Secure information stored in SharedPreferences (#771)

* Secure information stored in SharedPreferences

* Lower aws-android-sdk-core-test compile and target sdk version to 27

* Add a symlink to android-23.jar for core

* Add a gradle task that creates a symlink to android-23.jar for AWS Core

* Fix the gradle task that creates symbolic link to android-23.jar

* Change config.yml to setup android-23

* Enable core, cognitoidentityprovider and cognitoauth integration tests on CircleCI

* Enable core, cognitoidentityprovider and cognitoauth integration tests on CircleCI

* Fix pom.xml

* Improve exception handling in AWSKeyValueStore

Author: Karthikeyan

.circleci/config.yml

@@ -153,7 +153,16 @@ commands:
             echo "title:$title"
             echo "content:$content"
             python3 ../CircleciScripts/create_pullrequest.py  "${GITHUB_BUMPVERSION_USER}" "${GITHUB_BUMPVERSION_TOKEN}" "$title" "$content" "master" "${GITHUB_BUMPVERSION_USER}:bump_version" ${bumpversion_repo_user} ${bumpversion_repo_name}
-
+  setup_android_platform23:
+    description: >-
+      setup android platform 23
+    steps:
+      - run:
+          name: download android platform 23
+          command: |
+            # This is required becaused AWSCore has a compileOnly
+            # dependency on API Level 23.
+            sudo yes | sdkmanager "platforms;android-23"
 
 jobs:
   build:
@@ -165,6 +174,7 @@ jobs:
     steps:
       - checkout
       - generate_gradle_wrapper
+      - setup_android_platform23
       - run:
           name: build the whole project
           command: |
@@ -188,6 +198,7 @@ jobs:
     steps:
       - checkout
       - generate_gradle_wrapper
+      - setup_android_platform23
       - run:
           name: run unit tests
           command: |
@@ -320,7 +331,7 @@ jobs:
       - run:
           name: Install Android build tools
           command: |
-            sudo yes | /usr/local/bin/sdkmanager "platforms;android-21" "platforms;android-27" "build-tools;27.0.1"  "extras;google;m2repository" "extras;android;m2repository"
+            sudo yes | /usr/local/bin/sdkmanager "platforms;android-21" "platforms;android-23" "platforms;android-27" "build-tools;27.0.1"  "extras;google;m2repository" "extras;android;m2repository"
             /usr/local/bin/sdkmanager --update
       - run:
           name: Install GPG
@@ -438,6 +449,7 @@ jobs:
     steps:
       - checkout
       - configure_aws
+      - setup_android_platform23
       - run: 
           name: install python3-pip
           command: |
@@ -487,6 +499,7 @@ jobs:
     steps:
       - checkout
       - configure_aws     
+      - setup_android_platform23
       - run:
           name: checkout sample applications
           command: |

.gitignore

@@ -76,3 +76,6 @@ __pycache__/
 # Credentials
 **/testconfiguration.json
 **/awsconfiguration.json
+
+# AWSCoreRuntime libs
+aws-android-sdk-core/libs

CHANGELOG.md

@@ -1,5 +1,24 @@
 # Change Log - AWS SDK for Android
 
+## [Release 2.12.3](https://github.com/aws/aws-sdk-android/releases/tag/release_v2.12.3)
+
+### Enhancements
+
+* **AWS Core**
+  * The `SharedPreferences` used by `CognitoCachingCredentialsProvider` is now encrypted. 
+  * Added a method `CognitoCachingCredentialsProvider.setPersistenceEnabled(boolean)`, which is enabled (set to true) by default therefore the information is persisted in SharedPreferences. When disabled (set to false), the information will only be kept in memory.
+
+* **Amazon CognitoIdentityProvider**
+  * The `SharedPreferences` used by `CognitoUserPool` is now encrypted. 
+  * Added a method `CognitoUserPool.setPersistenceEnabled(boolean)`, which is enabled (set to true) by default therefore the information is persisted in SharedPreferences. When disabled (set to false), the information will only be kept in memory.
+
+* **Amazon CognitoAuth**
+  * The `SharedPreferences` used by `Auth` is now encrypted. 
+  * Added a method `Auth.setPersistenceEnabled(boolean)`, which is enabled (set to true) by default therefore the information is persisted in SharedPreferences. When disabled (set to false), the information will only be kept in memory.
+
+* **AWSMobileClient**
+  * The `SharedPreferences` used by `AWSMobileClient` is now encrypted.
+
 ## [Release 2.12.2](https://github.com/aws/aws-sdk-android/releases/tag/release_v2.12.2)
 
 ### Misc. Updates

CircleciScripts/run_integrationtest.py

@@ -6,8 +6,11 @@
 root = sys.argv[2]
 credentials = sys.argv[3]
 
-testmodules =  ["aws-android-sdk-apigateway-test",
+testmodules =  ["aws-android-sdk-core-test",
+                "aws-android-sdk-apigateway-test",
                 "aws-android-sdk-autoscaling-test",
+                "aws-android-sdk-cognitoidentityprovider-test",
+                "aws-android-sdk-cognitoauth",
                 "aws-android-sdk-cloudwatch-test",
                 "aws-android-sdk-elb-test",
                 "aws-android-sdk-ddb-test",

aws-android-sdk-auth-core/src/main/java/com/amazonaws/mobile/auth/core/IdentityManager.java

@@ -19,7 +19,6 @@
 
 import android.app.Activity;
 import android.content.Context;
-import android.content.Intent;
 import android.util.Log;
 
 import com.amazonaws.ClientConfiguration;
@@ -30,6 +29,7 @@
 import com.amazonaws.auth.AWSCredentialsProvider;
 import com.amazonaws.auth.CognitoCachingCredentialsProvider;
 
+import com.amazonaws.internal.keyvaluestore.AWSKeyValueStore;
 import com.amazonaws.mobile.auth.core.signin.AuthException;
 import com.amazonaws.mobile.auth.core.signin.CognitoAuthException;
 import com.amazonaws.mobile.auth.core.signin.ProviderAuthException;
@@ -42,9 +42,6 @@
 import com.amazonaws.regions.Region;
 import com.amazonaws.regions.Regions;
 
-import java.io.IOException;
-import java.lang.reflect.Method;
-import java.util.Arrays;
 import java.util.Collection;
 import java.util.Date;
 import java.util.HashMap;
@@ -56,7 +53,6 @@
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
 
-import org.json.JSONArray;
 import org.json.JSONException;
 import org.json.JSONObject;
 
@@ -157,6 +153,19 @@ private void setUnderlyingProvider(final CognitoCachingCredentialsProvider under
      */
     private static final String EXPIRATION_KEY = "expirationDate";
 
+    /**
+     * Instance of AWSKeyValueStorageUtility that provides access
+     * to secure storage of credentials in SharedPreferences.
+     */
+    private AWSKeyValueStore awsKeyValueStore;
+
+    /**
+     * Flag if true indicates that secure storage is used to
+     * access information. Flag if false keeps the information
+     * in memory.
+     */
+    private boolean isPersistenceEnabled = true;
+
     boolean shouldFederate = true;
 
     /**
@@ -199,6 +208,7 @@ public IdentityManager(final Context context) {
         this.awsConfiguration = null;
         this.clientConfiguration = null;
         this.credentialsProviderHolder = null;
+        this.awsKeyValueStore = new AWSKeyValueStore(appContext, SHARED_PREF_NAME, isPersistenceEnabled);
     }
 
     /**
@@ -216,6 +226,7 @@ public IdentityManager(final Context context,
         this.clientConfiguration = new ClientConfiguration().withUserAgent(awsConfiguration.getUserAgent());
         this.credentialsProviderHolder = new AWSCredentialsProviderHolder();
         createCredentialsProvider(this.appContext, this.clientConfiguration);
+        this.awsKeyValueStore = new AWSKeyValueStore(appContext, SHARED_PREF_NAME, isPersistenceEnabled);
     }
 
     /**
@@ -245,6 +256,7 @@ public IdentityManager(final Context context,
 
         this.credentialsProviderHolder = new AWSCredentialsProviderHolder();
         createCredentialsProvider(this.appContext, this.clientConfiguration);
+        this.awsKeyValueStore = new AWSKeyValueStore(appContext, SHARED_PREF_NAME, isPersistenceEnabled);
     }
 
     /**
@@ -260,8 +272,24 @@ public IdentityManager(final Context context,
         this.clientConfiguration = clientConfiguration;
         this.credentialsProviderHolder = new AWSCredentialsProviderHolder();
         credentialsProviderHolder.setUnderlyingProvider(credentialsProvider);
+        this.awsKeyValueStore = new AWSKeyValueStore(appContext, SHARED_PREF_NAME, isPersistenceEnabled);
     }
 
+    /**
+     * Set the flag that indicates if persistence is enabled or not.
+     * @param persistenceEnabled the flag that indicates if persistence is enabled or not.
+     */
+    public void setPersistenceEnabled(boolean persistenceEnabled) {
+        isPersistenceEnabled = persistenceEnabled;
+        this.awsKeyValueStore.setPersistenceEnabled(isPersistenceEnabled);
+    }
+
+    /**
+     * Set the flag that indicates if tokens will be
+     * federated into Cognito Identity pool
+     * @param enabled Flag that indicates if tokens will
+     *                be federated into Cognito Identity pool
+     */
     public void enableFederation(final boolean enabled) {
         shouldFederate = enabled;
     }
@@ -544,11 +572,8 @@ private void refreshCredentialWithLogins(final Map<String, String> loginMap) {
         credentialsProvider.refresh();
 
         // Set the expiration key of the Credentials Provider to 8 minutes, 30 seconds.
-        appContext.getSharedPreferences(SHARED_PREF_NAME, Context.MODE_PRIVATE)
-                  .edit()
-                  .putLong(credentialsProvider.getIdentityPoolId() + "." + EXPIRATION_KEY,
-                           System.currentTimeMillis() + (510 * 1000))
-                  .apply();
+        awsKeyValueStore.put(credentialsProvider.getIdentityPoolId() + "." + EXPIRATION_KEY,
+                String.valueOf(System.currentTimeMillis() + (510 * 1000)));
     }
 
     /**
@@ -904,9 +929,10 @@ private void createCredentialsProvider(final Context context,
             new AWSRefreshingCognitoIdentityProvider(null, poolId,
                 clientConfiguration, cognitoIdentityRegion);
 
-        credentialsProviderHolder.setUnderlyingProvider(
-            new CognitoCachingCredentialsProvider(context, refreshingCredentialsProvider,
-                    cognitoIdentityRegion, clientConfiguration));
+        final CognitoCachingCredentialsProvider cognitoCachingCredentialsProvider = new CognitoCachingCredentialsProvider(context, refreshingCredentialsProvider,
+                cognitoIdentityRegion, clientConfiguration);
+        cognitoCachingCredentialsProvider.setPersistenceEnabled(isPersistenceEnabled);
+        credentialsProviderHolder.setUnderlyingProvider(cognitoCachingCredentialsProvider);
     }
 
     /**

aws-android-sdk-cognitoauth/build.gradle

@@ -1,4 +1,5 @@
 apply plugin: 'com.android.library'
+apply plugin: 'devicefarm'
 
 android {
     compileSdkVersion 27
@@ -31,9 +32,28 @@ dependencies {
 
     implementation "com.amazonaws:aws-android-sdk-cognitoidentityprovider-asf:1.0.0"
     implementation "com.android.support:customtabs:25.4.0"
+    api (project(':aws-android-sdk-core')) {
+        exclude group: "com.google.android", module: "android"
+    }
 
     testImplementation 'junit:junit:4.12'
 
     androidTestImplementation 'com.android.support.test:runner:1.0.2'
     androidTestImplementation 'com.android.support.test.espresso:espresso-core:3.0.2'
+    androidTestImplementation project(':aws-android-sdk-testutils')
+}
+
+devicefarm {
+
+    // Required. The Project must already exist. You can create a project in the AWS console.
+    projectName "AWSAndroidKeyStoreTester"
+
+    // Required. You must specify either accessKey and secretKey OR roleArn. roleArn takes precedence.
+    authentication {
+        accessKey "$System.env.DEVICEFARM_ACCESS_KEY"
+        secretKey "$System.env.DEVICEFARM_SECRET_KEY"
+    }
+
+    devicePool "AWSAndroidKeyStoreTesterPool"
 }
+

aws-android-sdk-cognitoauth/pom.xml

@@ -49,6 +49,12 @@
       <optional>false</optional>
       <version>1.0.0</version>
     </dependency>
+    <dependency>
+      <groupId>com.amazonaws</groupId>
+      <artifactId>aws-android-sdk-core</artifactId>
+      <optional>false</optional>
+      <version>2.12.2</version>
+    </dependency>
     <dependency>
       <groupId>com.android.support</groupId>
       <artifactId>customtabs</artifactId>

aws-android-sdk-cognitoauth/src/androidTest/java/com/amazonaws/mobileconnectors/cognitoauth/CognitoAuthIntegrationTestBase.java

@@ -0,0 +1,26 @@
+/*
+ * Copyright 2019-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package com.amazonaws.mobileconnectors.cognitoauth;
+
+import com.amazonaws.testutils.AWSTestBase;
+
+import org.json.JSONObject;
+
+public abstract class CognitoAuthIntegrationTestBase extends AWSTestBase {
+    public static JSONObject getPackageConfigure()  {
+        return getPackageConfigure("cognitoauth");
+    }
+}