Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to store secretkey in Android securely?

Tags:

android

security

cryptography

android-ndk

I'm reading about store a secretkey (to encrypt/to decrypt data) and seems there is no way achieve that. One can only increase difficult for an attacker accomplish this.

It's really like that?

What I've got so far:

Store in shared preference ( private mode ) - Rooted phone will be able to retrieve it.

NDK C/C++ native code, create .so file - Hard to decompile, but one could call this .so file and retrieve it.

A webserver to store the key, looks useless, if a have to send credentials, a malicious ware could log key taps.

Am I too paranoic?

like image 243
ramires.cabral Avatar asked Dec 14 '22 01:12

ramires.cabral

1 Answers

Why do not you use Android Keystore?it is designed for this purpose https://developer.android.com/training/articles/keystore.html

The Android Keystore system lets you store cryptographic keys in a container to make it more difficult to extract from the device

It has considerable advantages over shared preferences or private files like extraction prevention or key use authorization I do not consider storing private keys on the server

Security Features

Android Keystore system protects key material from unauthorized use. Firstly, Android Keystore mitigates unauthorized use of key material outside of the Android device by preventing extraction of the key material from application processes and from the Android device as a whole. Secondly, Android KeyStore mitigates unauthorized use of key material on the Android device by making apps specify authorized uses of their keys and then enforcing these restrictions outside of the apps' processes.

In some devices with dedicated hardware it is implemented on it. As a programmer you can know is a key is hardware-protected

The concept is similar to iOS KeyChain, but whereas IOS KeyChain can store passwords, generate and import cryptographic keys, Android KeyStore only allows to generate cryptographic secret keys by the application ( no import functions)

The keys also can be protected requiring user to unlock the device and / or presenting the fingerprint

For example, to secure a password, is possible to generate a cipher key protected with fingerprint, and use it to encrypt user's credentials that could be stored in preferences

like image 172
pedrofb Avatar answered Dec 16 '22 13:12

pedrofb
Sign in to Comment

Related questions

How to pass data between fragment in viewpager?
Firebase: Is it Possible to do custom notification for the FCM [duplicate]
I received in my server a message that could be from a hacker [closed]
How to zoom simultaneously on two ImageViews?
new line when user press enter in edit text in android
Plugin with id 'com.google.gms.google-services' not found
adb logcat filter by package name [duplicate]
set Toolbar in an Activity
Android ConstraintLayout getWidth return 0 [closed]
retrofit httpLogInterceptor java.lang.NoSuchMethodError:
java.lang.NoClassDefFoundError: Failed resolution of: Lcom/squareup/okhttp/OkHttpClient error when using Picasso offline capability - Android
Get random images in Android Studio
Connect my project to gitlab with android studio
Android Spinner two-way binding with @InverseBindingAdapter / AttrChanged doesn't work
FCM notification title remains "FCM Message"
How to return apostrophe when using Google Translate API for Android?
Android pass value from activity to adapter
Xamarin Android Simple Input Text Popup
How to remove sensitive data (API_KEY) across git commit history?
Implement Eclipse MQTT Android Client using single connection instance

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!