I want to know how to securely store encryption key in Android? What is the best scenario to protect encryption and secrete keys?
5 Answers
Answers 1
From your comments, you need to encrypt data using a local key for current Android versions and the old ones
Android Keystore is designed to generate and protect your keys. But it is not available for API level below 18 and it has some limitations until API level 23.
You will need a random symmetric encryption key, for example AES. The AES key is used to encrypt and decrypt you data. I'm going to summarize your options to generate and store it safely depending on Android API level.
API Level < 18: Android Keystore not present. Request a password to the user, derive an encryption key from the password, The drawback is that you need to prompt for the password when application starts. The encryption key it is not stored in the device. It is calculated each time when the application is started using the password
API Level >=18 <23: Android Keystore available without AES support. Generate a random AES key using the default cryptographic provider (not using AndroidKeystore). Generate a RSA key pair into Android Keystore, and encrypt the AES key using RSA public key. Store encrypted AES key into Android SharedPreferences. When application starts, decrypt the AES key using RSA private key
API Level >=23: Android Keystore available with AES support. Generate a random AES key using into Android Keystore. You can use it directly.
To encrypt to can use AES/CBC/PKCS7Padding
algorithm. It requires also a random initialization vector (IV) to encrypt your data, but it can be public.
Alternatives:
API level >14: Android Key Chain: KeyChain is a system-wide credential storage. You can install certificates with private keys that can be used by applications. Use a preinstalled key to encrypt/decrypt your AES key as shown in the second case above.
External token: The protected keys are not stored in the device. You can use an external token containing a private/public key pair that allows you to encrypt the AES key. The token can be accesed using bluetooth or NFC
Answers 2
You cannot place the encryption key inside your apk file. You may want to keep it in a remote server and decrypt using server. Or you may make it difficult for others by encoding the key and keeping it in non-obvious places. But there's no bullet proof solution for this.
Answers 3
There is no way to securely save your private api keys into code. But you can use NDK to securely save private keys. It is not trivial to get key from NDK. Secue Key With NDK Example
Answers 4
You can use Android Keystore system to store and retrieve sensitive information. Read this 5 minute article to understand how it works. Using the Android Keystore system to store and retrieve sensitive information
Answers 5
You will need a random symmetric encryption key, for example AES. The AES key is used to encrypt and decrypt you data. I'm going to summarize your options to generate and store it safely depending on Android API level
0 comments:
Post a Comment