0

I'm trying to store a keypair into Android's keystore. So far, i have this test code : 

KeyPairGenerator keygen = KeyPairGenerator.getInstance("RSA");
keygen.initialize(2048);
KeyPair keypair = keygen.generateKeyPair();
PrivateKey priv = keypair.getPrivate();
PublicKey pub = keypair.getPublic();
String passwd = "Insert some strong password here.";
Certificate[] certChain = new Certificate[1];
certChain[0] = generateCertificate(keypair);
ks.setKeyEntry("test", priv, passwd.toCharArray(), certChain);

The generateCertificate method is using Bouncy Castle library.

When i run this code, i get a java.security.KeyStoreException: entries cannot be protected with passwords

Which is stange, since setKeyEntry do have a password argument. How can i get rid of this ? And is using a strong-string password stored in app's source code safe ?

Thanks.

Rogue
  • 751
  • 1
  • 17
  • 36
  • 1
    A password stored in the source is never safe, does not matter if it is strong or not. – Henry Dec 19 '14 at 23:40

1 Answers1

2

Apparently despite the fact that the method takes a password parameter, the AndroidKeystore implementation does not support this, take a look at line 200 in the source.

In any case, a password, whether strong or weak that is stored anywhere on the device is unsafe. This is especially true of source code (including source code in general, non-android contexts). If I get my hands on your app's APK, I can use one of several excellent APK analysis tools to access the class's constant pool, which will contain the password in plain text. No amount of obfuscation could prevent this, or even make it more difficult. This is perhaps the reason that the AndroidKeystore implementation doesn't allow this.

The whole point of the key store service on android device (it's actually implemented as a separate process you can talk to via a unix socket) is to protect access to sensitive material by requiring a users passcode to unlock it, so there's no point in putting a password on your key pairs or other secrets.. In more recent phones, this is all implmented in hardware, which provides very strong security.

jjm
  • 6,028
  • 2
  • 24
  • 27
  • Got it, no harcoded password. I re-build a solution, right here : http://pastebin.com/ay4VwRX6 This is a safer one, isn't it ? – Rogue Dec 19 '14 at 23:59
  • @Rogue, it's safer in that you're no longer hardcoding a password, yes. But to really say whether it's actually safe in general, I'd have to know more about what you're going to do with the key. – jjm Dec 20 '14 at 04:23
  • Oh, Well I'll use it to encrypt strings, and send encrypted datas to a server. (and thanks for answering btw :)) – Rogue Dec 20 '14 at 09:33
  • What if I have this scenario ?http://stackoverflow.com/questions/40548551/how-to-generate-keypair-in-android-keystore-protected-by-custom-password . This way my keypair password will not be stored in apk, it will be entered by user. How can I apply password protection? – Dadroid Nov 11 '16 at 15:21