How secure are SQLite and SharedPreferences files on Android?

Question

First, a bit of my background. I have been working on large web systems for over a decade, Android is something I have been looking at for the past two months; as you can imagine, the gap is quite wide :)

Looking at Android's Security and Permissions and Data Storage part of documentation, talking directly to developers, reading books and tutorials, it is pretty clear how entire model works. However, I was unable to find an answer whether SQLite and SharedPreferences files are secure enough to store delicate non-encrypted information (for example, OAuth tokens). Is it possible for someone to grab them in any way? Quoting Android's documentation:

Any data stored by an application will be assigned that application's user ID, and not normally accessible to other packages.

It's the not normally accessible part giving me additional grey hair :)

Thank you, helpful answers are appreciated :)

Answer 1

Well, there is a bunch of SharedPreferences editor apps on the market, so they're definitely not secure. Also on rooted devices database can pull off easily, since user have full access to the phones filesystem. Hence, if you want your app be totally secured, encrypt your data.

Answer 2

Is it possible for someone to grab them in any way?

That depends on the someone. As Mr. Burov indicates, users of rooted phones can get at whatever they want. Ordinary users and other applications can't, by default.

It's the not normally accessible part giving me additional grey hair :)

By default, files are secure. You can make them world-readable or world-writable if you choose.

Wouldn't it be possible to decompile apk file and find encryption key as well in that case?

That depends on who you are defending against. If you are defending against other apps, have the user supply the encryption key. If you are defending against the user, you're screwed, just as all implementations of DRM are screwed.