Yash

Reputation: 5325

Extract Key from android keystore

From the Android Keystore Docs

Android Keystore system protects key material from unauthorized use. Firstly, Android Keystore mitigates unauthorized use of key material outside of the Android device by preventing extraction of the key material from application processes and from the Android device as a whole. Secondly, Android KeyStore mitigates unauthorized use of key material on the Android device by making apps specify authorized uses of their keys and then enforcing these restrictions outside of the apps' processes.

I am not able to understand it completely.

by preventing extraction of the key material from application processes

Upvotes: 3

Views: 3627

Answers (2)

Szabolcs Becze

Reputation: 537

I would also add that the privateKey.getEncoded() method will return null if you retrieve the privateKey from the AndroidKeyStore.

So considering the code below:

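import java.security.KeyStore;
import java.security.PrivateKey;

// Open the AndroidKeyStore provider (it takes no stream or password)
KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
keyStore.load(null);

// Look up the entry stored under `alias` and take its private key
KeyStore.Entry keyStoreEntry = keyStore.getEntry(alias, null);
PrivateKey privateKey = ((KeyStore.PrivateKeyEntry) keyStoreEntry).getPrivateKey();
// Ask for the encoded key bytes
byte[] privateKeyData = privateKey.getEncoded();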

privateKeyData will be null. This is what it means that

"Android Keystore system protects key material from unauthorized use"

Upvotes: 1

David Rawson

Reputation: 21427

What does it mean? Any application process in the device can not extract the key from the store?

"Preventing extraction" in the context of the documentation you linked means "preventing extraction of the key material by an adversary." It doesn't mean that your own application cannot use the key from the keystore to encrypt/decrypt data. It does mean you will never be able to obtain something like a key file from the Android KeyStore, copy that somewhere else, and reuse it.

Furthermore, say you need to send encrypted messages between client and server on your app. You naively generate a key and store the file ("key material") in the internal storage for your app. An adversary gains root access to the device. They can now access your key file and use your key. Even if you use a password for the key, if your app process is compromised then because the adversary has access to the key material (i.e., the key file) there is still a danger.

The advantage being talked about in the documentation is exactly the opposite of these faults. The Android Keystore cryptographic transformation takes place outside of the application process (as a system process) and may be bound to secure hardware. None of the key material (key files etc.) is exposed for an adversary to reuse somehow (to decrypt messages or to sign an email, for instance).

Note, if you want a key to be used with multiple applications then you might need the KeyChain API rather than the keystore.

Upvotes: 5
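
The two answers above, put together as an added example (not code from either answer or from the Android documentation): a key is generated inside AndroidKeyStore with its authorized uses declared, then used to sign while the app only ever holds a handle to it. The class name, the alias and the log tag are hypothetical, and API level 23 or later is assumed.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import android.util.Log;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;

public final class KeystoreDemo {
    private static final String ALIAS = "demo_signing_key"; // hypothetical alias

    /** Generates a sign-only EC key inside AndroidKeyStore and signs with it. */
    public static byte[] signWithoutExtracting(String message) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        // "Authorized uses": this key may only sign/verify, and only with SHA-256.
        kpg.initialize(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .build());
        kpg.generateKeyPair();

        // Reload by alias, as the app would on a later launch.
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        PrivateKey key = (PrivateKey) ks.getKey(ALIAS, null);

        // The object is a handle: there is no encoded form to write to a file.
        if (key.getEncoded() != null) {
            throw new IllegalStateException("key material unexpectedly exportable");
        }

        // Ask the keystore whether the key lives in secure hardware.
        KeyInfo info = KeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore")
                .getKeySpec(key, KeyInfo.class);
        // isInsideSecureHardware() is deprecated from API 31 (getSecurityLevel()).
        Log.i("KeystoreDemo", "hardware-backed: " + info.isInsideSecureHardware());

        // The private-key operation runs in the keystore, not in this process.
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(key);
        s.update(message.getBytes(StandardCharsets.UTF_8));
        return s.sign();
    }
}
```

The signature bytes are the only output the app receives, so a copy of the app's storage contains nothing that can sign elsewhere.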
