The following problem was tested with Android version 4.3 and a Nexus 7.
When using the KeyStore with Android version 4.3, the keys are deleted after setting the lock screen to none; it doesn't matter if the lock screen was set to none before.
To reproduce this, you can use the provided Android sample located under
"sdk\samples\android-18\security\keystore\BasicAndroidKeyStore".
After running the application:
While examining the Android source code, I found out that in line 639 the keystore seemed to be reset. See: https://android.googlesource.com/platform/frameworks/base/+/52c489cd63cca0361f374f7cb392018fabfa8bcc/core/java/com/android/internal/widget/LockPatternUtils.java
Does anyone know why this happens? I reported this to the Android community: https://code.google.com/p/android/issues/detail?id=60176
Edit: In Android version 4.2 you couldn't set the lock screen to none if some keys were saved. You had to delete your credentials first before doing so.
The Android Keystore system lets you store cryptographic keys in a container to make them more difficult to extract from the device. Once keys are in the keystore, you can use them for cryptographic operations, with the key material remaining non-exportable.
This appears to be a bug in Android from 4.3 onwards. There's a very good article on it here:
Android Security: The Forgetful Keystore
The author says that some people claim this is a feature rather than a bug, but I disagree. If encrypted data is about to be rendered unreadable, the platform should at least inform the user, if not prevent them from proceeding altogether.
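An app-side check for the key loss described in this thread, as an added example that is not part of the original posts or of the Android sample: at startup it distinguishes "key never created" from "key was created but is gone", so the app can tell the user instead of failing on decrypt. The class name, the `alias` value and the `keyWasProvisioned` flag (which the app would persist itself when it first generates the key) are assumptions.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

/** Added example: detect an AndroidKeyStore key that was wiped behind the app's back. */
public final class KeystoreKeyCheck {

    public enum KeyState { OK, FIRST_RUN, KEY_LOST, KEYSTORE_ERROR }

    private KeystoreKeyCheck() {}

    /**
     * @param alias             app-chosen key alias (assumption)
     * @param keyWasProvisioned flag the app stored itself when it created the key (assumption)
     */
    public static KeyState check(String alias, boolean keyWasProvisioned) {
        boolean present;
        try {
            KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
            ks.load(null); // no stream or password is needed for this provider
            // Confirm the alias exists and still resolves to a private key entry.
            present = ks.containsAlias(alias)
                    && ks.getEntry(alias, null) instanceof KeyStore.PrivateKeyEntry;
        } catch (GeneralSecurityException e) {
            return KeyState.KEYSTORE_ERROR;
        } catch (IOException e) {
            return KeyState.KEYSTORE_ERROR;
        }
        if (present) {
            return KeyState.OK;
        }
        // Missing key: either nothing was ever created, or the keystore was reset.
        return keyWasProvisioned ? KeyState.KEY_LOST : KeyState.FIRST_RUN;
    }
}
```

On `KEY_LOST`, anything encrypted to the old key cannot be decrypted, so the app should inform the user, discard or re-fetch that data, and generate a new key.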