feat(android): Android production setup with Firebase & secure storage #333
Conversation
- Add Firebase SDK (BoM 34.8.0, firebase-messaging) for push notifications - Create PageSpaceSecureStoragePlugin with AES-256-GCM encrypted storage - Register secure storage plugin in MainActivity - Update Gradle plugin to 8.9.1 and compileSdk/targetSdk to 36 - Update google-services plugin to 4.4.4 - Add google-services.json for Firebase project - Configure Google OAuth client ID in capacitor.config.ts Security: Uses Android Keystore-backed master key with hardware security module when available. Same JS interface as iOS PageSpaceKeychainPlugin. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: bfdd9c6bb4
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| } catch (Exception e) { | ||
| // Fallback to regular SharedPreferences if encryption fails | ||
| // This should rarely happen but prevents app crashes | ||
| sharedPreferences = getContext() | ||
| .getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE); |
There was a problem hiding this comment.
When EncryptedSharedPreferences.create(...) throws (e.g., keystore corruption, device policy restrictions, or missing secure hardware), the plugin silently swaps to regular SharedPreferences. In that scenario, callers still use PageSpaceKeychain and will store tokens/credentials unencrypted without any error signal, which defeats the “secure storage” contract and can leak sensitive data on affected devices. Consider rejecting plugin calls or surfacing an initialization error instead of silently persisting plaintext.
Useful? React with 👍 / 👎.
Instead of silently falling back to unencrypted SharedPreferences when EncryptedSharedPreferences fails to initialize (keystore corruption, device policy, missing secure hardware), now explicitly reject all plugin calls with an error message. This prevents silent plaintext credential storage that would defeat the zero-trust security contract. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
|
Warning Rate limit exceeded
⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ✨ Finishing touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Summary
Security
The secure storage plugin uses:
PageSpaceKeychainpluginFiles Changed
android/build.gradleandroid/variables.gradleandroid/app/build.gradlePageSpaceSecureStoragePlugin.javaMainActivity.javacapacitor.config.tsgoogle-services.jsonTest plan
./gradlew assembleDebugpasses🤖 Generated with Claude Code