Securely storing a symmetric key using the Android KeyChain

Given that it is not possible to store a symmetric key using the Android KeyChain API, is the following a secure way to store a symmetric key:

Part One: Key Generation and Storage

  1. Generate symmetric_key
  2. Generate (private_key, public_key), store them in the KeyChain
  3. Encrypt the symmetric_key using the public_key as follows: encrypted_symmetric_key = public_encrypt(symmetric_key)
  4. Store encrypted_symmetric_key in local storage (SharedPreferences, SQLite, etc.)

Part Two: Using the symmetric_key

When the app wants to encrypt/decrypt something it:

  1. Loads the private_key into memory from the KeyChain
  2. Loads the encrypted_symmetric_key from disk
  3. Obtains symmetric_key := private_decrypt(encrypted_symmetric_key)
  4. encrypt(symmetric_key, some_message) or decrypt(symmetric_key, some_ciphertext)

Concerns:

  1. Would a rooted user be able to obtain the (private_key, public_key) pair?
  2. If the phone is not rooted, is the app that created the (private_key, public_key) pair the only user that can read the keypair?
fernandohur asked Nov 10 '22 18:11

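The scheme from the question written out against the Android Keystore, as an added example that is not code from the question or the answer: the wrapping pair is created in the "AndroidKeyStore" provider (KeyChain is for user-installed credentials, while app-private keys go in the Keystore), and the class name, alias, key sizes and the explicit OAEP parameters are my assumptions.

```java
import android.security.keystore.*;
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import javax.crypto.*;
import javax.crypto.spec.*;

public final class WrappedSymmetricKey {
    // Hypothetical alias for the wrapping pair held inside the Android Keystore.
    private static final String ALIAS = "app_key_wrapping_pair";
    private static final String STORE = "AndroidKeyStore";
    private static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    // Pin the OAEP parameters on both sides: the Keystore pairs a SHA-256 OAEP
    // digest with SHA-1 for MGF1, which differs from other JCA providers.
    private static final OAEPParameterSpec OAEP = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT);

    // Part One, steps 1-3. The private key is generated inside the Keystore and
    // is not exportable; only the public half is handed back to the app.
    static byte[] generateAndWrap() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA, STORE);
        kpg.initialize(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setKeySize(2048)
                .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA1)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_OAEP)
                .build());
        PublicKey pub = kpg.generateKeyPair().getPublic();
        byte[] symmetricKey = new byte[32];          // fresh 256-bit AES key
        new SecureRandom().nextBytes(symmetricKey);
        Cipher c = Cipher.getInstance(RSA_OAEP);
        c.init(Cipher.ENCRYPT_MODE, pub, OAEP);
        // Step 4: the caller persists this blob (SharedPreferences, SQLite, ...).
        return c.doFinal(symmetricKey);
    }

    // Part Two, steps 1-3. The Keystore performs the RSA decryption; the app only
    // ever holds the recovered AES key in memory, never the RSA private key.
    static SecretKey unwrap(byte[] encryptedSymmetricKey) throws Exception {
        KeyStore ks = KeyStore.getInstance(STORE);
        ks.load(null);
        PrivateKey priv = (PrivateKey) ks.getKey(ALIAS, null);
        Cipher c = Cipher.getInstance(RSA_OAEP);
        c.init(Cipher.DECRYPT_MODE, priv, OAEP);
        return new SecretKeySpec(c.doFinal(encryptedSymmetricKey), "AES");
    }
}
```

On API 23 and later the Keystore can also generate and hold an AES key directly (KeyGenerator with the "AndroidKeyStore" provider), which removes the wrapped blob on disk altogether. Whether the key material survives a rooted device depends on the key being hardware-backed (KeyInfo.isInsideSecureHardware), not on which of the two designs is used.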


1 Answer

According to the documentation (https://developer.android.com/reference/android/security/KeyChain.html): The KeyChain class provides access to private keys and their corresponding certificate chains in credential storage.

Private key means that it's asymmetric (the private and public key are the two parts of an asymmetric key).

In your part 1 - you describe the preferred way to store a symmetric key on an Android device. Your part 2 is correct as well (at least to my knowledge).

As for your concerns - you are also correct. On a rooted device - the keys stored on the device are vulnerable, and can be obtained by a person with access to that device. On a non-rooted device - only the app will have access to the keys it creates.

In regard to rooting - you can use a root detection lib like RootShell (https://github.com/Stericson/RootShell) to detect if the device is rooted and then act accordingly (disable your app on that device or something similar), and you should also look into Google's SafetyNet (https://developer.android.com/training/safetynet/index.html) to detect if the device is tampered with (it detects rooting as well).

FunkSoulBrother answered Nov 14 '22 23:11
