Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to store secretkey in Android securely?

I'm reading about store a secretkey (to encrypt/to decrypt data) and seems there is no way achieve that. One can only increase difficult for an attacker accomplish this.

It's really like that?

What I've got so far:

Store in shared preference ( private mode ) - Rooted phone will be able to retrieve it.

NDK C/C++ native code, create .so file - Hard to decompile, but one could call this .so file and retrieve it.

A webserver to store the key, looks useless, if a have to send credentials, a malicious ware could log key taps.

Am I too paranoic?

like image 243
ramires.cabral Avatar asked Dec 14 '22 01:12

ramires.cabral


1 Answers

Why do not you use Android Keystore?it is designed for this purpose https://developer.android.com/training/articles/keystore.html

The Android Keystore system lets you store cryptographic keys in a container to make it more difficult to extract from the device

It has considerable advantages over shared preferences or private files like extraction prevention or key use authorization I do not consider storing private keys on the server

Security Features

Android Keystore system protects key material from unauthorized use. Firstly, Android Keystore mitigates unauthorized use of key material outside of the Android device by preventing extraction of the key material from application processes and from the Android device as a whole. Secondly, Android KeyStore mitigates unauthorized use of key material on the Android device by making apps specify authorized uses of their keys and then enforcing these restrictions outside of the apps' processes.

In some devices with dedicated hardware it is implemented on it. As a programmer you can know is a key is hardware-protected

The concept is similar to iOS KeyChain, but whereas IOS KeyChain can store passwords, generate and import cryptographic keys, Android KeyStore only allows to generate cryptographic secret keys by the application ( no import functions)

The keys also can be protected requiring user to unlock the device and / or presenting the fingerprint

For example, to secure a password, is possible to generate a cipher key protected with fingerprint, and use it to encrypt user's credentials that could be stored in preferences

like image 172
pedrofb Avatar answered Dec 16 '22 13:12

pedrofb