fix(app): flag to force strongbox by removing fallback

Author: Numoy

flutter_secure_storage/android/src/main/java/com/it_nomads/fluttersecurestorage/FlutterSecureStorage.java

@@ -33,6 +33,7 @@ public class FlutterSecureStorage {
     private static final String PREF_OPTION_PREFIX = "preferencesKeyPrefix";
     private static final String PREF_OPTION_DELETE_ON_FAILURE = "resetOnError";
     private static final String PREF_KEY_MIGRATED = "preferencesMigrated";
+    private static final String PREF_OPTION_ONLY_ALLOW_STRONGBOX = "onlyAllowStrongBox";
     @NonNull
     private final SharedPreferences encryptedPreferences;
     @NonNull
@@ -63,7 +64,15 @@ public FlutterSecureStorage(Context context, Map<String, Object> options) throws
             }
         }
 
-        encryptedPreferences = getEncryptedSharedPreferences(deleteOnFailure, options, context.getApplicationContext(), sharedPreferencesName, true);
+        boolean onlyAllowStrongbox = false;
+         if (options.containsKey(PREF_OPTION_ONLY_ALLOW_STRONGBOX)) {
+            var value = options.get(PREF_OPTION_ONLY_ALLOW_STRONGBOX);
+            if (value instanceof String) {
+                onlyAllowStrongbox = Boolean.parseBoolean((String) value);
+            }
+        }
+
+        encryptedPreferences = getEncryptedSharedPreferences(deleteOnFailure, options, context.getApplicationContext(), sharedPreferencesName, true, onlyAllowStrongbox);
     }
 
     public boolean containsKey(String key) {
@@ -104,7 +113,7 @@ private String addPrefixToKey(String key) {
         return preferencesKeyPrefix + "_" + key;
     }
 
-    private SharedPreferences getEncryptedSharedPreferences(boolean deleteOnFailure, Map<String, Object> options, Context context, String sharedPreferencesName, boolean isStrongBoxBacked) throws GeneralSecurityException, IOException {
+    private SharedPreferences getEncryptedSharedPreferences(boolean deleteOnFailure, Map<String, Object> options, Context context, String sharedPreferencesName, boolean isStrongBoxBacked, boolean isOnlyStrongBoxAllowed) throws GeneralSecurityException, IOException {
         try {
             final SharedPreferences encryptedPreferences = initializeEncryptedSharedPreferencesManager(context, sharedPreferencesName, isStrongBoxBacked);
             boolean migrated = encryptedPreferences.getBoolean(PREF_KEY_MIGRATED, false);
@@ -117,7 +126,7 @@ private SharedPreferences getEncryptedSharedPreferences(boolean deleteOnFailure,
                 Throwable cause = e.getCause();
 
                 if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
-                    if (cause instanceof StrongBoxUnavailableException) {
+                    if (cause instanceof StrongBoxUnavailableException && !isOnlyStrongBoxAllowed) {
                         // Fallback to not using Strongbox
                         return getEncryptedSharedPreferences(deleteOnFailure, options, context, sharedPreferencesName, false);
                     }

flutter_secure_storage/lib/options/android_options.dart

@@ -27,10 +27,12 @@ class AndroidOptions extends Options {
         StorageCipherAlgorithm.AES_CBC_PKCS7Padding,
     this.sharedPreferencesName,
     this.preferencesKeyPrefix,
+    bool onlyAllowStrongBox = false,
   })  : _encryptedSharedPreferences = encryptedSharedPreferences,
         _resetOnError = resetOnError,
         _keyCipherAlgorithm = keyCipherAlgorithm,
-        _storageCipherAlgorithm = storageCipherAlgorithm;
+        _storageCipherAlgorithm = storageCipherAlgorithm,
+        _onlyAllowStrongBox = onlyAllowStrongBox;
 
   /// EncryptedSharedPrefences are only available on API 23 and greater
   final bool _encryptedSharedPreferences;
@@ -70,6 +72,12 @@ class AndroidOptions extends Options {
   /// WARNING: If you change this you can't retrieve already saved preferences.
   final String? preferencesKeyPrefix;
 
+  /// If true, only allow keys to be stored in StrongBox backed keymaster.
+  /// This option is only available on API 28 and greater. If set to true some phones might now work
+  /// Defaults to false.
+  /// https://developer.android.com/training/articles/keystore#HardwareSecurityModule
+  final bool _onlyAllowStrongBox;
+
   static const AndroidOptions defaultOptions = AndroidOptions();
 
   @override
@@ -80,6 +88,7 @@ class AndroidOptions extends Options {
         'storageCipherAlgorithm': _storageCipherAlgorithm.name,
         'sharedPreferencesName': sharedPreferencesName ?? '',
         'preferencesKeyPrefix': preferencesKeyPrefix ?? '',
+        'onlyAllowStrongBox': '$_onlyAllowStrongBox',
       };
 
   AndroidOptions copyWith({
@@ -89,6 +98,7 @@ class AndroidOptions extends Options {
     StorageCipherAlgorithm? storageCipherAlgorithm,
     String? preferencesKeyPrefix,
     String? sharedPreferencesName,
+    bool? onlyAllowStrongBox,
   }) =>
       AndroidOptions(
         encryptedSharedPreferences:
@@ -99,5 +109,6 @@ class AndroidOptions extends Options {
             storageCipherAlgorithm ?? _storageCipherAlgorithm,
         sharedPreferencesName: sharedPreferencesName,
         preferencesKeyPrefix: preferencesKeyPrefix,
+        onlyAllowStrongBox: onlyAllowStrongBox ?? _onlyAllowStrongBox,
       );
 }