Can other apps access keys in keychain?

Question

My question is pretty simple. I have an app that needs a key to sign requests sent to the server. If I store they key in the keychain can other apps access this key? If yes what is my other option to securely store the key? Is internal storage the way to go? thanks for your time.

(I know that a persistent attacker will get to the key if it's stored on the device but that's not my concern atm).

Answer 1

You can securely store in AndroidKeyStore that is specific to your app. It keeps app specific certs. It is available for API >= 18.

Android key store for app-private keys Android now offers a custom Java Security Provider in the KeyStore facility, called Android Key Store, which allows you to generate and save private keys that may be seen and used by only your app. To load the Android Key Store, pass "AndroidKeyStore" to KeyStore.getInstance().

To manage your app's private credentials in the Android Key Store, generate a new key with KeyPairGenerator with KeyPairGeneratorSpec. First get an instance of KeyPairGenerator by calling getInstance(). Then call initialize(), passing it an instance of KeyPairGeneratorSpec, which you can get using KeyPairGeneratorSpec.Builder. Finally, get your KeyPair by calling generateKeyPair().

http://developer.android.com/about/versions/android-4.3.html