Search code examples
androidandroid-activityandroid-security

Most secure way of sending data between activities in Android

I looked up different Q&A on how to send data or what are the best way to send data between activities in Android but I could not find an answer on what is the most secure way to do it, if data are sensitive.

Best ways to send data between activities in android: https://stackoverflow.com/a/4878259/5544859

Which of these ways is the most secure AND efficient one to send data?

Solution

  • Putting the data in the Intent would be the least secure, insofar as that data is being sent by IPC from your process to a core OS process, then back to your process via another IPC invocation. On modern versions of Android, I know of no security issues with this — other apps cannot spy on that IPC or otherwise get at that data. However, all else being equal, keeping the sensitive data within your process at all times would be more secure than passing that data outside of your process.

    The cited "Persist objects (sqlite, share preferences, file, etc.)" is not a way of passing data between components. It is a way of persisting data for long-term use. Now, most apps need such persistence, and so you may have persistence for other reasons and simply leverage it (e.g., A triggers writing data; E reads in that data). From an efficiency standpoint, though, disk I/O is slow, and so you do it when you need persistence, not data passing. Typically, though, with persistence, we maintain some sort of in-memory cache, to minimize that disk I/O. That involves static fields and WeakReferences, the other option cited in that Stack Overflow answer.

    Off the cuff, and knowing nothing about your app:

    • If this sensitive data should be persisted, then just persist it, use a cache, and have E get the data from the cache or persistent store

    • If this sensitive data should not be persisted, but it is large and it can be acquired again (e.g., via network I/O), cache it using a static field and a WeakReference, so you do not tie up heap space indefinitely

    • If this sensitive data should not be persisted, and either is not large or cannot readily be acquired again, cache it using a static field, so it sticks around as long as your process does