Secure Storage

Tokens, credentials, and any sensitive data MUST use platform secure storage. Never store secrets in plaintext configuration files, app settings, or unencrypted preference stores.

Swift

Use Keychain Services for tokens, credentials, and any sensitive data. Never store secrets in UserDefaults or plists.

Kotlin

Use EncryptedSharedPreferences or the Android Keystore for tokens, credentials, and sensitive data. Never store secrets in plain SharedPreferences.

C#

  • Use DPAPI (ProtectedData.Protect/Unprotect with DataProtectionScope.CurrentUser) for Windows-only local secrets
  • Use User Secrets (Microsoft.Extensions.Configuration.UserSecrets) for development-time secrets only (plaintext JSON — not for production)
  • Never store tokens or credentials in plaintext config files or app settings
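
A DPAPI-backed token store following the first C# bullet, added here as an illustration and not part of the original guideline. The `DpapiTokenStore` name, the `ExampleApp` directory and the entropy label are assumptions; on modern .NET the `ProtectedData` type comes from the `System.Security.Cryptography.ProtectedData` package.

```csharp
using System;
using System.IO;
using System.Runtime.Versioning;
using System.Security.Cryptography;
using System.Text;

// Added example: one DPAPI-encrypted file per secret, readable only by the current Windows user.
[SupportedOSPlatform("windows")]
public static class DpapiTokenStore
{
    // Hypothetical per-user location; pick your own application folder.
    private static readonly string StoreDir = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
        "ExampleApp", "secrets");

    // Optional entropy is not a secret; it only separates this app's blobs from other apps' blobs.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("ExampleApp.TokenStore.v1");

    public static void Save(string name, string token)
    {
        byte[] plaintext = Encoding.UTF8.GetBytes(token);
        try
        {
            byte[] blob = ProtectedData.Protect(plaintext, Entropy, DataProtectionScope.CurrentUser);
            Directory.CreateDirectory(StoreDir);
            File.WriteAllBytes(PathFor(name), blob);   // only ciphertext reaches disk
        }
        finally { CryptographicOperations.ZeroMemory(plaintext); }
    }

    public static string? Load(string name)
    {
        string path = PathFor(name);
        if (!File.Exists(path)) return null;
        try
        {
            byte[] plaintext = ProtectedData.Unprotect(
                File.ReadAllBytes(path), Entropy, DataProtectionScope.CurrentUser);
            try { return Encoding.UTF8.GetString(plaintext); }
            finally { CryptographicOperations.ZeroMemory(plaintext); }
        }
        catch (CryptographicException)
        {
            return null;   // blob modified, or written under another user or machine
        }
    }

    // Path.GetFileName drops directory components so a name cannot escape StoreDir.
    private static string PathFor(string name) =>
        Path.Combine(StoreDir, Path.GetFileName(name) + ".bin");
}
```

A `null` from `Load` should be treated as "re-authenticate", since a CurrentUser blob cannot be decrypted after the file is copied to another account or machine.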

version: 1.0.0
platforms: kotlin, swift, windows
tags: secure-storage, security
author: Mike Fullerton
modified: 2026-03-27

Change History

Version  Date        Author          Summary
1.0.0    2026-03-27  Mike Fullerton  Initial creation