Welcome to our Secure Development Tips blog

Every other week, we provide expert tech tips on how to build and deploy secure applications.  These best practices, derived from Security Innovation’s assessments of the worlds’ most dominant software applications,  are taken directly from our TeamMentor product, which includes more than 3,500 guidance assets and articles on secure software design, coding and testing.    

Recent Security Innovation Blog Post:

Subscribe by Email

Your email:

Secure Development Tips

a blog with tips relating to secure application development, from Security Innovation's eknowledge database, TeamMentor

Current Articles | RSS Feed RSS Feed

Encrypt Stored Sensitive Data


Applies To

  • Android applications that store sensitive data.

What to Do

Encrypt stored sensitive data.


Sensitive data at rest should be encrypted to make it difficult for an attacker to recover this data if the device is stolen or compromised.


To encrypt stored sensitive data:

  1. Identify sensitive data. Make a list of all sensitive information handled by your application.
  2. Determine whether sensitive data needs to be stored. For each type of sensitive data, determine whether it needs to be stored at all. Do not store sensitive data unless it is absolutely necessary. Make a list of the locations where each piece of sensitive data is stored and which functions access it.
  3. Add an encryption subsystem to your application. Implement a centralized set of encryption functions to be used by your application. A centralized encryption subsystem is simpler to manage and to implement correctly than ad hoc code spread out throughout the application. The encryption system should provide encryption and decryption functions; functions for managing the encryption keys might also be useful.
  4. Use the Cipher class for encryption. The Android SDK includes the Cipher class, which provides access to industry-standard cryptographic algorithms.
  5. Use a strong encryption algorithm and mode. Use the getInstance method of the Cipher class to specify an encryption algorithm and mode. One recommended algorithm and mode is "AES/CBC/PKCS5Padding".
  6. Use strong encryption keys. Make sure to use strong encryption keys when protecting sensitive data. The most important factor in encryption key strength is length. The recommended length of encryption keys for the AES algorithm is 256-bit. Pass the key as a byte array to the constructor of the SecretKeySpec class to get a SecretKeySpec object that can be used with the Cipher for encryption or decryption. The key may be generated using the KeyGenerator class.
  7. Explicitly specify character encoding. Make sure to explicitly specify the character encoding when encrypting and decrypting data by using theCharset.forName method.
  8. Use CipherOutputStream and CipherInputStream classes to access encrypted streams. The CipherOutputStream and CipherInputStream classes provide cryptographic wrappers for stream objects - using these for cryptographic I/O may be simpler than using the Cipher class directly for each byte.
  9. Use your application's encryption subsystem to encrypt stored sensitive data. Once your encryption subsystem has been defined, use it to protect all files that store sensitive data. Encryption functions need to be called whenever sensitive data is stored and decryption functions need to be called whenever sensitive data is loaded.


Additional Resources


Post Comment
Website (optional)

Allowed tags: <a> link, <b> bold, <i> italics