How to Securely Store Tokens in Auth0 Android Using SecureCredentialsManager
This article describes a security improvement: using the SecureCredentialsManager class instead of CredentialsManager. With CredentialsManager, user access tokens are stored in plaintext in Android SharedPreferences. SecureCredentialsManager automatically encrypts credentials before persisting them, which removes the plaintext exposure.
- Auth0.Android SDK
- Token Storage
- Credentials Management
- Native Android
- CredentialsManager
- SecureCredentialsManager
The CredentialsManager class, when used with the default Android SharedPreferencesStorage, stores user credentials (including Access and Refresh Tokens) in a plaintext XML file within the application's internal storage. This behavior is by design for simplicity in older examples, but it is not suitable for production applications where security is a priority. An attacker with root privileges, or with physical access to an unlocked device, could read this file and compromise the user's account.
The recommended approach is to replace CredentialsManager with SecureCredentialsManager. This class is a drop-in replacement that extends CredentialsManager and automatically handles the encryption and decryption of credentials using the Android Keystore system. This ensures that tokens are always stored securely.
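The swap described above, shown as an added example that is not the article's own code: the plaintext setup is left in as a comment beside the encrypted replacement. It assumes Auth0.Android SDK 2.x package names, and the client ID and domain are placeholders.

```kotlin
import android.content.Context
import com.auth0.android.Auth0
import com.auth0.android.authentication.AuthenticationAPIClient
import com.auth0.android.authentication.storage.CredentialsManagerException
import com.auth0.android.authentication.storage.SecureCredentialsManager
import com.auth0.android.authentication.storage.SharedPreferencesStorage
import com.auth0.android.callback.Callback
import com.auth0.android.result.Credentials

// Hypothetical wrapper class used for illustration; not part of the SDK.
class TokenStore(context: Context) {
    // Placeholder values: replace with the application's own client ID and tenant domain.
    private val account = Auth0("YOUR_CLIENT_ID", "YOUR_TENANT.auth0.com")
    private val apiClient = AuthenticationAPIClient(account)
    private val storage = SharedPreferencesStorage(context)

    // BEFORE: tokens are written as plaintext XML under the app's shared_prefs directory.
    // private val manager = CredentialsManager(apiClient, storage)

    // AFTER: the same storage backend, but credentials are encrypted with a
    // Keystore-backed key before they are persisted and decrypted on read.
    private val manager = SecureCredentialsManager(context, apiClient, storage)

    // Returns true when the credentials were encrypted and persisted. A failure
    // (for example, the Keystore being unavailable) surfaces as a
    // CredentialsManagerException; treat it as a failed save rather than
    // falling back to the plaintext manager.
    fun save(credentials: Credentials): Boolean = try {
        manager.saveCredentials(credentials)
        true
    } catch (e: CredentialsManagerException) {
        false
    }

    // Decrypts the stored credentials and hands back the access token. The SDK
    // refreshes expired credentials on its own when a refresh token is present.
    fun load(onToken: (String) -> Unit, onError: (CredentialsManagerException) -> Unit) {
        if (!manager.hasValidCredentials()) {
            onError(CredentialsManagerException("No stored credentials"))
            return
        }
        manager.getCredentials(object : Callback<Credentials, CredentialsManagerException> {
            override fun onSuccess(result: Credentials) = onToken(result.accessToken)
            override fun onFailure(error: CredentialsManagerException) = onError(error)
        })
    }

    // Removes the encrypted entries on sign-out so no ciphertext lingers on disk.
    fun signOut() = manager.clearCredentials()
}
```

Credentials saved earlier by the plaintext CredentialsManager are not migrated automatically; clear them and re-authenticate the user once after switching, otherwise the old XML entries remain on disk.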