Use KeyPairGeneratorSpec for Android API level < 18?

Question

I want to store secret data in the private keystore of my app.

However, as I was working on the code to do this, Android Studio warned that KeyPairGeneratorSpec.Builder(context) requires API level 18 and I'm targeting 14 as a minimum. :-(

How can I store secret data in my app for Android API level 14 through 17 ?

Answer 1

The AndroidKeyStore which is typically backed by hardware (but not necessarily so) was formally introduced in API level 18 as you can see and is described here: http://developer.android.com/training/articles/keystore.html

Nikolay Elenkov wrote a nice little app to test the AndroidKeyStore that you can find here: https://github.com/nelenkov/android-keystore

There are some tricks that you can use to get it to kind of work on API level 17 if you dig into AOSP, but there's no guarantee it will work on every device so it's kind of pointless. You definitely won't get it working on anything before that.

It's really not necessary to use the AndroidKeyStore to store your private key unless you are super paranoid about security and demand it be backed by hardware or in an isolated process (keystore process on non-hardware-backed devices).

If you generate a keypair in your application yourself and save it in a keystore file to your data area no other Android app will be able to read your key which is secure enough for most applications. You could even allow the user to protect the keystore with a password of their choosing.

There is some good information on generating a keypair in software using Java and Android can be found here:

Android RSA Keypair Generation - Should I use Standard Java/Bouncy Castle/Spongy Castle/JSch/Other?

JAVA: How to save a private key in a pem file with password protection

https://docs.oracle.com/javase/7/docs/api/java/security/KeyStore.html