Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Limitations of secure storage - KeyChain and KeyStore

Tags:

android

ios

android-keystore

flutter

keychain

I'm planning to use flutter_secure_storage in my app to keep some private keys and tokens. I'm looking for limitations of secure storage on both Android and iOS but I cannot find answers to some of the questions:

  1. How big is KeyChain and KeyStore storage on iOS and Android, respectively?
  2. How many keys can we store inside?
  3. How big can individual key be?
  4. What is lifetime of the storage? Does it exist only while app is installed? Is it persistent of ephemeral?

Thanks

like image 245
Andrija Avatar asked Sep 14 '20 14:09

Andrija

1 Answers

Secure storage is like Shared Prefences/NSUserDefaults. It stores data in key-value pairs. The data is encrypted and uses a key made from a unique device key to encrypt and decrypt the data stored. The data is stored somewhere in the root directory where only the OS can access it.

  1. There is no storage limitations for secure storage (There is no space limits mentioned in any docs but I do think that you cannot store large amounts of data that are 1Gb+)
  2. You can store an unlimited amount of keys inside
  3. Based on MKJParekh's answer, you can store up to 2147483647 characters.
  4. The data gets deleted once the app is uninstalled. (Take note that the data in secured storage can't be backuped in Android) Take a look at this

Do not use secure storage for storing sensitive private keys and tokens. You didn't specify what private keys and tokens you're going to store in secure storage. You might be storing your database credentials or something that another user shouldn't obtain. Although data being stored in secure storage is encrypted, it isn't entirely secure. Users can root/jailbreak their devices which gives them full control of the OS. There are tools that can intercept keys as they are provided and use it to decrypt the data. The only way to prevent that is to never give the keys to the user. You should store it in a server that you can control. (Firebase Cloud Functions, AWS ECS, or your own VPS) are examples of these severs.

When to use Secure Storage
Use secure storage to store data that should be encrypted and hidden from the user. That data should store only store user's sensitive data such as their api keys and not your server private keys.

like image 73
Uni Avatar answered Oct 16 '22 18:10

Uni
Sign in to Comment

Related questions

How to navigate from bottomsheetdialog to fragment using navigation?
Why is Kotlin accepting a null value in an attribute declared as a non-nullable string?
Using Custom Views with Jetpack Compose
Coroutines, async DiffUtil and Inconsistency detected error
Using MapBox to generate a route and directions for two locations
java.lang.IllegalStateException: Fragment no longer exists for key f0: unique id
Entry name 'org/joda/time/tz/data/Europe/Dublin' collided
App Center can't locate android project if it's not at root level
Progress indicators on Button in Android
Android devices not receiving 5% of push sent with Firebase Cloud Messaging
How to programatically select the default Chip in a ChipGroup in Android?
Allow TextView to grow until a certain point in constraint layout
How do I run Flutter in multiple iOS Simulators
How do I automatically increment the build id and version number of an Android App using Azure Pipelines
Detect 5G NR (SA/NSA) in my Android Application
NotifyDataSetChanged not working in FragmentStateAdapter with Viewpager2
How to replace last character in String when it is in an Array
FirebaseCrashlytics: Send to Reports Endpoint for non-native reports disabled
How to center crop a video thumbnail (Square thumbnail) in ffmpeg?
what does pause track mean in play console

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!