
Crypto Security and Android Development: Building an Offline Secrets Manager with Kivy

I built a secure, offline secrets manager for Android using Kivy and Buildozer, avoiding Java/Kotlin while ensuring strong encryption. Inspired by Piggydb, I designed the app to let users encrypt and export their data securely, making it portable across devices. Along the way, I tackled challenges like third-party package compatibility, encryption implementation, and database selection to create a reliable and privacy-focused solution.

Building My First Android App: A Secure Offline Secrets Manager

When I first started getting into cryptocurrency, one thing became abundantly clear: securely storing seed phrases and private keys is absolutely critical. But keeping them in plaintext was simply too risky. I needed a way to encrypt my sensitive data, which led me down a rabbit hole of learning about encryption and database management on Android. Since I already knew Python and didn't want to deal with the complexity of Java or Kotlin, I decided to build my first Android app using Kivy.

Why Kivy and Buildozer?

I had never built an Android app before, and jumping into Java or Kotlin seemed like overkill for what I needed. Kivy, a Python-based framework for cross-platform applications, was a perfect fit. The only tricky part was compiling the app into an APK. I used a Docker image that contained the Buildozer environment, which made the process incredibly smooth. If you're interested, you can read more about that setup here.

Security Philosophy

I was inspired by a project called Piggydb, a note-taking application that allows users to export a portable database in a .pig file. The Piggydb UI lets users import the exported database, making it very useful across devices.

I wanted a similar approach for my application. My goal was to have users enter their encryption key and store their secrets securely, with the ability to export them to the Android filesystem for safekeeping. Additionally, users should be able to import the same encrypted database with the correct encryption key to retrieve their saved data.

App Overview: Secure Offline Secrets Manager

This app is a secure, encrypted, and offline secrets manager designed to store sensitive information like cryptocurrency keys, passwords, and private notes.

Key Features

  • PIN Protection – A numeric PIN (default 1984) that is set in the source before compilation; since it is compiled into the APK, it gates the UI rather than protecting the data, which depends on the encryption key
  • Fernet Encryption – All stored data is encrypted with Fernet, which internally is AES-128-CBC with PKCS7 padding plus an HMAC-SHA256 tag over every token, so a wrong key or a tampered record is rejected rather than decrypted to garbage
  • Portable Database – Encrypted databases can be exported to the Android filesystem and imported on another device
  • Secure Clipboard Operations – The clipboard is cleared after a copy so plaintext does not linger
  • User-Friendly Interface – Simple add, remove, and export/import functionality

How It Works

  1. Launch the app – Enter the PIN (1984 by default, customizable before compilation).
  2. Set your encryption key – The app prompts you for the encryption key; it is never written to disk, and nothing stored can be decrypted without it.
  3. Use the main interface:
     • Add a new entry (encrypted before storage)
     • Export the encrypted database
     • Import an existing encrypted database
     • Copy or delete individual entries

The Technical Challenges

1. Implementing Encryption Securely

Since security was the primary goal, I dove deep into encryption. I settled on Fernet, which is not a separate cipher but a recipe: AES-128 in CBC mode with PKCS7 padding, a random 16-byte IV per token, and an HMAC-SHA256 tag over the version byte, timestamp, IV and ciphertext. The 32-byte Fernet key is really two keys, one half for signing and one half for encryption, and the MAC is checked before anything is decrypted. When a user enters their encryption key, it's used to encrypt every entry before it is saved to the database, so even if the file is accessed outside the app, the data remains unreadable without the key, and any modification of the file is detected. One caveat worth knowing: Fernet expects 32 random key bytes, so a human-typed secret should be stretched with a salted key derivation function (PBKDF2, scrypt or Argon2) rather than used directly, with the salt stored in clear beside the data.

2. Choosing the Right Database Format

I needed a simple and efficient data storage system, similar to CSV or a key-value store. My initial choice was Python's shelve module, but I ran into compatibility issues on ARM devices: shelve delegates to whichever dbm backend the interpreter was built with, and the pure-Python fallback, dbm.dumb, writes one store as several files (.dat, .dir, .bak), so the on-disk layout depends on the build and is awkward to export as a single file. Instead, I found pysos, a pure-Python single-file key-value store that behaves similarly but works consistently across different architectures, including ARM.

3. Dealing with Third-Party Package Compatibility

Getting third-party packages to work with Kivy and Buildozer was hit or miss. This is because of how the toolchain works under the hood: Buildozer drives python-for-android, which cross-compiles a CPython interpreter for the target ABI and bundles your Python code and dependencies with it. Pure-Python packages just get copied in, but packages with compiled extensions, like numpy and pandas, need a dedicated build recipe and a working cross-compiler toolchain, and those recipes are the part that is notoriously fragile.

This issue also affects the cryptography library, which wraps OpenSSL (and, in recent releases, Rust) bindings that must be cross-compiled for the phone. Fortunately, I found a package by Oz Tiram called python-fernet, which provides a pure Python implementation of Fernet. This package relies on pyaes, a lightweight AES implementation written entirely in Python by Richard Moore. Because both are pure Python, they bundle into the APK without any native build step. The trade-off is that pure-Python AES is slow and is not hardened against timing side channels, which is acceptable for a handful of small entries on a device you control, but not something to reuse for high-volume or server-side encryption.

4. Ensuring Data Security

To maintain a high level of security:

  • The encryption key is never stored – Users must enter it every time they access their data; it lives only in memory for the session.
  • No plaintext storage – Entries are encrypted before they hit the database, and exported databases are the same Fernet tokens, so an export is never less protected than the live store.
  • The app clears the clipboard automatically – To prevent sensitive data from lingering in the system clipboard, where any other app can read it.
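To make the two points above concrete (how Fernet wraps AES-CBC in a MAC, and how a key that is never stored is recomputed from a passphrase on every unlock), here is an added example in standard-library Python. It is not the app's own code or python-fernet's: it derives the 32-byte Fernet key with PBKDF2 from a passphrase and a per-database salt, splits it into the signing and encryption halves, builds and verifies tokens in the layout the Fernet spec defines, and packs the salt beside the tokens for export. The AES-CBC step itself is left to pyaes or cryptography; the sample ciphertext, the iteration count and the export layout are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import List, Optional, Tuple

# Fernet token layout (from the Fernet spec, which python-fernet and the
# cryptography library both implement):
#   0x80 | 64-bit big-endian timestamp | 16-byte IV | AES-128-CBC ciphertext | HMAC-SHA256
# The 32-byte Fernet key is two keys: bytes 0..15 sign, bytes 16..31 encrypt.
# The AES-CBC step is not shown; pyaes (or cryptography) supplies it.

PBKDF2_ROUNDS = 600_000   # assumption: a current-era iteration count for PBKDF2-HMAC-SHA256
SALT_LEN = 16
MAX_CLOCK_SKEW = 60       # seconds, as in the Fernet spec


def new_salt() -> bytes:
    """Per-database random salt; stored in clear beside the export, it is not secret."""
    return os.urandom(SALT_LEN)


def derive_fernet_key(passphrase: str, salt: bytes, rounds: int = PBKDF2_ROUNDS) -> bytes:
    """Stretch a human-entered passphrase into the 32 raw key bytes Fernet needs.
    Nothing derived here is written to disk: the app recomputes it on every unlock."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, rounds, dklen=32)


def split_key(key: bytes) -> Tuple[bytes, bytes]:
    """Return the (signing_key, encryption_key) halves of a 32-byte Fernet key."""
    if len(key) != 32:
        raise ValueError("Fernet key must be exactly 32 bytes")
    return key[:16], key[16:]


def build_token(key: bytes, iv: bytes, ciphertext: bytes,
                timestamp: Optional[int] = None) -> bytes:
    """Wrap AES-CBC output in a signed, base64url-encoded Fernet token."""
    signing_key, _ = split_key(key)
    if len(iv) != 16 or len(ciphertext) == 0 or len(ciphertext) % 16:
        raise ValueError("IV must be 16 bytes and ciphertext a whole number of AES blocks")
    ts = int(time.time()) if timestamp is None else timestamp
    body = b"\x80" + struct.pack(">Q", ts) + iv + ciphertext
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)


def verify_token(key: bytes, token: bytes, ttl: Optional[int] = None,
                 now: Optional[int] = None) -> Tuple[int, bytes, bytes]:
    """Authenticate a token BEFORE any decryption. Returns (timestamp, iv, ciphertext)
    or raises ValueError for a wrong key, a tampered or malformed token, or an expired one."""
    signing_key, _ = split_key(key)
    try:
        raw = base64.urlsafe_b64decode(token)
    except (ValueError, TypeError) as exc:   # binascii.Error is a ValueError subclass
        raise ValueError("token is not valid base64url") from exc
    if len(raw) < 1 + 8 + 16 + 16 + 32 or raw[0] != 0x80:
        raise ValueError("malformed token")
    body, tag = raw[:-32], raw[-32:]
    expected = hmac.new(signing_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("bad MAC: wrong key or tampered token")
    timestamp = struct.unpack(">Q", body[1:9])[0]
    iv, ciphertext = body[9:25], body[25:]
    if len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    current = int(time.time()) if now is None else now
    if ttl is not None and timestamp + ttl < current:
        raise ValueError("token expired")
    if current + MAX_CLOCK_SKEW < timestamp:
        raise ValueError("token timestamp is in the future")
    return timestamp, iv, ciphertext


def pack_export(salt: bytes, tokens: List[bytes]) -> bytes:
    """Export layout (an assumption, not the app's real format): the salt, then one
    token per line. Tokens are base64url, so they never contain a newline."""
    return salt + b"\n".join(tokens)


def unpack_export(blob: bytes) -> Tuple[bytes, List[bytes]]:
    salt, rest = blob[:SALT_LEN], blob[SALT_LEN:]
    return salt, [t for t in rest.split(b"\n") if t]


if __name__ == "__main__":
    # Constructed sample: random bytes stand in for two blocks of pyaes output.
    salt = new_salt()
    key = derive_fernet_key("correct horse battery staple", salt)
    export = pack_export(salt, [build_token(key, os.urandom(16), os.urandom(32))])
    salt2, tokens = unpack_export(export)       # what an import sees on another device
    ts, iv, ct = verify_token(derive_fernet_key("correct horse battery staple", salt2),
                              tokens[0], ttl=3600)
    print("verified token from", ts, "with", len(ct), "ciphertext bytes")
    try:
        verify_token(derive_fernet_key("wrong passphrase", salt2), tokens[0])
    except ValueError as err:
        print("rejected:", err)
```

The order matters: the MAC is checked with a constant-time comparison before the IV and ciphertext are ever handed to AES, which is what stops a padding-oracle style probe against CBC, and the salt travels with the export precisely because it is not secret; only the passphrase is, and it is never written anywhere.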

Lessons Learned

Building this app was a huge learning experience. I discovered:

  • Android development doesn't have to involve Java/Kotlin – Kivy + Python worked great.
  • Using Docker for Buildozer makes life easier – Setting up Buildozer manually can be a headache, but the Dockerized version just worked.
  • Encryption is deceptively complex – AES is powerful, but raw AES-CBC gives no integrity on its own and a typed key needs a proper derivation step; Fernet's MAC covers the first, and careful key management is still on you for the second.
  • Databases behave differently on different architectures – Choosing the right storage backend matters, especially on mobile.

Final Thoughts

This project reinforced my belief that security should never be an afterthought, especially when handling sensitive information like cryptocurrency keys. If you're interested in a simple, offline, and fully encrypted secrets manager for Android, you can check out the code on GitHub.

If you've ever built a security-focused app, I'd love to hear about your experience—especially if you've tackled similar encryption challenges!