
How to save secret key securely in android

I just read this article http://android-developers.blogspot.in/2013/02/using-cryptography-to-store-credentials.html where I learnt to generate a security key.

I want to know how to save this generated key securely so hackers won't get it even if the phone is rooted.

If we save this in SharedPreferences or storage, then a hacker can get it.

Thanks.

N Sharma asked Sep 26 '16 08:09


2 Answers

This is the overall problem with keeping access to the sensitive data. There is always a way to decrypt, then the encryption key might leak.

You might use EncryptedPreferences to store simple data in an encrypted way.

However, just a quick look into the source code reveals that you must pass a password on app init.

EncryptedPreferences encryptedPreferences = new EncryptedPreferences.Builder(this).withEncryptionPassword("password").build();

This is a security leak if the password is hardcoded. This is not the preferred method.

You might make use of the link you provided and generate a One-time pad.

public static SecretKey generateKey() throws NoSuchAlgorithmException {
    // Generate a 256-bit key
    final int outputKeyLength = 256;

    SecureRandom secureRandom = new SecureRandom();
    // Do *not* seed secureRandom! Automatically seeded from system entropy.
    KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
    keyGenerator.init(outputKeyLength, secureRandom);
    SecretKey key = keyGenerator.generateKey();
    return key;
}

Of course, an ideal situation is taken into account, where the key generating function is ideally random.

Generate this key on first application start and use it in the library which I linked before.

Advantage: the key is different for each application installation. That means that even if the cracker gets to know how the cipher works, he is still unable to decrypt other devices as long as he does not have access to such a device's SharedPreferences.

R. Zagórski answered Oct 07 '22 01:10


If Android is rooted, there is no way to secure anything, so you had better look for architectural changes in your application.


Example : WhatsApp

Upon installation, WhatsApp creates a user account using one’s phone number as the username (Jabber ID: [phone number]@s.whatsapp.net). A password is generated using an unknown algorithm on the server end and sent to the client.

But if the phone is rooted, you can easily extract this password, as mentioned here.

WhatsApp uses End-to-End Encryption, it stores all its data in encrypted form in internal storage.


Example : Snapchat

Snapchat has stated that Snapchatters using a Rooted Android device will be blocked from logging in.


Suggestion

What you can do is use a mixture of the techniques of both giant applications, WhatsApp and Snapchat, i.e.

  • Block the phones that are rooted
  • Make sure to make the password "User-Specific" (every user has its own key) rather than "App-specific" (the same on all devices)
  • Save the password on the server, and fetch it on every start of the application (validate and delete, do not store)
  • Make sure all your data is in encrypted form

shanraisshan answered Oct 07 '22 02:10