.*;
-import static org.ostrya.presencepublisher.ui.ScheduleFragment.*;
+import static org.ostrya.presencepublisher.ui.ScheduleFragment.SSID;
 import static org.ostrya.presencepublisher.ui.notification.NotificationFactory.getServiceNotification;
 import static org.ostrya.presencepublisher.ui.notification.NotificationFactory.updateServiceNotification;
+import static org.ostrya.presencepublisher.ui.preference.AutostartPreference.AUTOSTART;
+import static org.ostrya.presencepublisher.ui.preference.BatteryTopicPreference.BATTERY_TOPIC;
+import static org.ostrya.presencepublisher.ui.preference.ClientCertificatePreference.CLIENT_CERTIFICATE;
+import static org.ostrya.presencepublisher.ui.preference.HostPreference.HOST;
+import static org.ostrya.presencepublisher.ui.preference.LastSuccessTimestampPreference.LAST_SUCCESS;
+import static org.ostrya.presencepublisher.ui.preference.MessageSchedulePreference.MESSAGE_SCHEDULE;
+import static org.ostrya.presencepublisher.ui.preference.NextScheduleTimestampPreference.NEXT_SCHEDULE;
+import static org.ostrya.presencepublisher.ui.preference.OfflineContentPreference.OFFLINE_CONTENT;
+import static org.ostrya.presencepublisher.ui.preference.PasswordPreference.PASSWORD;
+import static org.ostrya.presencepublisher.ui.preference.PortPreference.PORT;
+import static org.ostrya.presencepublisher.ui.preference.PresenceTopicPreference.PRESENCE_TOPIC;
+import static org.ostrya.presencepublisher.ui.preference.SendBatteryMessagePreference.SEND_BATTERY_MESSAGE;
+import static org.ostrya.presencepublisher.ui.preference.SendOfflineMessagePreference.SEND_OFFLINE_MESSAGE;
+import static org.ostrya.presencepublisher.ui.preference.SendViaMobileNetworkPreference.SEND_VIA_MOBILE_NETWORK;
+import static org.ostrya.presencepublisher.ui.preference.SsidListPreference.SSID_LIST;
+import static org.ostrya.presencepublisher.ui.preference.UseTlsPreference.USE_TLS;
+import static org.ostrya.presencepublisher.ui.preference.UsernamePreference.USERNAME;
+import static org.ostrya.presencepublisher.ui.preference.WifiContentPreference.WIFI_CONTENT_PREFIX;
 
 public class ForegroundService extends Service {
     public static final String ALARM_ACTION = "org.ostrya.presencepublisher.ALARM_ACTION";
@@ -51,9 +68,9 @@ public class ForegroundService extends Service {
     private MqttService mqttService;
     private ConnectivityManager connectivityManager;
     private AlarmManager alarmManager;
-    private long lastPing;
+    private long lastSuccess;
     private SharedPreferences sharedPreferences;
-    private long nextPing;
+    private long nextSchedule;
     private WifiMessageProvider wifiMessageProvider;
     private BatteryMessageProvider batteryMessageProvider;
     private final OnSharedPreferenceChangeListener sharedPreferenceListener = this::onSharedPreferenceChanged;
@@ -107,8 +124,8 @@ public void onCreate() {
         intent.setClass(getApplicationContext(), AlarmReceiver.class);
         pendingIntent = PendingIntent.getBroadcast(getApplicationContext(), 0, intent, 0);
         sharedPreferences = PreferenceManager.getDefaultSharedPreferences(getApplicationContext());
-        lastPing = sharedPreferences.getLong(LAST_PING, 0L);
-        nextPing = sharedPreferences.getLong(NEXT_PING, 0L);
+        lastSuccess = sharedPreferences.getLong(LAST_SUCCESS, 0L);
+        nextSchedule = sharedPreferences.getLong(NEXT_SCHEDULE, 0L);
         wifiMessageProvider = new WifiMessageProvider(this);
         batteryMessageProvider = new BatteryMessageProvider(this);
         registerPreferenceCallback();
@@ -156,24 +173,32 @@ private void onSharedPreferenceChanged(SharedPreferences sharedPreferences, Stri
         switch (key) {
             case HOST:
             case PORT:
-            case TLS:
-            case CLIENT_CERT:
+            case USE_TLS:
+            case CLIENT_CERTIFICATE:
             case PRESENCE_TOPIC:
-            case PING:
-            case LOGIN:
+            case MESSAGE_SCHEDULE:
+            case USERNAME:
             case PASSWORD:
             case SSID_LIST:
-            case OFFLINE_PING:
-            case MOBILE_NETWORK_PING:
+            case SEND_OFFLINE_MESSAGE:
+            case SEND_VIA_MOBILE_NETWORK:
+            case SEND_BATTERY_MESSAGE:
+            case BATTERY_TOPIC:
+            case OFFLINE_CONTENT:
                 HyperLog.i(TAG, "Changed parameter " + key);
                 start();
                 break;
             case AUTOSTART:
-            case LAST_PING:
-            case NEXT_PING:
+            case LAST_SUCCESS:
+            case NEXT_SCHEDULE:
                 break;
             default:
-                HyperLog.v(TAG, "Ignoring unexpected value " + key);
+                if (key.startsWith(WIFI_CONTENT_PREFIX)) {
+                    HyperLog.i(TAG, "Changed parameter " + key);
+                    start();
+                } else {
+                    HyperLog.v(TAG, "Ignoring unexpected value " + key);
+                }
         }
     }
 
@@ -192,17 +217,17 @@ private void start() {
             } catch (RuntimeException e) {
                 HyperLog.w(TAG, "Error while getting messages to send", e);
             }
-            int ping = sharedPreferences.getInt(PING, 15);
-            nextPing = System.currentTimeMillis() + ping * 60_000L;
-            HyperLog.i(TAG, "Re-scheduling for " + new Date(nextPing));
-            sharedPreferences.edit().putLong(NEXT_PING, nextPing).apply();
+            int ping = sharedPreferences.getInt(MESSAGE_SCHEDULE, 15);
+            nextSchedule = System.currentTimeMillis() + ping * 60_000L;
+            HyperLog.i(TAG, "Re-scheduling for " + new Date(nextSchedule));
+            sharedPreferences.edit().putLong(NEXT_SCHEDULE, nextSchedule).apply();
             updateNotification();
             if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
-                alarmManager.setExactAndAllowWhileIdle(AlarmManager.RTC_WAKEUP, nextPing, pendingIntent);
+                alarmManager.setExactAndAllowWhileIdle(AlarmManager.RTC_WAKEUP, nextSchedule, pendingIntent);
             } else if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) {
-                alarmManager.setExact(AlarmManager.RTC_WAKEUP, nextPing, pendingIntent);
+                alarmManager.setExact(AlarmManager.RTC_WAKEUP, nextSchedule, pendingIntent);
             } else {
-                alarmManager.set(AlarmManager.RTC_WAKEUP, nextPing, pendingIntent);
+                alarmManager.set(AlarmManager.RTC_WAKEUP, nextSchedule, pendingIntent);
             }
         } finally {
             currentlyRunning.set(false);
@@ -211,7 +236,7 @@ private void start() {
 
     private void updateNotification() {
         NotificationManagerCompat.from(this)
-                .notify(NOTIFICATION_ID, updateServiceNotification(getApplicationContext(), lastPing, nextPing, CHANNEL_ID));
+                .notify(NOTIFICATION_ID, updateServiceNotification(getApplicationContext(), lastSuccess, nextSchedule, CHANNEL_ID));
     }
 
     @Override
@@ -222,8 +247,8 @@ public IBinder onBind(final Intent intent) {
     private void doSend(List<Message> messages) {
         try {
             mqttService.sendMessages(messages);
-            lastPing = System.currentTimeMillis();
-            sharedPreferences.edit().putLong(LAST_PING, lastPing).apply();
+            lastSuccess = System.currentTimeMillis();
+            sharedPreferences.edit().putLong(LAST_SUCCESS, lastSuccess).apply();
             updateNotification();
         } catch (Exception e) {
             HyperLog.w(TAG, "Error while sending messages", e);

app/src/main/java/org/ostrya/presencepublisher/message/battery/BatteryMessageProvider.java

@@ -12,8 +12,8 @@
 import java.util.Collections;
 import java.util.List;
 
-import static org.ostrya.presencepublisher.ui.ScheduleFragment.BATTERY_MESSAGE;
-import static org.ostrya.presencepublisher.ui.ScheduleFragment.BATTERY_TOPIC;
+import static org.ostrya.presencepublisher.ui.preference.BatteryTopicPreference.BATTERY_TOPIC;
+import static org.ostrya.presencepublisher.ui.preference.SendBatteryMessagePreference.SEND_BATTERY_MESSAGE;
 
 public class BatteryMessageProvider {
     private static final String TAG = "BatteryMessageProvider";
@@ -27,7 +27,7 @@ public BatteryMessageProvider(Context context) {
     }
 
     public List<Message> getMessages() {
-        if (!sharedPreferences.getBoolean(BATTERY_MESSAGE, false)) {
+        if (!sharedPreferences.getBoolean(SEND_BATTERY_MESSAGE, false)) {
             HyperLog.d(TAG, "Battery messages disabled, not generating any messages");
             return Collections.emptyList();
         }

app/src/main/java/org/ostrya/presencepublisher/message/wifi/WifiMessageProvider.java

@@ -11,16 +11,19 @@
 import androidx.preference.PreferenceManager;
 import com.hypertrack.hyperlog.HyperLog;
 import org.ostrya.presencepublisher.message.Message;
+import org.ostrya.presencepublisher.ui.preference.OfflineContentPreference;
+import org.ostrya.presencepublisher.ui.preference.WifiContentPreference;
 
 import java.util.Collections;
 import java.util.List;
 import java.util.Set;
 
 import static android.content.Context.CONNECTIVITY_SERVICE;
 import static android.content.Context.WIFI_SERVICE;
-import static org.ostrya.presencepublisher.ui.ConnectionFragment.PRESENCE_TOPIC;
-import static org.ostrya.presencepublisher.ui.ContentFragment.*;
-import static org.ostrya.presencepublisher.ui.ScheduleFragment.*;
+import static org.ostrya.presencepublisher.ui.preference.PresenceTopicPreference.PRESENCE_TOPIC;
+import static org.ostrya.presencepublisher.ui.preference.SendOfflineMessagePreference.SEND_OFFLINE_MESSAGE;
+import static org.ostrya.presencepublisher.ui.preference.SendViaMobileNetworkPreference.SEND_VIA_MOBILE_NETWORK;
+import static org.ostrya.presencepublisher.ui.preference.SsidListPreference.SSID_LIST;
 
 public class WifiMessageProvider {
     private static final String TAG = "WifiMessageProvider";
@@ -48,14 +51,14 @@ public List<Message> getMessages() {
             String ssid = getSsidIfMatching();
             if (ssid != null) {
                 HyperLog.i(TAG, "Scheduling message for SSID " + ssid);
-                String onlineContent = sharedPreferences.getString(WIFI_PREFIX + ssid, DEFAULT_CONTENT_ONLINE);
+                String onlineContent = sharedPreferences.getString(WifiContentPreference.WIFI_CONTENT_PREFIX + ssid, WifiContentPreference.DEFAULT_CONTENT_ONLINE);
                 return Collections.singletonList(messageBuilder.withContent(onlineContent));
             }
         }
-        if (sharedPreferences.getBoolean(OFFLINE_PING, false)
-                && (connectedToWiFi || sharedPreferences.getBoolean(MOBILE_NETWORK_PING, false))) {
+        if (sharedPreferences.getBoolean(SEND_OFFLINE_MESSAGE, false)
+                && (connectedToWiFi || sharedPreferences.getBoolean(SEND_VIA_MOBILE_NETWORK, false))) {
             HyperLog.i(TAG, "Scheduling offline message");
-            String offlineContent = sharedPreferences.getString(CONTENT_OFFLINE, DEFAULT_CONTENT_OFFLINE);
+            String offlineContent = sharedPreferences.getString(OfflineContentPreference.OFFLINE_CONTENT, OfflineContentPreference.DEFAULT_CONTENT_OFFLINE);
             return Collections.singletonList(messageBuilder.withContent(offlineContent));
         }
         return Collections.emptyList();

app/src/main/java/org/ostrya/presencepublisher/mqtt/MqttService.java

@@ -10,30 +10,38 @@
 import org.eclipse.paho.client.mqttv3.MqttException;
 import org.eclipse.paho.client.mqttv3.persist.MemoryPersistence;
 import org.ostrya.presencepublisher.message.Message;
+import org.ostrya.presencepublisher.security.SecurePreferencesHelper;
 
 import java.nio.charset.Charset;
 import java.util.List;
 
-import static org.ostrya.presencepublisher.ui.ConnectionFragment.*;
+import static org.ostrya.presencepublisher.ui.preference.ClientCertificatePreference.CLIENT_CERTIFICATE;
+import static org.ostrya.presencepublisher.ui.preference.HostPreference.HOST;
+import static org.ostrya.presencepublisher.ui.preference.PasswordPreference.PASSWORD;
+import static org.ostrya.presencepublisher.ui.preference.PortPreference.PORT;
+import static org.ostrya.presencepublisher.ui.preference.UseTlsPreference.USE_TLS;
+import static org.ostrya.presencepublisher.ui.preference.UsernamePreference.USERNAME;
 
 public class MqttService {
     private static final String TAG = "MqttService";
 
     private final AndroidSslSocketFactoryFactory factory;
     private final SharedPreferences sharedPreferences;
+    private final SharedPreferences securePreferences;
 
     public MqttService(Context context) {
         Context applicationContext = context.getApplicationContext();
         factory = new AndroidSslSocketFactoryFactory(applicationContext);
         sharedPreferences = PreferenceManager.getDefaultSharedPreferences(applicationContext);
+        securePreferences = SecurePreferencesHelper.getSecurePreferences(applicationContext);
     }
 
     public void sendMessages(List<Message> messages) throws MqttException {
         HyperLog.i(TAG, "Sending messages to server");
-        boolean tls = sharedPreferences.getBoolean(TLS, false);
-        String clientCertAlias = sharedPreferences.getString(CLIENT_CERT, null);
-        String login = sharedPreferences.getString(LOGIN, "");
-        String password = sharedPreferences.getString(PASSWORD, "");
+        boolean tls = sharedPreferences.getBoolean(USE_TLS, false);
+        String clientCertAlias = sharedPreferences.getString(CLIENT_CERTIFICATE, null);
+        String login = sharedPreferences.getString(USERNAME, "");
+        String password = securePreferences.getString(PASSWORD, "");
 
         MqttClient mqttClient = new MqttClient(getMqttUrl(tls), Settings.Secure.ANDROID_ID, new MemoryPersistence());
         MqttConnectOptions options = new MqttConnectOptions();

app/src/main/java/org/ostrya/presencepublisher/receiver/SystemBroadcastReceiver.java

@@ -9,7 +9,7 @@
 import com.hypertrack.hyperlog.HyperLog;
 import org.ostrya.presencepublisher.ForegroundService;
 
-import static org.ostrya.presencepublisher.ui.ScheduleFragment.AUTOSTART;
+import static org.ostrya.presencepublisher.ui.preference.AutostartPreference.AUTOSTART;
 
 public class SystemBroadcastReceiver extends BroadcastReceiver {
     private static final String TAG = "SystemBroadcastReceiver";

app/src/main/java/org/ostrya/presencepublisher/security/SecurePreferencesHelper.java

@@ -0,0 +1,56 @@
+package org.ostrya.presencepublisher.security;
+
+import android.content.Context;
+import android.content.SharedPreferences;
+import android.os.Build;
+import android.security.keystore.KeyGenParameterSpec;
+import androidx.annotation.Nullable;
+import androidx.preference.PreferenceDataStore;
+import androidx.security.crypto.EncryptedSharedPreferences;
+import androidx.security.crypto.MasterKeys;
+import com.hypertrack.hyperlog.HyperLog;
+
+public class SecurePreferencesHelper {
+    private static final String TAG = "SecurePreferencesHelper";
+
+    private static final String FILENAME = "encryptedPreferences";
+
+    public static PreferenceDataStore getSecurePreferenceDataStore(Context context) {
+        return new PreferenceDataStore() {
+            @Override
+            public void putString(String key, @Nullable String value) {
+                SharedPreferences preferences = getSecurePreferences(context);
+                preferences.edit().putString(key, value).apply();
+            }
+
+            @Nullable
+            @Override
+            public String getString(String key, @Nullable String defValue) {
+                SharedPreferences preferences = getSecurePreferences(context);
+                return preferences.getString(key, defValue);
+            }
+        };
+    }
+
+    public static SharedPreferences getSecurePreferences(Context context) {
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
+            try {
+                KeyGenParameterSpec keyGenParameterSpec = MasterKeys.AES256_GCM_SPEC;
+                String masterKeyAlias = MasterKeys.getOrCreate(keyGenParameterSpec);
+                return EncryptedSharedPreferences
+                        .create(
+                                FILENAME,
+                                masterKeyAlias,
+                                context,
+                                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
+                                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
+                        );
+            } catch (Exception e) {
+                HyperLog.w(TAG, "Unable to get secure preferences", e);
+                throw new RuntimeException("Unable to get secure preferences");
+            }
+        } else {
+            return context.getSharedPreferences(FILENAME, Context.MODE_PRIVATE);
+        }
+    }
+}