Proper usage of EncryptedSharedPreferences


Android recently released EncryptedSharedPreferences which automatically encrypts SharedPreferences key/value data. While this is good, I've found that I can simply hook onto the API call and retrieve the decrypted value. Other than encrypting the data manually before calling EncryptedSharedPreferences (which kind of defeats its purpose) and implementing stronger runtime tampering to detect hooking, is there any way to be resistant to such attacks?

Additionally, I was also able to extract the encryption key used to encrypt the key/value pair in EncryptedSharedPreferences by hooking onto javax.crypto.Cipher and inspecting SecretKeySpec and IvParameterSpec. This seems weird because isn't the encryption key supposed to reside in the Android Keystore and never leave it?

Thành Hà Văn

The purpose of EncryptedSharedPreferences is to protect the data: it's encrypted so hackers cannot understand the data; it cannot protect from stealing the data. But what can you do if you get the encrypted data and cannot decrypt it? If you cannot, then EncryptedSharedPreferences already serves its purpose.