Menu
How I do to store a secret key in a android device with the only possibility to use the key, not retrieve it. Eg: I import a private/generate a RSA keypair or a symmetric key from a application to this "secure storage". Now, NOBODY should be able to retrieve the secret key, not even the original application. (The non-secret part of key - the public key of a RSA keypair - but no part of a symmetric key - should still be retrieveable, especially if the key is generated in the secure storage)
The keystore should now act as a black box, providing a input for encrypted data and a output for decrypted data, eg I feed my encrypted values that I want to decrypt, and gets the decrypted values back.
Its a big plus if this is implemented in a hardware security chip in the android device, like a smart card chip, which is tamper-resistant, which would also keep the keys secure even if the device is rooted & cloned.
Any ideas which android mobile phones, that has such a tamper-resistant chip? Any ideas on how to use such a storage?
Found a similiar question: Android Secure Storage but this does not answer my questions.
825
The secure storage service provides encrypted and tamper proof storage to secure apps. All operations that modify the file system state are transactional. Files can be opened, create or deleted by name (where the name is local to the app). Open files support read, write, get-size and set-size operations.
Use external storage Because external storage can be removed by the user and also modified by any application, don't store sensitive information using external storage. To read and write files on external storage in a more secure way, consider using the Security library, which provides the EncryptedFile class.
Ionic Secure Storage is a cross-platform local database system for high performance, secure data storage on iOS and Android. It provides full SQL query and relational data support through SQLite, as well as key/value support for simpler use cases when used with the Ionic Storage utility library.
The Android Keystore provides APIs to perform cryptographic operations within this trusted environment and receive the result. It was introduced in API 18 (Android 4.3). A strongbox backed Android Keystore is currently the most secure and recommended type of keystore.
Found out what you need to do to get secure storage on Android:
You need to buy a Secure MicroSD card, one which conforms to the ASSD specification (Advanced Security SD). That is a MicroSD card that contains a Secure Element, often a PKI solution where you can generate a private key on-card so the private key is impossible to extract, but the public key can be extracted and use it to encrypt things that only the MicroSD card can decrypt.
Two examples is CertGate MicroSD (which is available as a consumer version called "SmartCard-HSM Android") and one that is no longer available in consumer version, is the G&D Mobile Security Card.
That makes it a secure storage that CANNOT be hacked by a rooted phone, and it CANNOT be copied, impossible per the definition. Only way is to brute-force the private key using the public key as verification if you hit correctly. But if you use RSA-2048, that is technically impossible too.
The reason is that the Phone Manufacturers seems to lock the built-in Phone Secure Element to manufacturer approved apps, so you cannot use it arbitrarily. Only way is actually add a Secure Element to the phone in the form of a MicroSD card.
(This answer is only valid for Android versions prior to 5.0)
200
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
