4

I'm new to android and security.

My app uses an encrypted DB which is encrypted by a private key. I want to find a way to store this private key in a protected place, without adding any additional password/pin code.

From what I've read, Android's keystore is the place to do it, but from my understanding, if I'll use it, it demands that I'll set a pin code for the device (which I don't want to do!).

Any suggestions regarding where to store this key and how? (any keystore related solution is acceptable as long as I don't have to set a pin code)

My direction is using some external open source keystore (any suggestions?) which I'll compile as part of my app (and because android doesn't share information between apps it will be ok to use).

I'm aware that my last assumption isn't correct when using a rooted device, but for my case I use only non-rooted devices.

I've searched a lot (here and else where) and couldn't find what I was looking for...

Any help is highly appreciated!! 10x

krushi
  • 321
  • 1
  • 3
  • 9

1 Answers1

1

One thing you need to keep in mind is that the KeyChain isn't available until API 14. If you intend on targeting earlier API versions you need another option. You could use SpongyCastle to create your own KeyStore.

If you are not going to ask the user for a password you should at the very least obscure the password.

public class MainActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        KeyStore ks = null;
        try {
            ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(null,null);

            // Add certs or keys

            ks.store(new FileOutputStream(new File(getFilesDir(),"out.bks")),"password".toCharArray());
        } catch (KeyStoreException e) {
            e.printStackTrace();
        } catch (CertificateException e) {
            e.printStackTrace();
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    static {
        Security.insertProviderAt(new org.spongycastle.jce.provider.BouncyCastleProvider(), 1);
    }
}
Frohnzie
  • 3,559
  • 1
  • 21
  • 24
  • Right, I'm targeting also at earlier API versions... I don't want only to obsecure the private key, but to really protect it. I understand that this can be done only by user entering a password. I don't have a problem with that, as long as it doesn't happens everytime (like pin-code). So again - I think I need an external keystore solution... thanks – krushi Jul 02 '13 at 15:05
  • Once you get the key you can cache the key or cache the password in memory. – Frohnzie Jul 02 '13 at 15:21
  • First - thanks a lot for your help, it is appreciated a lot! I don't think saving it in memory is a good idea, since when my app goes to background, android can kill it, and next time I enter it, restore it without this data in memory... and what about the most important thing - what external "keystore" (or for this matter - protected storage) can I use? again - thanks a lot! – krushi Jul 03 '13 at 06:48
  • If you want the key to be retained between activities you can store it in the application context. If the app gets kill the user will just have to renter the password. Otherwise, you should use the Android keystore. – Frohnzie Jul 04 '13 at 01:00