kotlin:S6291: Android SharedPreferences security recommendation is out-of-date

When using SharedPreferences in an Android app with minSdk set to API 29 (Android 10), Sonar raises the following security hotspot:

Make sure using an unencrypted database is safe here.
Using unencrypted databases in mobile applications is security-sensitive (kotlin:S6291)

In Sonar, I clicked “How can I fix it” and the “Recommended Secure Coding Practices” states:

Instead of SharedPreferences you can use EncryptedSharedPreferences

However, this recommendation is out-of-date as the solution is deprecated.

Please can you update the security recommendations around SharedPreferences usage?

Hi @jonnyandrewgds,

Thanks for taking the time to report this issue on our community.

Rule S6291 is not relevant anymore since Android 10.

Android 10+ (as well as iOS) has encryption by default, so databases don’t need to provide encryption features themselves anymore. See this article for further details about the deprecation of Encrypted Shared Preferences.

We had this rule on our radar, and we planned its deprecation, both for Kotlin and Java. We just could not do it yet.

While waiting for the deprecation of the rule to be done and released, you can mark all issues detected by this hotspot as Safe, or remove the rule from your profile, if it is really noisy.

Hope it helps,
Antonio
