Jose M Lechon

Reputation: 5896

Android android.credentials.UNLOCK Initializing keystore without password

Having a random key to encrypt local credentials through AES, I'm following the tutorial below to try to store that key securely and then be able to decrypt it later on:

nelenkov.blogspot.co.uk storing applicationsecrets in androids

This tutorial explains how to access the system keystore and store your passwords in it.

The issue I'm facing is focused on the call to UNLOCK (android.credentials.UNLOCK) the KeyStore. Devices (at the moment with API below 14) that don't have the KeyStore initialized show a dialog requesting an 8-digit password.

The tutorial works fine; however, showing this dialog, even though only once, is going to bother most of the users.

Are there any ways to skip this dialog?

I would be even happier if someone described a better way to keep a key locally.

Upvotes: 3

Views: 7188

Answers (2)

Alexander Zhak

Reputation: 9272

KeyStore can appear locked not only on pre-ICS devices. The simplest way to get KeyStore locked is:

  1. Initialize KeyStore by setting KeyGuard (pattern, PIN, or password in Screen Lock).
  2. Add keys or whatever you store in the KeyStore
  3. Go to Settings > Security and change Screen Lock to something "not secure", for example, Slide.
  4. Reboot your device.

After the device is booted, KeyStore will be LOCKED. The com.android.credentials.UNLOCK intent will start the com.android.settings.CredentialStorage activity, which, in turn, will show UnlockDialog, prompting for a password.

 * KeyStore: LOCKED
 * KeyGuard: OFF/ON
 * Action:   old unlock dialog
 * Notes:    assume old password, need to use it to unlock.
 *           if unlock, ensure key guard before install.
 *           if reset, treat as UNINITALIZED/OFF

KeyStore gets reset after 5 attempts to enter an incorrect password. But resetting KeyStore actually doesn't turn it off or uninitialize it. KeyStore remains locked, and the only way to uninitialize it seems to be to call com.android.credentials.RESET. But this will reset both KeyStore and KeyChain (user-installed certificates).

If you want to reset KeyStore and KeyChain silently, without user confirmation, you can do it by binding to IKeyChainService and calling its reset() method.

But I'd not recommend doing this. A better solution could be to display a notification message asking the user to set the Screen Lock manually.

Upvotes: 5

Nikolay Elenkov

Reputation: 52936

The 8-digit password is enforced by your custom device firmware or a device administrator. There is no such requirement on most devices. If you want to store something securely, you have to have a PIN code; Android uses it to derive the encryption key. Another option is to derive a key from your input yourself: you get to control the timing of dialogs and caching of keys, but it's the same process. Finally, you can just generate a master key and store it as a private file; other apps won't be able to read it, so you'll be fine on non-rooted devices. This is the approach recommended on the Android Developers Blog:

http://android-developers.blogspot.jp/2013/02/using-cryptography-to-store-credentials.html

Upvotes: 2
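The "master key in a private file" approach from the answer above, written out as an added example (not code from either answer or from the linked blog post). It assumes an Android `Context`, a hypothetical file name `master.key` under the app's private files directory, and AES-GCM via `GCMParameterSpec`, which is only available from API level 19; on the older devices the question mentions you would substitute AES/CBC with a separate HMAC. The key file is protected only by the app's UID, so it offers nothing against a rooted device or an extracted backup, exactly as the answer states.

```java
import android.content.Context;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Added example: a master key kept in app-private storage and used to seal credentials with AES-GCM. */
public final class MasterKeyStore {
    private static final String KEY_FILE = "master.key"; // hypothetical file name, lives in getFilesDir()
    private static final int KEY_BITS = 256;
    private static final int IV_BYTES = 12;               // 96-bit nonce, the GCM recommendation
    private static final int TAG_BITS = 128;

    private final Context context;

    public MasterKeyStore(Context context) {
        this.context = context.getApplicationContext();
    }

    /** Returns the master key, generating and persisting a fresh one on first use. */
    public SecretKey loadOrCreate() throws IOException, GeneralSecurityException {
        File keyFile = new File(context.getFilesDir(), KEY_FILE);
        if (keyFile.exists()) {
            byte[] raw = new byte[(int) keyFile.length()];
            try (FileInputStream in = new FileInputStream(keyFile)) {
                int done = 0;
                while (done < raw.length) {
                    int n = in.read(raw, done, raw.length - done);
                    if (n < 0) throw new IOException("truncated key file");
                    done += n;
                }
            }
            return new SecretKeySpec(raw, "AES");
        }
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(KEY_BITS, new SecureRandom());
        SecretKey key = kg.generateKey();
        // MODE_PRIVATE: the file is readable only by this app's uid; root can still read it.
        try (FileOutputStream out = context.openFileOutput(KEY_FILE, Context.MODE_PRIVATE)) {
            out.write(key.getEncoded());
        }
        return key;
    }

    /** Encrypts a credential; the returned blob is IV || ciphertext || GCM tag. */
    public static byte[] seal(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);             // fresh nonce per encryption, never reused with this key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] blob = new byte[IV_BYTES + ct.length];
        System.arraycopy(iv, 0, blob, 0, IV_BYTES);
        System.arraycopy(ct, 0, blob, IV_BYTES, ct.length);
        return blob;
    }

    /** Decrypts a blob produced by seal(); throws if the tag does not verify (tampered or wrong key). */
    public static byte[] open(SecretKey key, byte[] blob) throws GeneralSecurityException {
        if (blob.length < IV_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("blob too short to contain IV and tag");
        }
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_BYTES));
        return c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
    }
}
```

Typical use is `SecretKey k = new MasterKeyStore(ctx).loadOrCreate();` followed by `seal(k, credentialBytes)` on save and `open(k, blob)` on load. Because the key never leaves the app's private directory, no UNLOCK dialog is involved; the trade-off is that the key's confidentiality rests entirely on filesystem permissions, so also consider excluding the file from backups.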
