Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Are KeyStore entries lost when the application is uninstalled?

I am generating an Asymmetric key pair in the Android key store as below: I have used the public key for symmetric key wrapping and storing the wrapped key to a file. When I try to unwrap symmetric key using the private key, I am able to do so within that instance. Once my application is re-installed, I am unable to get the key store entry with the alias.

KeyPairGenerator kpg = KeyPairGenerator.getInstance(
    KeyProperties.KEY_ALGORITHM_RSA,
    "AndroidKeyStore"
);

kpg.initialize(new KeyGenParameterSpec.Builder(
        Constants.KEY_STORE_ALIAS_NAME,
        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT
    )
    .setKeySize(Constants.ASYMMETRIC_KEY_LENGTH)
    .setBlockModes(KeyProperties.BLOCK_MODE_ECB)
    .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)
    .build()
);

keyPair =  kpg.generateKeyPair();

// Code for accessing the key store entry to un wrap the symmetric key
KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
ks.load(null);
KeyStore.Entry entry = ks.getEntry(Constants.KEY_STORE_ALIAS_NAME, null);
PrivateKey privateKey = ((KeyStore.PrivateKeyEntry) entry).getPrivateKey();
like image 636
Hithendra Nath Avatar asked Jan 18 '18 13:01

Hithendra Nath


People also ask

Can multiple apps have same keystore?

A keystore is just a means to securely store the public/private key pair which is used to sign your Android apks. So yes, you can use the same keystore to sign multiple apks, without a problem.

Where are keystore files stored?

Keystore file is stored and secured in Google play. Your APKs will be signed by Google Play with app signing key and published to users. Even if you lost your upload key you can contact with Google and you can update your application after validating your account.

Should I use the same keystore for all my apps?

Note: You can use the same Keystore file for all of your Android applications. This is, in fact, recommended by Google.


1 Answers

Keys stored in Android Keystore are non-extractable. It is a security measure

Security Features

Android Keystore system protects key material from unauthorized use. Firstly, Android Keystore mitigates unauthorized use of key material outside of the Android device by preventing extraction of the key material from application processes and from the Android device as a whole. Secondly, Android KeyStore mitigates unauthorized use of key material on the Android device by making apps specify authorized uses of their keys and then enforcing these restrictions outside of the apps' processes

This means that the keys can not be part of the Android backup service in any way. It allows to store application data on the cloud once the application is uninstalled. See HowBackupWorks.

It would be a serious security risk that private keys could be extracted and stored in cloud or even that they remain stored in the device when the application has been uninstalled

If you need to use an encryption key that does not depend on the reinstallation, you could generate a symmetric key from a user passphrase using a key derivation algorithm

like image 182
pedrofb Avatar answered Oct 03 '22 10:10

pedrofb