@capgo/capacitor-updater 6.14.26 → 6.14.33

package/android/src/main/java/ee/forgr/capacitor_updater/{CryptoCipher.java → CryptoCipherV1.java}

@@ -10,6 +10,8 @@ package ee.forgr.capacitor_updater;
  * Created by Awesometic
  * It's encrypt returns Base64 encoded, and also decrypt for Base64 encoded cipher
  * references: http://stackoverflow.com/questions/12471999/rsa-encryption-decryption-in-android
+ *
+ * V1 Encryption - uses privateKey (deprecated but kept for backwards compatibility)
  */
 import android.util.Base64;
 import android.util.Log;
@@ -41,7 +43,13 @@ import javax.crypto.spec.OAEPParameterSpec;
 import javax.crypto.spec.PSource;
 import javax.crypto.spec.SecretKeySpec;
 
-public class CryptoCipher {
+public class CryptoCipherV1 {
+
+    private static Logger logger;
+
+    public static void setLogger(Logger loggerInstance) {
+        logger = loggerInstance;
+    }
 
     public static byte[] decryptRSA(byte[] source, PrivateKey privateKey)
         throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
@@ -145,10 +153,10 @@ public class CryptoCipher {
         throws IOException {
         // (str != null && !str.isEmpty())
         if (privateKey == null || privateKey.isEmpty()) {
-            Log.i(CapacitorUpdater.TAG, "Cannot found privateKey");
+            Log.i("[Capacitor-updater]", "Cannot found privateKey");
             return;
         } else if (ivSessionKey == null || ivSessionKey.isEmpty() || ivSessionKey.split(":").length != 2) {
-            Log.i(CapacitorUpdater.TAG, "Cannot found sessionKey");
+            Log.i("[Capacitor-updater]", "Cannot found sessionKey");
             return;
         }
         try {
@@ -156,9 +164,9 @@ public class CryptoCipher {
             String sessionKeyB64 = ivSessionKey.split(":")[1];
             byte[] iv = Base64.decode(ivB64.getBytes(), Base64.DEFAULT);
             byte[] sessionKey = Base64.decode(sessionKeyB64.getBytes(), Base64.DEFAULT);
-            PrivateKey pKey = CryptoCipher.stringToPrivateKey(privateKey);
-            byte[] decryptedSessionKey = CryptoCipher.decryptRSA(sessionKey, pKey);
-            SecretKey sKey = CryptoCipher.byteToSessionKey(decryptedSessionKey);
+            PrivateKey pKey = CryptoCipherV1.stringToPrivateKey(privateKey);
+            byte[] decryptedSessionKey = CryptoCipherV1.decryptRSA(sessionKey, pKey);
+            SecretKey sKey = CryptoCipherV1.byteToSessionKey(decryptedSessionKey);
             byte[] content = new byte[(int) file.length()];
 
             try (
@@ -168,14 +176,14 @@ public class CryptoCipher {
             ) {
                 dis.readFully(content);
                 dis.close();
-                byte[] decrypted = CryptoCipher.decryptAES(content, sKey, iv);
+                byte[] decrypted = CryptoCipherV1.decryptAES(content, sKey, iv);
                 // write the decrypted string to the file
                 try (final FileOutputStream fos = new FileOutputStream(file.getAbsolutePath())) {
                     fos.write(decrypted);
                 }
             }
         } catch (GeneralSecurityException e) {
-            Log.i(CapacitorUpdater.TAG, "decryptFile fail");
+            Log.i("[Capacitor-updater]", "decryptFile fail");
             e.printStackTrace();
             throw new IOException("GeneralSecurityException");
         }
@@ -193,7 +201,7 @@ public class CryptoCipher {
             }
             return String.format("%08x", crc.getValue());
         } catch (IOException e) {
-            System.err.println(CapacitorUpdater.TAG + " Cannot calc checksum: " + file.getPath() + " " + e.getMessage());
+            System.err.println("[Capacitor-updater]" + " Cannot calc checksum: " + file.getPath() + " " + e.getMessage());
             return "";
         }
     }

package/android/src/main/java/ee/forgr/capacitor_updater/CryptoCipherV2.java

@@ -10,9 +10,10 @@ package ee.forgr.capacitor_updater;
  * Created by Awesometic
  * It's encrypt returns Base64 encoded, and also decrypt for Base64 encoded cipher
  * references: http://stackoverflow.com/questions/12471999/rsa-encryption-decryption-in-android
+ *
+ * V2 Encryption - uses publicKey (modern encryption from main branch)
  */
 import android.util.Base64;
-import android.util.Log;
 import java.io.BufferedInputStream;
 import java.io.DataInputStream;
 import java.io.File;
@@ -38,6 +39,12 @@ import javax.crypto.spec.SecretKeySpec;
 
 public class CryptoCipherV2 {
 
+    private static Logger logger;
+
+    public static void setLogger(Logger loggerInstance) {
+        logger = loggerInstance;
+    }
+
     public static byte[] decryptRSA(byte[] source, PublicKey publicKey)
         throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
         Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
@@ -135,11 +142,11 @@ public class CryptoCipherV2 {
 
     public static void decryptFile(final File file, final String publicKey, final String ivSessionKey) throws IOException {
         if (publicKey.isEmpty() || ivSessionKey == null || ivSessionKey.isEmpty() || ivSessionKey.split(":").length != 2) {
-            Log.i(CapacitorUpdater.TAG, "Cannot found public key or sessionKey");
+            logger.info("Encryption not set, no public key or seesion, ignored");
             return;
         }
         if (!publicKey.startsWith("-----BEGIN RSA PUBLIC KEY-----")) {
-            Log.e(CapacitorUpdater.TAG, "The public key is not a valid RSA Public key");
+            logger.error("The public key is not a valid RSA Public key");
             return;
         }
 
@@ -168,7 +175,7 @@ public class CryptoCipherV2 {
                 }
             }
         } catch (GeneralSecurityException e) {
-            Log.i(CapacitorUpdater.TAG, "decryptFile fail");
+            logger.info("decryptFile fail");
             e.printStackTrace();
             throw new IOException("GeneralSecurityException");
         }
@@ -176,25 +183,7 @@ public class CryptoCipherV2 {
 
     public static String decryptChecksum(String checksum, String publicKey) throws IOException {
         if (publicKey.isEmpty()) {
-            Log.e(CapacitorUpdater.TAG, "The public key is empty");
-            return checksum;
-        }
-        try {
-            byte[] checksumBytes = Base64.decode(checksum, Base64.DEFAULT);
-            PublicKey pKey = CryptoCipherV2.stringToPublicKey(publicKey);
-            byte[] decryptedChecksum = CryptoCipherV2.decryptRSA(checksumBytes, pKey);
-            // return Base64.encodeToString(decryptedChecksum, Base64.DEFAULT);
-            String result = Base64.encodeToString(decryptedChecksum, Base64.DEFAULT);
-            return result.replaceAll("\\s", ""); // Remove all whitespace, including newlines
-        } catch (GeneralSecurityException e) {
-            Log.e(CapacitorUpdater.TAG, "decryptChecksum fail: " + e.getMessage());
-            throw new IOException("Decryption failed: " + e.getMessage());
-        }
-    }
-
-    public static String decryptChecksum(String checksum, String publicKey, String version) throws IOException {
-        if (publicKey.isEmpty()) {
-            Log.e(CapacitorUpdater.TAG, "The public key is empty");
+            logger.error("No encryption set (public key) ignored");
             return checksum;
         }
         try {
@@ -205,7 +194,7 @@ public class CryptoCipherV2 {
             String result = Base64.encodeToString(decryptedChecksum, Base64.DEFAULT);
             return result.replaceAll("\\s", ""); // Remove all whitespace, including newlines
         } catch (GeneralSecurityException e) {
-            Log.e(CapacitorUpdater.TAG, "decryptChecksum fail: " + e.getMessage());
+            logger.error("decryptChecksum fail: " + e.getMessage());
             throw new IOException("Decryption failed: " + e.getMessage());
         }
     }
@@ -216,7 +205,7 @@ public class CryptoCipherV2 {
         try {
             digest = MessageDigest.getInstance("SHA-256");
         } catch (java.security.NoSuchAlgorithmException e) {
-            System.err.println(CapacitorUpdater.TAG + " SHA-256 algorithm not available");
+            logger.error("SHA-256 algorithm not available");
             return "";
         }
 
@@ -235,7 +224,7 @@ public class CryptoCipherV2 {
             }
             return hexString.toString();
         } catch (IOException e) {
-            System.err.println(CapacitorUpdater.TAG + " Cannot calc checksum v2: " + file.getPath() + " " + e.getMessage());
+            logger.error("Cannot calc checksum v2: " + file.getPath() + " " + e.getMessage());
             return "";
         }
     }

package/android/src/main/java/ee/forgr/capacitor_updater/DelayCondition.java

@@ -7,15 +7,12 @@
 package ee.forgr.capacitor_updater;
 
 import androidx.annotation.NonNull;
-import com.google.gson.annotations.SerializedName;
 import java.util.Objects;
 
 public class DelayCondition {
 
-    @SerializedName("kind")
     private DelayUntilNext kind;
 
-    @SerializedName("value")
     private String value;
 
     public DelayCondition(DelayUntilNext kind, String value) {

package/android/src/main/java/ee/forgr/capacitor_updater/DelayUpdateUtils.java

@@ -0,0 +1,260 @@
+package ee.forgr.capacitor_updater;
+
+import android.content.SharedPreferences;
+import io.github.g00fy2.versioncompare.Version;
+import java.text.SimpleDateFormat;
+import java.util.ArrayList;
+import java.util.Date;
+import org.json.JSONArray;
+import org.json.JSONException;
+import org.json.JSONObject;
+
+public class DelayUpdateUtils {
+
+    private final Logger logger;
+
+    public static final String DELAY_CONDITION_PREFERENCES = "DELAY_CONDITION_PREFERENCES_CAPGO";
+    public static final String BACKGROUND_TIMESTAMP_KEY = "BACKGROUND_TIMESTAMP_KEY_CAPGO";
+
+    private final SharedPreferences prefs;
+    private final SharedPreferences.Editor editor;
+    private final Version currentVersionNative;
+
+    public DelayUpdateUtils(SharedPreferences prefs, SharedPreferences.Editor editor, Version currentVersionNative, Logger logger) {
+        this.prefs = prefs;
+        this.editor = editor;
+        this.currentVersionNative = currentVersionNative;
+        this.logger = logger;
+    }
+
+    public enum CancelDelaySource {
+        KILLED,
+        BACKGROUND,
+        FOREGROUND
+    }
+
+    public void checkCancelDelay(CancelDelaySource source) {
+        String delayUpdatePreferences = prefs.getString(DELAY_CONDITION_PREFERENCES, "[]");
+        ArrayList<DelayCondition> delayConditionList = parseDelayConditions(delayUpdatePreferences);
+        ArrayList<DelayCondition> delayConditionListToKeep = new ArrayList<>(delayConditionList.size());
+        int index = 0;
+
+        for (DelayCondition condition : delayConditionList) {
+            DelayUntilNext kind = condition.getKind();
+            String value = condition.getValue();
+            switch (kind) {
+                case background:
+                    if (source == CancelDelaySource.FOREGROUND) {
+                        long backgroundedAt = getBackgroundTimestamp();
+                        long now = System.currentTimeMillis();
+                        long delta = Math.max(0, now - backgroundedAt);
+                        long longValue = 0L;
+                        try {
+                            longValue = Long.parseLong(value);
+                        } catch (NumberFormatException e) {
+                            logger.error(
+                                "Background condition (value: " +
+                                    value +
+                                    ") had an invalid value at index " +
+                                    index +
+                                    ". We will likely remove it."
+                            );
+                        }
+
+                        if (delta > longValue) {
+                            logger.info(
+                                "Background condition (value: " +
+                                    value +
+                                    ") deleted at index " +
+                                    index +
+                                    ". Delta: " +
+                                    delta +
+                                    ", longValue: " +
+                                    longValue
+                            );
+                        }
+                    } else {
+                        delayConditionListToKeep.add(condition);
+                        logger.info(
+                            "Background delay (value: " +
+                                value +
+                                ") condition kept at index " +
+                                index +
+                                " (source: " +
+                                source.toString() +
+                                ")"
+                        );
+                    }
+                    break;
+                case kill:
+                    if (source == CancelDelaySource.KILLED) {
+                        logger.info("Kill delay (value: " + value + ") condition removed at index " + index + " after app kill");
+                    } else {
+                        delayConditionListToKeep.add(condition);
+                        logger.info(
+                            "Kill delay (value: " + value + ") condition kept at index " + index + " (source: " + source.toString() + ")"
+                        );
+                    }
+                    break;
+                case date:
+                    if (!"".equals(value)) {
+                        try {
+                            final SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS");
+                            Date date = sdf.parse(value);
+                            assert date != null;
+                            if (new Date().compareTo(date) > 0) {
+                                logger.info("Date delay (value: " + value + ") condition removed due to expired date at index " + index);
+                            } else {
+                                delayConditionListToKeep.add(condition);
+                                logger.info("Date delay (value: " + value + ") condition kept at index " + index);
+                            }
+                        } catch (final Exception e) {
+                            logger.error(
+                                "Date delay (value: " +
+                                    value +
+                                    ") condition removed due to parsing issue at index " +
+                                    index +
+                                    " " +
+                                    e.getMessage()
+                            );
+                        }
+                    } else {
+                        logger.debug("Date delay (value: " + value + ") condition removed due to empty value at index " + index);
+                    }
+                    break;
+                case nativeVersion:
+                    if (!"".equals(value)) {
+                        try {
+                            final Version versionLimit = new Version(value);
+                            if (this.currentVersionNative.isAtLeast(versionLimit)) {
+                                logger.info(
+                                    "Native version delay (value: " + value + ") condition removed due to above limit at index " + index
+                                );
+                            } else {
+                                delayConditionListToKeep.add(condition);
+                                logger.info("Native version delay (value: " + value + ") condition kept at index " + index);
+                            }
+                        } catch (final Exception e) {
+                            logger.error(
+                                "Native version delay (value: " +
+                                    value +
+                                    ") condition removed due to parsing issue at index " +
+                                    index +
+                                    " " +
+                                    e.getMessage()
+                            );
+                        }
+                    } else {
+                        logger.debug("Native version delay (value: " + value + ") condition removed due to empty value at index " + index);
+                    }
+                    break;
+            }
+            index++;
+        }
+
+        if (delayConditionListToKeep.isEmpty()) {
+            this.cancelDelay("checkCancelDelay");
+        } else {
+            this.setMultiDelay(convertDelayConditionsToJson(delayConditionListToKeep));
+        }
+    }
+
+    public ArrayList<DelayCondition> parseDelayConditions(String json) {
+        ArrayList<DelayCondition> conditions = new ArrayList<>();
+        if (json == null || json.isEmpty()) {
+            return conditions;
+        }
+        try {
+            JSONArray array = new JSONArray(json);
+            for (int i = 0; i < array.length(); i++) {
+                JSONObject item = array.optJSONObject(i);
+                if (item == null) {
+                    continue;
+                }
+                String kindValue = item.optString("kind", "");
+                String value = item.optString("value", "");
+                if (kindValue.isEmpty()) {
+                    logger.warn("Delay condition missing kind at index " + i);
+                    continue;
+                }
+                try {
+                    DelayUntilNext kind = DelayUntilNext.valueOf(kindValue);
+                    conditions.add(new DelayCondition(kind, value));
+                } catch (IllegalArgumentException e) {
+                    logger.warn("Unknown delay condition kind '" + kindValue + "' at index " + i);
+                }
+            }
+        } catch (JSONException e) {
+            logger.error("Failed to parse delay conditions: " + e.getMessage());
+        }
+        return conditions;
+    }
+
+    private String convertDelayConditionsToJson(ArrayList<DelayCondition> conditions) {
+        JSONArray array = new JSONArray();
+        for (DelayCondition condition : conditions) {
+            try {
+                JSONObject obj = new JSONObject();
+                obj.put("kind", condition.getKind().name());
+                obj.put("value", condition.getValue());
+                array.put(obj);
+            } catch (JSONException e) {
+                logger.error("Failed to serialize delay condition: " + e.getMessage());
+            }
+        }
+        return array.toString();
+    }
+
+    public Boolean setMultiDelay(String delayConditions) {
+        try {
+            this.editor.putString(DELAY_CONDITION_PREFERENCES, delayConditions);
+            this.editor.commit();
+            logger.info("Delay update saved");
+            return true;
+        } catch (final Exception e) {
+            logger.error("Failed to delay update, [Error calling '_setMultiDelay()'] " + e.getMessage());
+            return false;
+        }
+    }
+
+    public void setBackgroundTimestamp(long backgroundTimestamp) {
+        try {
+            this.editor.putLong(BACKGROUND_TIMESTAMP_KEY, backgroundTimestamp);
+            this.editor.commit();
+            logger.info("Background timestamp set");
+        } catch (final Exception e) {
+            logger.error("Failed to delay update, [Error calling '_setBackgroundTimestamp()'] " + e.getMessage());
+        }
+    }
+
+    public void unsetBackgroundTimestamp() {
+        try {
+            this.editor.remove(BACKGROUND_TIMESTAMP_KEY);
+            this.editor.commit();
+            logger.info("Background timestamp unset");
+        } catch (final Exception e) {
+            logger.error("Failed to delay update, [Error calling '_unsetBackgroundTimestamp()'] " + e.getMessage());
+        }
+    }
+
+    private long getBackgroundTimestamp() {
+        try {
+            return this.prefs.getLong(BACKGROUND_TIMESTAMP_KEY, 0);
+        } catch (final Exception e) {
+            logger.error("Failed to delay update, [Error calling '_getBackgroundTimestamp()'] " + e.getMessage());
+            return 0;
+        }
+    }
+
+    public boolean cancelDelay(String source) {
+        try {
+            this.editor.remove(DELAY_CONDITION_PREFERENCES);
+            this.editor.commit();
+            logger.info("All delays canceled from " + source);
+            return true;
+        } catch (final Exception e) {
+            logger.error("Failed to cancel update delay " + e.getMessage());
+            return false;
+        }
+    }
+}

package/android/src/main/java/ee/forgr/capacitor_updater/DeviceIdHelper.java

@@ -0,0 +1,221 @@
+/*
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+package ee.forgr.capacitor_updater;
+
+import android.content.Context;
+import android.content.SharedPreferences;
+import android.os.Build;
+import android.security.keystore.KeyGenParameterSpec;
+import android.security.keystore.KeyProperties;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.UnrecoverableEntryException;
+import java.security.cert.CertificateException;
+import java.util.UUID;
+import javax.crypto.Cipher;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.GCMParameterSpec;
+
+/**
+ * Helper class to manage device ID persistence across app installations.
+ * Uses Android Keystore to persist the device ID across reinstalls.
+ *
+ * The device ID is a random UUID stored in the Android Keystore, which persists
+ * even after app uninstall/reinstall on Android 6.0+ (API 23+).
+ */
+public class DeviceIdHelper {
+
+    private static final String KEYSTORE_ALIAS = "capgo_device_id_key";
+    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";
+    private static final String LEGACY_PREFS_KEY = "appUUID";
+    private static final String DEVICE_ID_PREFS = "capgo_device_id";
+    private static final String DEVICE_ID_KEY = "deviceId";
+    private static final String IV_KEY = "iv";
+    private static final int GCM_TAG_LENGTH = 128;
+
+    /**
+     * Gets or creates a device ID that persists across reinstalls.
+     *
+     * This method:
+     * 1. First checks for an existing ID in Keystore-encrypted storage (persists across reinstalls)
+     * 2. Falls back to legacy SharedPreferences (for migration)
+     * 3. Generates a new UUID if neither exists
+     * 4. Stores the ID in Keystore-encrypted storage for future use
+     *
+     * @param context Application context
+     * @param legacyPrefs Legacy SharedPreferences (for migration)
+     * @return Device ID as a lowercase UUID string
+     */
+    public static String getOrCreateDeviceId(Context context, SharedPreferences legacyPrefs) {
+        // API 23+ required for Android Keystore
+        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) {
+            return getFallbackDeviceId(legacyPrefs);
+        }
+
+        try {
+            // Try to get device ID from Keystore storage
+            String deviceId = getDeviceIdFromKeystore(context);
+
+            if (deviceId != null && !deviceId.isEmpty()) {
+                return deviceId.toLowerCase();
+            }
+
+            // Migration: Check legacy SharedPreferences for existing device ID
+            deviceId = legacyPrefs.getString(LEGACY_PREFS_KEY, null);
+
+            if (deviceId == null || deviceId.isEmpty()) {
+                // Generate new device ID if none exists
+                deviceId = UUID.randomUUID().toString();
+            }
+
+            // Ensure lowercase for consistency
+            deviceId = deviceId.toLowerCase();
+
+            // Save to Keystore storage
+            saveDeviceIdToKeystore(context, deviceId);
+
+            return deviceId;
+        } catch (Exception e) {
+            // Fallback to legacy method if Keystore fails
+            return getFallbackDeviceId(legacyPrefs);
+        }
+    }
+
+    /**
+     * Retrieves the device ID from Keystore-encrypted storage.
+     *
+     * @param context Application context
+     * @return Device ID string or null if not found
+     */
+    private static String getDeviceIdFromKeystore(Context context) throws Exception {
+        SharedPreferences prefs = context.getSharedPreferences(DEVICE_ID_PREFS, Context.MODE_PRIVATE);
+        String encryptedDeviceId = prefs.getString(DEVICE_ID_KEY, null);
+        String ivString = prefs.getString(IV_KEY, null);
+
+        if (encryptedDeviceId == null || ivString == null) {
+            return null;
+        }
+
+        // Get the encryption key from Keystore
+        SecretKey key = getOrCreateKey();
+        if (key == null) {
+            return null;
+        }
+
+        // Decrypt the device ID
+        byte[] encryptedBytes = android.util.Base64.decode(encryptedDeviceId, android.util.Base64.DEFAULT);
+        byte[] iv = android.util.Base64.decode(ivString, android.util.Base64.DEFAULT);
+
+        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
+        GCMParameterSpec spec = new GCMParameterSpec(GCM_TAG_LENGTH, iv);
+        cipher.init(Cipher.DECRYPT_MODE, key, spec);
+
+        byte[] decryptedBytes = cipher.doFinal(encryptedBytes);
+        return new String(decryptedBytes, StandardCharsets.UTF_8);
+    }
+
+    /**
+     * Saves the device ID to Keystore-encrypted storage.
+     *
+     * The device ID is encrypted using AES/GCM with a key stored in Android Keystore.
+     * The Keystore key persists across reinstalls on Android 6.0+ (API 23+).
+     *
+     * @param context Application context
+     * @param deviceId The device ID to save
+     */
+    private static void saveDeviceIdToKeystore(Context context, String deviceId) throws Exception {
+        // Get or create encryption key in Keystore
+        SecretKey key = getOrCreateKey();
+        if (key == null) {
+            throw new Exception("Failed to get encryption key");
+        }
+
+        // Encrypt the device ID
+        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
+        cipher.init(Cipher.ENCRYPT_MODE, key);
+
+        byte[] iv = cipher.getIV();
+        byte[] encryptedBytes = cipher.doFinal(deviceId.getBytes(StandardCharsets.UTF_8));
+
+        // Store encrypted device ID and IV in SharedPreferences
+        SharedPreferences prefs = context.getSharedPreferences(DEVICE_ID_PREFS, Context.MODE_PRIVATE);
+        prefs
+            .edit()
+            .putString(DEVICE_ID_KEY, android.util.Base64.encodeToString(encryptedBytes, android.util.Base64.DEFAULT))
+            .putString(IV_KEY, android.util.Base64.encodeToString(iv, android.util.Base64.DEFAULT))
+            .apply();
+    }
+
+    /**
+     * Gets or creates the encryption key in Android Keystore.
+     *
+     * The key is configured to persist across reinstalls and not require user authentication.
+     *
+     * @return SecretKey from Keystore or null if failed
+     */
+    private static SecretKey getOrCreateKey() {
+        try {
+            KeyStore keyStore = KeyStore.getInstance(ANDROID_KEYSTORE);
+            keyStore.load(null);
+
+            // Check if key already exists
+            if (keyStore.containsAlias(KEYSTORE_ALIAS)) {
+                KeyStore.SecretKeyEntry entry = (KeyStore.SecretKeyEntry) keyStore.getEntry(KEYSTORE_ALIAS, null);
+                return entry.getSecretKey();
+            }
+
+            // Create new key
+            KeyGenerator keyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE);
+
+            KeyGenParameterSpec keySpec = new KeyGenParameterSpec.Builder(
+                KEYSTORE_ALIAS,
+                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT
+            )
+                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
+                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
+                .setKeySize(256)
+                .setRandomizedEncryptionRequired(true)
+                .build();
+
+            keyGenerator.init(keySpec);
+            return keyGenerator.generateKey();
+        } catch (
+            KeyStoreException
+            | CertificateException
+            | NoSuchAlgorithmException
+            | IOException
+            | NoSuchProviderException
+            | UnrecoverableEntryException e
+        ) {
+            return null;
+        } catch (Exception e) {
+            return null;
+        }
+    }
+
+    /**
+     * Fallback method using legacy SharedPreferences if Keystore fails or API < 23.
+     *
+     * @param legacyPrefs Legacy SharedPreferences
+     * @return Device ID string
+     */
+    private static String getFallbackDeviceId(SharedPreferences legacyPrefs) {
+        String deviceId = legacyPrefs.getString(LEGACY_PREFS_KEY, null);
+
+        if (deviceId == null || deviceId.isEmpty()) {
+            deviceId = UUID.randomUUID().toString();
+            legacyPrefs.edit().putString(LEGACY_PREFS_KEY, deviceId).apply();
+        }
+
+        return deviceId.toLowerCase();
+    }
+}