Applications often store both low-risk settings and high-risk secrets. Interviewers want to see whether you can distinguish convenience data from credentials and choose the right storage approach.
Explain how you would handle secure storage of user preferences versus truly sensitive data such as access tokens, refresh tokens, API keys, or passwords.
Address these points:
You do not need to design a full production security platform. Focus on practical engineering decisions, clear threat modeling, and the trade-offs between usability, performance, and security. A strong answer should distinguish harmless settings from secrets, explain why “encrypt everything” is not always the full answer, and describe how platform-provided secure storage changes the design.