即时通讯目前正在制定的OAuth 1和2的访问web服务的框架和我的问题是，如何存放敏感数据就像在一个安全的方式OAuth访问密钥？ 与此键的问题是，Twitter之类的某些平台上使用永久密钥，如果有人可以访问这个关键，他可以做任何他想做的与用户的Twitter帐户。

Im currently developing a framework for oAuth 1 and 2 access to webservices and my question is, how do i store sensitive data like an oAuth access key in a secure way? the problem with this keys is that some platforms like twitter use a permanent key and if someone would get access to this key he could do whatever he wants with the users twitter account..

所以是有可能之前，存储在共享preferences自动加密数据？还是有更好的方法/地方来存储重要数据？

so is it possible to automatically encrypt the data before it is stored in the shared preferences? Or is there a better way/place to store very important data?

更新 - 还阅读：What是最合适的方式来存储在Android应用程序用户设置

UPDATE - ALSO READ: What is the most appropriate way to store user settings in Android application

推荐答案

1）。如何加密？

在Android上的加密是通过Java加密体系结构（JCA）进行。主要是在 javax.crypto中。* 包。

On Android the encryption is done via Java Cryptography Architecture (JCA). Mainly it is the javax.crypto.* package.

JCA参考指南

下面是一个example JCA API的使用（AES alrorithm尤其是）。

Here is an example of JCA API usage (AES alrorithm in particular).

2）。在哪里存放？

加密API操纵使用字节数组（而不是字符串）。这意味着您可以使用共享preferences ，但你需要把它变成之前应用BASE-64编码加密的字节数组共享preferences （否则XML解析器将无法读取共享preferences文件）。然后阅读，您需要使用相应的-64解码。请注意，在默认情况下大多数Android操作系统的版本不具有一个内置的BASE-64 API（请参阅更新一节）。因此，要消除这种BASE-64的开销，我会建议只是来存储字节的private文件。

Encryption API manipulates with byte arrays (not strings). This means you can use SharedPreferences, but you'll need to apply Base-64 encoding on the encrypted byte array before putting it into SharedPreferences (otherwise XML parser will fail to read the shared preferences file). Then to read you will need to use Base-64 decoding. Note that by default most Android OS versions do not have a built in Base-64 API (see UPDATE section). So to remove this Base-64 overhead I would recommend just to store your bytes in a private file.

更新：由于API级别8，原料药有 android.util.Base64

UPDATE: Since API Level 8, the API has android.util.Base64.