2

My Android application has account, password and other important information that needs to be stored in its database. So, being concerned about security, I am now studying how to encrypt these data before saving them in the database and decrypt them again when needed.

Using a salt and iterations can make the encrypted data stronger. This part I understand how to do. But my concern comes from the fact that there is a lot of discussion that does not suggest hard-coding the AES key or PBE key. But without the key, I can't decrypt the data again (I do need to decrypt it again).

Is there any good suggestion for an Android application to save the key?

Thanks a lot.

rodent_la
    Here is the best discussion that happened: http://stackoverflow.com/questions/1925486/android-storing-username-and-password And for ref: https://developers.google.com/identity/smartlock-passwords/android/store-credentials – Madhukar Hebbar Nov 23 '15 at 09:45
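The encrypt/decrypt step the question describes, as an added example that is not part of the original post: authenticated AES-GCM with a fresh random IV per record, so the salted/iterated key derivation can stay separate from the data format. It assumes the app already holds a `SecretKey` (from whichever key-management approach it chooses), that the provider generates the IV (which is what Android Keystore keys require on API 23+), and that `GCMParameterSpec` is available (API 19+). The `aad` parameter is a constructed convention for this example: passing the row id or column name as additional authenticated data makes a ciphertext copied into another row or field fail to decrypt.

```java
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added example; field format is IV_LENGTH (1 byte) || IV || ciphertext || GCM tag.
public final class FieldCrypto {
    private static final String TRANSFORMATION = "AES/GCM/NoPadding";
    private static final int TAG_BITS = 128; // authentication tag length

    /** Encrypts one database field value. aad (may be null) binds the blob to its location. */
    public static byte[] encrypt(SecretKey key, byte[] plaintext, byte[] aad) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.ENCRYPT_MODE, key); // no IV given: provider (or Keystore) picks a random one
        if (aad != null) c.updateAAD(aad);
        byte[] iv = c.getIV();
        byte[] ct = c.doFinal(plaintext); // ciphertext with the tag appended
        byte[] out = new byte[1 + iv.length + ct.length];
        out[0] = (byte) iv.length;
        System.arraycopy(iv, 0, out, 1, iv.length);
        System.arraycopy(ct, 0, out, 1 + iv.length, ct.length);
        return out;
    }

    /** Decrypts a blob produced by encrypt(); throws AEADBadTagException if it was altered. */
    public static byte[] decrypt(SecretKey key, byte[] blob, byte[] aad) throws Exception {
        int ivLen = blob[0] & 0xff;
        byte[] iv = Arrays.copyOfRange(blob, 1, 1 + ivLen);
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        if (aad != null) c.updateAAD(aad); // must match what was passed at encryption time
        return c.doFinal(Arrays.copyOfRange(blob, 1 + ivLen, blob.length));
    }
}
```

Usage: `byte[] blob = FieldCrypto.encrypt(key, password.getBytes("UTF-8"), "users.password".getBytes("UTF-8"));` stores into the column; `FieldCrypto.decrypt(key, blob, sameAad)` returns the original bytes. Because the IV travels with the record, nothing except the key itself has to be kept secret.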

2 Answers

1

It is suggested that the encryption key should be managed using Android Keystore; it is the safest option available on the device for managing the encryption key. Android Keystore went through lots of changes from the day it was made available to user applications, and that is why I have categorised the recommended approach by API level:

  • API Level < 18: Android does not support Keystore for API level 17 and below. For API level 17 and below, it is recommended that the application use PBKDF2 (Password-Based Key Derivation Function) securely, such that the application generates the encryption key at runtime during login (using the user's password). The encryption key should not be stored on the device and should be dynamically generated whenever required using the user's password, since there is no secure place on the device to manage the key.

  • API Level >= 18 and < 23: Android supports Keystore for API level 18 and above. However, for API level 22 and below, support for AES encryption is not available. It is recommended that the application generate a random AES key using the default cryptographic provider and encrypt the AES key using an RSA public key generated through Android Keystore via KeyPairGenerator. Once the encryption key is encrypted, it can be stored in the private data storage of the application (for example, SharedPreferences). When the application starts, the AES key can be decrypted using the RSA private key.

  • API Level >= 23: Android supports Keystore with AES support for API level 23 and above. We can directly generate a random AES key using the generateKey API, and it is managed automatically by Android Keystore.

Shiv Sahni
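The three API-level strategies from the answer above, written out as one added example (not the answerer's code). It assumes the Keystore aliases `db_aes_key` and `db_key_wrap`, the SharedPreferences file `crypto_prefs` and its two entry names, and a 100,000-iteration PBKDF2 count; all of these are constructed for the example. The `"AndroidOpenSSL"` provider name on the RSA cipher is the one Google's own Keystore sample used for API 18 to 22. Only the wrapped key (API 18 to 22) or the salt (API < 18) ever reaches app storage; on API 23+ the raw AES key never leaves the Keystore.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.os.Build;
import android.security.KeyPairGeneratorSpec;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Base64;
import java.math.BigInteger;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Calendar;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.x500.X500Principal;

// Added example: picks the key strategy per API level as the answer describes.
public final class DbKeyProvider {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String AES_ALIAS = "db_aes_key";   // assumed alias
    private static final String RSA_ALIAS = "db_key_wrap";  // assumed alias
    private static final String PREFS = "crypto_prefs";     // assumed prefs file
    private static final String PREF_WRAPPED = "wrapped_aes_key";
    private static final String PREF_SALT = "pbkdf2_salt";
    private static final int PBKDF2_ITERATIONS = 100_000;
    private final Context ctx;

    public DbKeyProvider(Context ctx) { this.ctx = ctx.getApplicationContext(); }

    /** AES key for the database; the password is only used on API < 18. */
    public SecretKey getKey(char[] password) throws Exception {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) return keystoreAesKey();
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR2) return rsaWrappedAesKey();
        return pbkdf2Key(password);
    }

    // API 23+: AES key generated inside the Keystore; the raw key never leaves it.
    private SecretKey keystoreAesKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        KeyStore.Entry e = ks.getEntry(AES_ALIAS, null);
        if (e instanceof KeyStore.SecretKeyEntry) return ((KeyStore.SecretKeyEntry) e).getSecretKey();
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(AES_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .build());
        return kg.generateKey();
    }

    // API 18-22: random AES key from the default provider, wrapped by a Keystore RSA key.
    private SecretKey rsaWrappedAesKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        if (!ks.containsAlias(RSA_ALIAS)) {
            Calendar end = Calendar.getInstance();
            end.add(Calendar.YEAR, 25);
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", KEYSTORE);
            kpg.initialize(new KeyPairGeneratorSpec.Builder(ctx).setAlias(RSA_ALIAS)
                    .setSubject(new X500Principal("CN=" + RSA_ALIAS)).setSerialNumber(BigInteger.ONE)
                    .setStartDate(Calendar.getInstance().getTime()).setEndDate(end.getTime()).build());
            kpg.generateKeyPair();
        }
        KeyStore.PrivateKeyEntry rsa = (KeyStore.PrivateKeyEntry) ks.getEntry(RSA_ALIAS, null);
        SharedPreferences prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        // Provider name as used by Google's Keystore sample for these API levels.
        Cipher wrap = Cipher.getInstance("RSA/ECB/PKCS1Padding", "AndroidOpenSSL");
        String stored = prefs.getString(PREF_WRAPPED, null);
        if (stored != null) {
            wrap.init(Cipher.DECRYPT_MODE, rsa.getPrivateKey());
            return new SecretKeySpec(wrap.doFinal(Base64.decode(stored, Base64.DEFAULT)), "AES");
        }
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        wrap.init(Cipher.ENCRYPT_MODE, rsa.getCertificate().getPublicKey());
        prefs.edit().putString(PREF_WRAPPED, Base64.encodeToString(wrap.doFinal(raw), Base64.DEFAULT)).apply();
        return new SecretKeySpec(raw, "AES");
    }

    // API < 18: derive the key from the user's password at login; only the random salt is stored.
    private SecretKey pbkdf2Key(char[] password) throws Exception {
        SharedPreferences prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        String stored = prefs.getString(PREF_SALT, null);
        byte[] salt = stored == null ? new byte[16] : Base64.decode(stored, Base64.DEFAULT);
        if (stored == null) {
            new SecureRandom().nextBytes(salt);
            prefs.edit().putString(PREF_SALT, Base64.encodeToString(salt, Base64.DEFAULT)).apply();
        }
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
                .generateSecret(new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, 256)).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }
}
```

Usage: `SecretKey key = new DbKeyProvider(context).getKey(passwordChars);` at login, then hand the key to whatever AES routine encrypts the database fields. On the PBKDF2 path, clear `passwordChars` after the call; the derived key is recomputed from the password on every login rather than stored, which is the point of that branch.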
-2

Save your data in a .so file. You need to implement NDK integration in your project. It will make it much more difficult to hack, and you can get your value back from the C++ file. Also check the package name in C++ to make sure your .so file is not used by any other application.

Farooq Arshed