AndroidOptions

Specific options for Android platform for secure storage.

Provides configurable options for encryption, key wrapping, biometric enforcement, and shared preferences naming.

Properties

• biometric_prompt_subtitle - Subtitle displayed in the biometric authentication prompt.
• biometric_prompt_title - Title displayed in the biometric authentication prompt.
• enforce_biometrics - Whether to enforce biometric or PIN authentication.
• key_cipher_algorithm - Algorithm used to encrypt the secret key.
• migrate_on_algorithm_change - When the encryption algorithm changes, automatically migrate existing data to the new algorithm.
• preferences_key_prefix - Prefix for shared preference keys.
• reset_on_error - When an error is detected, automatically reset all data to prevent fatal errors with unknown keys.
• shared_preferences_name - The name of the shared preferences database to use.
• storage_cipher_algorithm - Algorithm used to encrypt stored data.

Properties

buildbiometric_prompt_subtitleclass-attributeinstance-attribute

biometric_prompt_subtitle: str = 'Use biometrics or device credentials'

Subtitle displayed in the biometric authentication prompt.

buildbiometric_prompt_titleclass-attributeinstance-attribute

biometric_prompt_title: str = 'Authenticate to access'

Title displayed in the biometric authentication prompt.

buildenforce_biometricsclass-attributeinstance-attribute

enforce_biometrics: bool = False

Whether to enforce biometric or PIN authentication.

When True:

• The plugin throws an exception if no biometric/PIN is enrolled.
• The encryption key is generated with authentication required.

When False:

• The plugin gracefully degrades if biometrics are unavailable.
• The key is generated without authentication required.

buildkey_cipher_algorithmclass-attributeinstance-attribute

key_cipher_algorithm: KeyCipherAlgorithm = KeyCipherAlgorithm.RSA_ECB_OAEP_WITH_SHA256_AND_MGF1_PADDING

Algorithm used to encrypt the secret key.

Legacy RSA/ECB/PKCS1Padding is available for backwards compatibility.

buildmigrate_on_algorithm_changeclass-attributeinstance-attribute

migrate_on_algorithm_change: bool = True

When the encryption algorithm changes, automatically migrate existing data to the new algorithm. Preserves data across algorithm upgrades.

If False, data may be lost when algorithm changes unless reset_on_error is True.

buildpreferences_key_prefixclass-attributeinstance-attribute

preferences_key_prefix: Optional[str] = None

Prefix for shared preference keys. Ensures keys are unique to your app.

An underscore (_) is added automatically.

Changing this prevents access to existing preferences.

buildreset_on_errorclass-attributeinstance-attribute

reset_on_error: bool = True

When an error is detected, automatically reset all data to prevent fatal errors with unknown keys.

Be aware that data is PERMANENTLY erased when this occurs.

buildshared_preferences_nameclass-attributeinstance-attribute

shared_preferences_name: Optional[str] = None

The name of the shared preferences database to use.

Changing this will prevent access to already saved preferences.

buildstorage_cipher_algorithmclass-attributeinstance-attribute

storage_cipher_algorithm: StorageCipherAlgorithm = StorageCipherAlgorithm.AES_GCM_NO_PADDING

Algorithm used to encrypt stored data.

Legacy AES/CBC/PKCS7Padding is available for backwards compatibility.

Disabling Auto Backup

By default Android backups data on Google Drive. It can cause exception java.security.InvalidKeyException: Failed to unwrap key. You need to:

• Disable autobackup, details
• Exclude sharedprefs used by SecureStorage

Add the following to your pyproject.toml:

[tool.flet.android.manifest_application]
"allowBackup" = "false"
"fullBackupContent" = "false"

Encryption Options

Default

AndroidOptions()

• Key Cipher: RSA/ECB/OAEPWithSHA-256AndMGF1Padding
• Storage Cipher: AES/GCM/NoPadding
• Biometric Support: No
• Description: Standard secure storage with RSA OAEP key wrapping. Strong authenticated encryption without biometrics. Recommended for most use cases.

Optional Biometrics

AndroidOptions(
    enforce_biometrics=False,
    key_cipher_algorithm=KeyCipherAlgorithm.AES_GCM_NO_PADDING,
)

• Key Cipher: AES/GCM/NoPadding
• Storage Cipher: AES/GCM/NoPadding
• Biometric Support: Optional
• Description: KeyStore-based with optional biometric authentication. Gracefully degrades if biometrics unavailable.

Required Biometrics

AndroidOptions(
    enforce_biometrics=True,
    key_cipher_algorithm=KeyCipherAlgorithm.AES_GCM_NO_PADDING,
)

• Key Cipher: AES/GCM/NoPadding
• Storage Cipher: AES/GCM/NoPadding
• Biometric Support: Required (API 28+)
• Description: KeyStore-based requiring biometric/PIN authentication. Throws error if device security not available.

Custom Cipher Combinations

For advanced users, all combinations below are supported using the AndroidOptions() constructor with custom parameters:

Key Cipher Algorithm	Storage Cipher Algorithm	Implementation	Biometric Support
RSA_ECB_PKCS1_PADDING	AES_CBC_PKCS7_PADDING	RSA-wrapped AES	No
RSA_ECB_PKCS1_PADDING	AES_GCM_NO_PADDING	RSA-wrapped AES	No
RSA_ECB_OAEP_WITH_SHA256_AND_MGF1_PADDING	AES_CBC_PKCS7_PADDING	RSA-wrapped AES	No
RSA_ECB_OAEP_WITH_SHA256_AND_MGF1_PADDING	AES_GCM_NO_PADDING	RSA-wrapped AES	No
AES_GCM_NO_PADDING	AES_CBC_PKCS7_PADDING	KeyStore AES	Optional (via enforce_biometrics)
AES_GCM_NO_PADDING	AES_GCM_NO_PADDING	KeyStore AES	Optional (via enforce_biometrics)

Biometric Authentication

Secure Storage supports biometric authentication (fingerprint, face recognition, etc.) on Android API 23+.

Required Permissions

To use biometric authentication on Android, you need to grant the necessary permissions (USE_BIOMETRIC and optionally USE_FINGERPRINT) in your project.

For configure permissions in your pyproject.toml or when building the app using flet build.

See the official Flet documentation for details: Android Permissions in Flet

Example configuration in pyproject.toml:

[tool.flet.android.permission]
"android.permission.USE_BIOMETRIC" = true
"android.permission.USE_FINGERPRINT" = true

You can also pass permissions when building your Android app:

flet build \
  --android-permissions android.permission.USE_BIOMETRIC=True \
  android.permission.USE_FINGERPRINT=True

This ensures that biometric authentication works correctly on all supported Android devices.

Using Biometric Authentication

You can enable biometric authentication:

# Optional biometric authentication (graceful degradation)
storage = SecureStorage(
  android_options=AndroidOptions(
    enforce_biometrics=False, # Default - works without biometrics
    biometric_prompt_title='Unlock to access your data',
    biometric_prompt_subtitle='Use fingerprint or face unlock',
  ),
)

# Strict biometric enforcement (requires device security)
storage = SecureStorage(
  android_options=AndroidOptions(
    enforce_biometrics=True, # Requires biometric/PIN/pattern
    biometric_prompt_title: 'Biometric authentication required',
  ),
)

Requirements

• API Level: Android 6.0 (API 23) minimum for basic encryption
• API Level: Android 9.0 (API 28) minimum for enforced biometric authentication
• Device Security: Device must have a PIN, pattern, password, or biometric enrolled (when using enforce_biometrics = True)
• Permissions: USE_BIOMETRIC permission in pyproject.toml