Reputation: 268
I am building an Android application that will need Certificate based authentication. I'm not so familiar with Java/Kotlin programming paradigms.
The certificates will be issued in one of two ways: via an API (which I control) or via a Device Management tool such as MobiControl (this is the only one currently, but we may have to use other device management tools).
I need a way to store the certificates securely, but in a way that we can deploy them automatically using a Device Management suite and they will persist indefinitely. Is the certificate store sufficient? https://developer.android.com/reference/java/security/cert/CertStore
In Unix, I'd store them in /etc/ssl/certs, but I don't know if this is a valid Android approach.
Upvotes: 1
Views: 4461
Reputation: 42575
If an app wants to store a client certificate that is only used by this app, I strongly recommend using the AndroidKeyStore system. See also this blog entry.
If the device supports it, the private key is stored encrypted and can't be accessed by apps (only used). Even the app itself can't extract the private key; however, it can use the private key for e.g. signing or decrypting data using a Java Cipher instance.
Furthermore, you can set with just one flag that using the certificate requires device authentication (e.g. via fingerprint) before the app can use it.
Upvotes: 1
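The answer above in code, as an added example that is not part of the original answer or of any Android library: a small Kotlin helper that covers both issuance paths from the question (the app generates the key pair inside AndroidKeyStore and gets a certificate issued for it, or the API hands over a PKCS#12 that is imported once), sets the user-authentication flag the answer mentions, signs with the key, and checks what the keystore actually reports about the key. The object name `ClientCertStore` and the alias `client-auth-key` are assumptions; it assumes API level 23 or later.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyInfo
import android.security.keystore.KeyProperties
import android.security.keystore.KeyProtection
import java.security.KeyFactory
import java.security.KeyPairGenerator
import java.security.KeyStore
import java.security.PrivateKey
import java.security.Signature
import java.security.cert.Certificate
import javax.security.auth.x500.X500Principal

// Added example helper; object name and alias are assumptions, not from the original answer.
object ClientCertStore {
    private const val PROVIDER = "AndroidKeyStore"
    private const val ALIAS = "client-auth-key"

    private fun androidKeyStore(): KeyStore =
        KeyStore.getInstance(PROVIDER).apply { load(null) }

    /**
     * Path 1: the app generates the key pair inside AndroidKeyStore and later asks the
     * API to issue a certificate for its public key. The private key is created in the
     * keystore and is never handed to app code.
     */
    fun generateKeyPair(requireUserAuth: Boolean) {
        val spec = KeyGenParameterSpec.Builder(
            ALIAS,
            KeyProperties.PURPOSE_SIGN or KeyProperties.PURPOSE_VERIFY
        )
            .setKeySize(2048)
            .setDigests(KeyProperties.DIGEST_SHA256)
            .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)
            .setCertificateSubject(X500Principal("CN=placeholder"))
            // The "one flag" from the answer: every private-key operation requires a
            // device unlock / biometric before the keystore will perform it.
            .setUserAuthenticationRequired(requireUserAuth)
            .build()
        KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA, PROVIDER).run {
            initialize(spec)
            generateKeyPair()
        }
    }

    /**
     * Path 2: the API delivers a PKCS#12 blob (private key plus issued chain). The key is
     * imported into AndroidKeyStore once; afterwards the app can use it but not export it.
     * The blob and password are the only plaintext copy, so they are wiped after import.
     */
    fun importPkcs12(p12: ByteArray, password: CharArray, requireUserAuth: Boolean) {
        val src = KeyStore.getInstance("PKCS12").apply { load(p12.inputStream(), password) }
        val srcAlias = src.aliases().toList().first { src.isKeyEntry(it) }
        val key = src.getKey(srcAlias, password) as PrivateKey
        val chain = src.getCertificateChain(srcAlias)
        val protection = KeyProtection.Builder(
            KeyProperties.PURPOSE_SIGN or KeyProperties.PURPOSE_VERIFY
        )
            .setDigests(KeyProperties.DIGEST_SHA256)
            .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)
            .setUserAuthenticationRequired(requireUserAuth)
            .build()
        androidKeyStore().setEntry(ALIAS, KeyStore.PrivateKeyEntry(key, chain), protection)
        password.fill('\u0000')
        p12.fill(0)
    }

    /** Use the key without ever seeing it: the data goes to the keystore, the signature comes back. */
    fun sign(data: ByteArray): ByteArray {
        val key = androidKeyStore().getKey(ALIAS, null) as PrivateKey
        return Signature.getInstance("SHA256withRSA").run {
            // With the auth flag set, initSign throws UserNotAuthenticatedException
            // until the user has authenticated (e.g. through BiometricPrompt).
            initSign(key)
            update(data)
            sign()
        }
    }

    /** Checks worth logging once on first run before relying on the setup. */
    fun describeKey(): String {
        val key = androidKeyStore().getKey(ALIAS, null) as PrivateKey
        val info = KeyFactory.getInstance(key.algorithm, PROVIDER).getKeySpec(key, KeyInfo::class.java)
        return "hardwareBacked=${info.isInsideSecureHardware} " +
            "userAuthRequired=${info.isUserAuthenticationRequired} " +
            // getEncoded() is null for keystore keys: the provider refuses to export the material.
            "exportable=${key.encoded != null}"
    }

    fun certificateChain(): Array<Certificate>? = androidKeyStore().getCertificateChain(ALIAS)
}
```

Two caveats for the MDM part of the question: `describeKey()` is the check to run, because on devices without a hardware keymaster the key is still protected by the keystore but `isInsideSecureHardware` is false, and certificates pushed by a device-management tool normally land in the system credential store rather than the app's keystore, which an app reaches through `android.security.KeyChain` instead of `AndroidKeyStore`.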