Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Storing a secret key on Android

Tags:

android

My Android application uses a secret key to generate a token for authentication purposes. Is there a more secure way to store this than just putting this in the data store? I think for the iPhone, we store it in the keychain. I am aware of android.accounts.AccountManager, but this seems to give other applications potentially the ability to access the password (if the user selects the wrong option) and so seems less secure.

like image 455
Casebash Avatar asked Apr 20 '10 01:04

Casebash


People also ask

Where does Android store encryption key?

The Android Keystore system lets you store cryptographic keys in a container to make them more difficult to extract from the device. Once keys are in the keystore, you can use them for cryptographic operations, with the key material remaining non-exportable.

What is private key in Android?

Android apps are signed with a private key. To ensure that app updates are trustworthy, every private key has an associated public certificate that devices and services use to verify that the app update is from the same source. Devices only accept updates when its signature matches the installed app's signature.

What is Keychain app on Android?

OpenKeychain is a free and open-source mobile app for the Android operating system that provides strong, user-based encryption which is compatible with the OpenPGP standard. This allows users to encrypt, decrypt, sign, and verify signatures for text, emails, and files.


1 Answers

Android (unfortunately) does not provide a way to do so. The approach I've used before is to encrypt this token with another key generated within the app.

Your app key can be algorithmically generated. This, however, is only as secure as your algorithm. Once that is known this is equivalent to storing the token in plain text.

like image 192
Prashast Avatar answered Nov 15 '22 15:11

Prashast