- 09 Jan 2025
Customer token configuration
- Updated on 09 Jan 2025
The developer controls the on-device generation of the Secure Local Storage encryption key through the mandatory customer-specified token. Changing this customer-specific "token" changes the decryption key, which lets the customer ensure that old data is no longer accessible after rolling out a specific application update, or that two different apps from the same publisher cannot retrieve data from each other.
Implementation of the SAROM token configuration
The customer token is set by adding the following item to the App Shielding config.xml file:
config.xml
... <secureLocalStorageToken v="RXhhbXBsZSBmb3IgU0xTIGN1c3RvbWVyIHRva2Vu"/> ...
The value of secureLocalStorageToken is a string. To use binary data for the token, encode it as base64.
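A build-time check for the token setting described above, as an added example that is not part of App Shielding or of the original page. It assumes the element can be located anywhere in config.xml; the `<config>` root element, the app names, the 32-byte token size and all function names are illustrative.

```python
import base64
import secrets
import xml.etree.ElementTree as ET

# Example value printed in the documentation above; a shipped build should not reuse it.
DOC_EXAMPLE_TOKEN = "RXhhbXBsZSBmb3IgU0xTIGN1c3RvbWVyIHRva2Vu"


def new_token(nbytes=32):
    """Random binary token, base64-encoded for the v attribute (32 bytes is an assumption)."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def sample_config(token):
    """Constructed sample; the <config> root element is a placeholder."""
    return f'<config><secureLocalStorageToken v="{token}"/></config>'


def read_token(config_xml):
    """Return the secureLocalStorageToken value from config.xml text, or None if absent."""
    elem = next(ET.fromstring(config_xml).iter("secureLocalStorageToken"), None)
    return elem.get("v") if elem is not None else None


def audit(configs, rotated=None):
    """configs: {app: config.xml text} for this release.
    rotated: {app: previous config.xml text} for apps whose update must retire old data.
    Returns a list of findings; an empty list means every check passed."""
    findings, owner = [], {}
    for app, xml_text in configs.items():
        token = read_token(xml_text)
        if not token:
            findings.append(f"{app}: token missing")
            continue
        if token == DOC_EXAMPLE_TOKEN:
            findings.append(f"{app}: documentation example token in use")
        if token in owner:  # the page relies on distinct tokens to keep apps apart
            findings.append(f"{app}: shares token with {owner[token]}")
        owner.setdefault(token, app)
        if rotated and app in rotated and read_token(rotated[app]) == token:
            findings.append(f"{app}: token unchanged since previous release")
    return findings


if __name__ == "__main__":
    old, new = new_token(), new_token()
    print(audit({"wallet": sample_config(new), "loyalty": sample_config(new)},
                rotated={"wallet": sample_config(old)}))
```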
Implementation details
To enable this feature in an application, the app must integrate the platform-specific App Shielding elements and include code that uses the features. For more information, see iOS integration and Android integration.
Technical notes of the implementation
The Secure Local Storage implementation is backed by files, which are stored in the directory app-storage/736869656c64/736c73/, where app-storage is the application's private data directory for the platform, for example the directory returned by Context.getFilesDir() on Android.
The stored data is encrypted using the AES-256 algorithm in GCM mode. Future versions of Secure Local Storage may add additional ciphers for encryption of the data.