SecureStorage

Register the secure-storage tool suite to read and mutate encrypted storage values under explicit key allow-lists.

Warning: Every tool in this suite is Critical because it can expose or mutate secrets. Keep the allow-list narrow and only enable this suite when you explicitly need secure-storage inspection or repair. Never distribute these tools in a release build.

Install

dotnet add package Ansight.Tools.SecureStorage

Register the Suite

using Ansight;
using Ansight.Tools.SecureStorage;

var options = Options.CreateBuilder()
    .WithSecureStorageTools(secure =>
    {
        secure.WithStorageIdentifier("MyApp");
        secure.AllowKeys("session_token", "refresh_token");
    })
    .WithReadWriteToolAccess()
    .Build();

WithReadWriteToolAccess() enables secure.get_value and secure.set_value. secure.remove_key remains blocked until you use WithAllToolAccess() or a custom ToolGuard.

Registration API

  • WithSecureStorageTools(): registers the suite with no key access until you allow-list keys.
  • WithSecureStorageTools(secure => ...): configures storage selection and key allow-lists.
  • WithStorageIdentifier(...): sets both the Android encrypted-preferences name and the Apple Keychain service together.
  • WithAndroidStore(...): override the Android encrypted-preferences name.
  • WithAppleService(...): override the Apple Keychain service.
  • AllowKey(...) / AllowKeys(...): allow specific keys.
  • AllowKeyPrefix(...) / AllowKeyPrefixes(...): allow groups of keys by prefix.

Specific Concerns

  • This suite is deny-all by default.
  • You must explicitly allow keys or key prefixes.
  • Values may contain credentials, tokens, or other secrets.
  • secure.remove_key is delete-scoped and stays blocked unless you use WithAllToolAccess() or a custom ToolGuard.
  • On Android, the package pulls in AndroidX Security Crypto support.

Available registration constraints:

  • WithStorageIdentifier(...)
  • WithAndroidStore(...)
  • WithAppleService(...)
  • AllowKey(...) / AllowKeys(...)
  • AllowKeyPrefix(...) / AllowKeyPrefixes(...)

WithStorageIdentifier(...) sets both the Android encrypted-preferences name and the Apple Keychain service unless you override them separately.
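
The following is an added example, not taken from the Ansight documentation, showing one way to follow the warning at the top of this page: the suite is registered only in Debug builds, with per-platform store overrides and a narrow allow-list. The store names, the diag_ prefix, and the assumption that each builder call returns the same builder type are illustrative.

```csharp
using Ansight;
#if DEBUG
using Ansight.Tools.SecureStorage;
#endif

// Assumption: each fluent call returns the same builder type, so the
// builder can be reassigned inside a conditional block.
var builder = Options.CreateBuilder();

#if DEBUG
// Debug builds only: this registration is not compiled into Release.
// Pair it with a Debug-only condition on the package reference so the
// assembly itself is absent from release output.
builder = builder
    .WithSecureStorageTools(secure =>
    {
        // Hypothetical store names; override per platform only when they differ.
        secure.WithAndroidStore("myapp.debug.prefs");
        secure.WithAppleService("com.example.myapp.debug");

        // Deny-all by default: only the entries below become reachable.
        secure.AllowKey("session_token");
        secure.AllowKeyPrefix("diag_"); // hypothetical prefix for diagnostics-only keys
    })
    // Enables secure.get_value and secure.set_value; secure.remove_key stays blocked.
    .WithReadWriteToolAccess();
#endif

var options = builder.Build();
```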

Tool Matrix

| Name | Id | Scope | Description | Security |
| --- | --- | --- | --- | --- |
| Get Secure Storage Value | secure.get_value | Read | Reads a decrypted value from the configured secure storage backend. | Critical |
| Set Secure Storage Value | secure.set_value | Write | Writes a value into the configured secure storage backend. | Critical |
| Remove Secure Storage Key | secure.remove_key | Delete | Deletes a value from the configured secure storage backend. | Critical |

Get Secure Storage Value

Arguments:

  • key: required secure-storage key

Returns:

  • store
  • key
  • exists
  • value
  • capturedAtUtc

Example:

{
  "toolId": "secure.get_value",
  "arguments": {
    "key": "session_token"
  }
}

Set Secure Storage Value

Arguments:

  • key: required secure-storage key
  • value: required secure-storage value

Returns:

  • store
  • key
  • updated
  • capturedAtUtc

Example:

{
  "toolId": "secure.set_value",
  "arguments": {
    "key": "session_token",
    "value": "redacted-token"
  }
}

Remove Secure Storage Key

Arguments:

  • key: required secure-storage key

Returns:

  • store
  • key
  • removed
  • capturedAtUtc

Example:

{
  "toolId": "secure.remove_key",
  "arguments": {
    "key": "session_token"
  }
}