Data Storage Security
SECURITY › Security
Encrypting data at rest with Keystore-backed keys, EncryptedSharedPreferences, and scoped storage.
Interviewers probe this to see whether you understand that on-device data is attacker-reachable on rooted or stolen devices, and that the OS gives you hardware-backed primitives to defend it. You are tested on where the root key lives (Android Keystore, never the app process), how to encrypt prefs/files at rest, what must never be stored in plaintext, and how to gate keys behind biometrics. Expect tradeoff questions on TEE vs StrongBox and the deprecation of Jetpack Security Crypto.
What this covers
- How the Android Keystore prevents key extraction and keeps key material in secure hardware (TEE/StrongBox)
- EncryptedSharedPreferences internals: AES256-SIV for keys, AES256-GCM for values, backed by a MasterKey in Keystore
- What you must never put in plain SharedPreferences (tokens, passwords, PII, keys) and why
- Binding keys to user authentication with setUserAuthenticationParameters and BiometricPrompt.CryptoObject
- Scoped storage: app-private dirs, MediaStore, and SAF instead of broad external-storage access
- Why you encrypt at rest, and that Jetpack Security Crypto is deprecated (know the current alternatives)
Study this topic
- Data Storage Security explained: the guided lesson
- 14 practice quiz questions
- 9 revision flashcards
- Data Storage Security interview questions and answers