Given that it is not possible to store a symmetric key using the Android KeyChain API, is the following a secure way to store a symmetric key?

Part One: Key Generation and Storage

1. Generate symmetric_key.
2. Generate (private_key, public_key), store them in the KeyChain.
3. Encrypt symmetric_key using the public_key as follows: encrypted_symmetric_key = public_encrypt(symmetric_key)
4. Store encrypted_symmetric_key in local storage (SharedPreferences, SQLite, etc.)

Part Two: Using the symmetric_key

When the app wants to encrypt/decrypt something it:

1. Loads private_key into memory from the KeyChain
2. Loads encrypted_symmetric_key from disk
3. symmetric_key := private_decrypt(encrypted_symmetric_key)
4. encrypt(symmetric_key, some_message) or decrypt(symmetric_key, some_ciphertext)

Concerns:

- Is the KeyChain a secure place to store the (private_key, public_key) pair?
- Is the app that created the (private_key, public_key) pair the only user that can read the keypair?

Upvotes: 5
Views: 2225
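The two-part scheme described in the question, written out as an added stand-alone example in Go. This is not code from the question or from Android: it uses only the Go standard library, and keyChainStandIn and localStorageStandIn are assumed in-memory stand-ins for the KeyChain and for SharedPreferences/SQLite. It fills in the two details a practitioner would want before shipping the scheme: public_encrypt/private_decrypt are RSA-OAEP (not raw RSA or PKCS#1 v1.5), and encrypt/decrypt are AES-256-GCM with a fresh random nonce, so a tampered encrypted_symmetric_key or ciphertext is rejected with an error instead of silently yielding garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// oaepLabel (assumed name) binds the wrapped blob to this purpose.
var oaepLabel = []byte("wrapped-symmetric-key-v1")

// keyChainStandIn is an assumed in-memory stand-in for the Android KeyChain:
// the private key lives here and is never written to local storage.
type keyChainStandIn struct {
	priv *rsa.PrivateKey
}

// localStorageStandIn is an assumed stand-in for SharedPreferences/SQLite:
// only the wrapped key is persisted here.
type localStorageStandIn struct {
	encryptedSymmetricKey []byte
}

// provision performs Part One: generate symmetric_key and the keypair,
// wrap symmetric_key under public_key, keep only the wrapped form.
func provision() (*keyChainStandIn, *localStorageStandIn, error) {
	symmetricKey := make([]byte, 32) // AES-256 key
	if _, err := io.ReadFull(rand.Reader, symmetricKey); err != nil {
		return nil, nil, err
	}
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	// RSA-OAEP with SHA-256 is the wrapping primitive; PKCS#1 v1.5 padding
	// would expose the wrapped key to padding-oracle attacks.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, symmetricKey, oaepLabel)
	if err != nil {
		return nil, nil, err
	}
	for i := range symmetricKey { // plaintext copy is no longer needed
		symmetricKey[i] = 0
	}
	return &keyChainStandIn{priv: priv}, &localStorageStandIn{encryptedSymmetricKey: wrapped}, nil
}

// unwrap is symmetric_key := private_decrypt(encrypted_symmetric_key).
// A blob altered on disk fails the OAEP check instead of yielding a bogus key.
func unwrap(kc *keyChainStandIn, ls *localStorageStandIn) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, kc.priv, ls.encryptedSymmetricKey, oaepLabel)
}

// encryptMessage is encrypt(symmetric_key, some_message) with AES-256-GCM.
// Output layout: nonce || ciphertext || tag.
func encryptMessage(symmetricKey, message []byte) ([]byte, error) {
	block, err := aes.NewCipher(symmetricKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, message, nil), nil
}

// decryptMessage is decrypt(symmetric_key, some_ciphertext); the GCM tag
// rejects any modification of the stored ciphertext.
func decryptMessage(symmetricKey, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(symmetricKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(ciphertext) < ns {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, ciphertext[:ns], ciphertext[ns:], nil)
}

// roundTrip runs Part One and Part Two end to end and returns the recovered message.
func roundTrip(message []byte) ([]byte, error) {
	kc, ls, err := provision()
	if err != nil {
		return nil, err
	}
	key, err := unwrap(kc, ls)
	if err != nil {
		return nil, err
	}
	ct, err := encryptMessage(key, message)
	if err != nil {
		return nil, err
	}
	return decryptMessage(key, ct)
}

func main() {
	out, err := roundTrip([]byte("some_message"))
	fmt.Printf("%q %v\n", out, err)
}
```

On a device, rsa.GenerateKey would be replaced by a keypair generated inside the platform key store, so that unwrap runs without the private key ever being exportable to app memory; the rest of the flow stays the same.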
According to the documentation (https://developer.android.com/reference/android/security/KeyChain.html): The KeyChain class provides access to private keys and their corresponding certificate chains in credential storage.
Private key means that it's asymmetric (the private and public key are the two parts of an asymmetric key).
In your part 1 - you describe the preferred way to store a symmetric key on an Android device. Your part 2 is correct as well (at least to my knowledge).
As for your concerns - you are also correct. On a rooted device, the keys stored on the device are vulnerable and can be obtained by a person with access to that device. On a non-rooted device, only the app will have access to the keys it creates.
In regard to rooting - you can use a root detection lib like RootShell (https://github.com/Stericson/RootShell) to detect if the device is rooted and then act accordingly (disable your app on that device or something similar), and you should also look into Google's SafetyNet (https://developer.android.com/training/safetynet/index.html) to detect if the device is tampered with (it detects rooting as well).
Upvotes: 1