Persistence & Storage
Room with migrations + DataStore + EncryptDecrypt utilities.
Score: 72
Summary
Storage uses Room 2.8.4 with multiple DAOs, DataStore preferences, and an EncryptDecryptUtils abstraction for sensitive data. Schema migrations are tracked under schemas/.
Strengths
PASS
Room with explicit schema export
8+ schema versions under the schemas directory — required for safe migrations.
PASS
DataStore + encryption helper
DataStorePrefManagerImpl + EncryptDecryptUtils.
shared/storage/src/main/java/com/costco/app/storage/EncryptDecryptUtils.kt
Findings
MEDIUM
Encryption library audit
Confirm the encryption primitive used in EncryptDecryptUtils: Tink/Jetpack Security EncryptedSharedPreferences/EncryptedFile are the recommended choices. Hand-rolled AES is risky.
Recommendation: Use Jetpack Security or Tink and pin to AES-GCM with hardware-backed Keystore; document key rotation policy.
MEDIUM
SharedPreferences vs DataStore
Mixed usage of legacy SharedPreferences alongside DataStore can mean inconsistent threading.
Recommendation: Migrate remaining SharedPreferences reads/writes to Preferences DataStore; for typed schemas use Proto DataStore.
LOW
Migration testing
Confirm Room MigrationTestHelper is used for every schema bump.
Recommendation: Make migration tests mandatory in CI; fail the build on missing migration test for a new schema version.
INFO
Backup posture
android:allowBackup=false in the manifest is conservative and correct for a retail app handling membership data.
Costco Android · Code Review Report · Generated 2026-05-07 · 626 machine-curated findings