Kinvey’s crypto extension for the Android library allows you to apply encryption to user credentials, files, and offline sqlite storage, when they are stored on disk. You can use the provided classes to override default behavior, using encryption whenever anything is stored locally.

The implementation uses AES encryption with Cipher-Block Chaining (CBC) and PKCS5Padding. A unique Initialization Vector (IV) is used for each encryption operation, which is stored along with the encrypted data. Secret keys are stored in Android's Keystore. We also apply the Secure-PRNG fixes recommended by Google.

The crypto extensions are not included as part of the standard Android library download as they are features of our Business (BE) and Enterprise (EE) editions. Please contact your account representative if you have a BE or EE account and would like access to these assets. Alternately, if you do not currently have a BE or EE account but are interested in trialling this functionality, please email sales@kinvey.com.


Encryption is only available on devices running Android Ice Cream Sandwich and higher (4.0+). It is also required that the device's Screen Lock feature is enabled, and a pin, password, or pattern is defined. Encryption will only be performed once these conditions are met, and the screen is unlocked.

Encrypting Credentials

The Android client maintains a user’s credentials on the device after they have logged in successfully. These credentials are automatically loaded when the client is built, and can be used to authenticate requests made against your backend. A user’s password is never stored on the device.

To encrypt and decrypt user credentials, set an AESCredentialStore on the Client.Builder you use to create your Kinvey Client.

import com.kinvey.android.secure.AESCredentialStore;


Client myClient = new Client.Builder(getContext()).setCredentialStore(new AESCredentialStore()).build();

Encrypting Files

File encryption and decryption is accomplished by applying a cipher to an InputStream or an OutputStream. You can use static methods in the class Crypto to automatically get the secured streams when reading or writing files to disk, and can pass these encrypted streams to the library’s File methods.

import com.kinvey.android.secure.Crypto;


OutputStream secure = Crypto.encryptOutput(new FileOutputStream(getFileTarget()));
myClient.file().download(“myFileID”, secure, new DownloadProgressListener(){ … });

The Crypto class also provides a helper method for decrypting Inputstream objects, which can be used on any file that has been previously encrypted with the above method.

import com.kinvey.android.secure.Crypto;


InputStream decrypt = Crypto.decryptInput(new FileInputStream(myEncryptedFie));

Encrypting Offline Storage

The crypto extension uses SqlCipher to secure offline data storage by encrypting the backing SQLite database.

Using the encrypted data store is very similar to the default implementation explained in the Caching and Offline guide, although there are two additional classes provided to replace existing functionality.

When defining your OfflinePolicy and OfflineStore, use the SecureOfflineStore class which will encrypt all data before it is written to the database:

import com.kinvey.android.secure.SecureOfflineStore;


myAppData.setOffline(OfflinePolicy.LOCAL_FIRST, new SecureOfflineStore(getApplicationContext()));

You will also need to define a different sync Service in your manifest so that data can be decrypted before being synced with your backend:


    …  //Activity and other declarations

            android:exported="true" android:process=":backgroundsync" >
            <action android:name="com.kinvey.android.ACTION_OFFLINE_SYNC" />
            <action android:name="android.net.conn.CONNECTIVITY_CHANGE" />
            <action android:name="android.net.wifi.STATE_CHANGE" />
Got a question?