15

Android supports cloud and local backup of APK files, application data, and so on. Is the device keystore included in the backup?

(I don't think you can extract private keys from a hardware-backed keystore even on rooted devices, not so sure about the software-based version used when there is no hardware support.)

Daniel

3 Answers

11

No. The whole point behind the hardware-backed keystore is that it's resistant to even privileged attacks with root access.

For this reason, not even the OS can access raw key material from the hardware-backed keystore.

While it would be theoretically possible for the OS to do a keystore backup on lower end devices with a software-backed keystore, this is simply not done or allowed by the OS for security reasons.

Trevor Johns
1

You cannot back up the Keystore, so when your encrypted data is restored you won't be able to decrypt it.

You have to find a different way to backup data, for example:

  • Store user data on a backend
  • Use a user-stored token to decrypt the backup
  • Have a static password for all apps
  • Export backup manually by the user in settings

I wrote about it more here: https://medium.com/@thecodeside/android-auto-backup-keystore-encryption-broken-heart-love-story-8277c8b10505

Artur Latoszewski
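The "user-stored token" option from the list above, as an added Java example that is not from the answer or its linked article: data that must survive an Android backup restore is sealed under a key derived from a user-held passphrase with PBKDF2, so the key can be re-derived on the new device, while the AndroidKeyStore key (never exported, never backed up) is kept for device-local data only. The class name BackupCrypto, its method names, the 310,000 PBKDF2 iteration count and the salt || iv || ciphertext blob layout are this example's own choices.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.nio.ByteBuffer;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical helper written for this example; not code from the original post. */
public final class BackupCrypto {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final int SALT_LEN = 16;      // PBKDF2 salt, stored with the blob
    private static final int IV_LEN = 12;        // GCM nonce, stored with the blob
    private static final int TAG_BITS = 128;     // GCM authentication tag length
    private static final int PBKDF2_ITERS = 310_000; // example choice; slows offline guessing
    private static final SecureRandom RNG = new SecureRandom();

    /**
     * Device-bound key: generated inside AndroidKeyStore, never exported to the app,
     * and (as the answers above say) never included in any backup. Use it only for
     * data that is acceptable to lose when the device is replaced.
     */
    public static SecretKey getOrCreateDeviceKey(String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        if (ks.containsAlias(alias)) {
            return ((KeyStore.SecretKeyEntry) ks.getEntry(alias, null)).getSecretKey();
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(alias,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .build());
        return kg.generateKey();
    }

    /** Backup key: derived from a secret the user holds, so it exists on the new device too. */
    static SecretKey deriveBackupKey(char[] passphrase, byte[] salt) throws Exception {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        KeySpec spec = new PBEKeySpec(passphrase, salt, PBKDF2_ITERS, 256);
        byte[] raw = f.generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    /** Blob layout (example's own): salt(16) || iv(12) || AES-GCM ciphertext+tag. */
    public static byte[] sealForBackup(char[] passphrase, byte[] plaintext) throws Exception {
        byte[] salt = new byte[SALT_LEN];
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveBackupKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(salt); // bind the salt into the tag so it cannot be swapped silently
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(SALT_LEN + IV_LEN + ct.length).put(salt).put(iv).put(ct).array();
    }

    /** Reverses sealForBackup on the restored device; a wrong passphrase or a modified blob fails the GCM tag. */
    public static byte[] openFromBackup(char[] passphrase, byte[] blob) throws Exception {
        ByteBuffer b = ByteBuffer.wrap(blob);
        byte[] salt = new byte[SALT_LEN];
        byte[] iv = new byte[IV_LEN];
        byte[] ct = new byte[blob.length - SALT_LEN - IV_LEN];
        b.get(salt);
        b.get(iv);
        b.get(ct);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveBackupKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(salt);
        return c.doFinal(ct); // throws javax.crypto.AEADBadTagException on mismatch
    }
}
```

On the new device the app prompts for the passphrase and calls openFromBackup on the restored blob; the passphrase itself must live with the user (or in a backend the user authenticates to), never in a file the backup service copies. Anything sealed only under getOrCreateDeviceKey stays unreadable after a restore, which is the failure mode the answer describes.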
-3

A July 13, 2016 check with the official docs says no:

"What gets backed up with Android Backup Service

  • Google Calendar settings
  • Wi-Fi networks & passwords
  • Home screen wallpapers
  • Gmail settings
  • Apps installed through Google Play (backed up on the Play Store app)
  • Display settings (Brightness & Sleep)
  • Language & Input settings
  • Date & Time
  • Third-party app settings & data (varies by app)

Note: Not all apps use Android Backup Service. Some apps may not back up and restore all data."

Of course backing up and restoring apps that use the KeyStore without the KeyStore itself being backed up and restored with the account makes little or no sense.

Though it's possible they did not update their docs, my best guess is that the KeyStore is backed up but that information is not made widely available.

Possibly due to the backup not being encrypted prior to transport, which is the Google backup standard. They may have made an exception for the keystore, but that would indicate all other data isn't as secure when transported nor when received by their servers (they do encrypt the data once they receive it).

Community
  • Sorry, but this is totally incorrect. The Android Keystore is simply not backed up, by design. On hardware-backed keystores, the raw key material isn't even accessible to the OS. – Trevor Johns Aug 08 '18 at 18:08