86

Is there an equivalent to iOS's Keychain on Android?

My understanding of the Preferences API is that it is not encrypted. For my application it doesn't matter whether these credentials are persisted across devices (i.e. a different use-case to iPhone-like Keychain in Android?)

I also looked at the KeyStore API but it seems to leave the actual storage of user credentials up to the application developer.

Josh Correia
  • 3,807
  • 3
  • 33
  • 50
FXbeckers
  • 1,071
  • 1
  • 8
  • 10

4 Answers4

10

Short answer, there isn't one. But you can expect the filesystem to be secure.

Each app operates under a different user, and the filesystem used to store app data is secured by normal UNIX user permissions. So each app's file access is sandboxed by default. The filesystem also may be encrypted.

This page from the developer's site explains it better: http://developer.android.com/guide/topics/security/security.html

nmr
  • 16,625
  • 10
  • 53
  • 67
6

Actually there is:

By integrating Smart Lock for Passwords into your Android app, you can automatically sign users in to your app using the credentials they have saved. Users can save both username-password credentials and federated identity provider credentials.

Integrate Smart Lock for Passwords into your app by using the Credentials API to retrieve saved credentials on sign-in. Use successfully retrieved credentials to sign the user in, or use the Credentials API to rapidly on-board new users by partially completing your app's sign in or sign up form. Prompt users after sign-in or sign-up to store their credentials for future automatic authentication.

https://developers.google.com/identity/smartlock-passwords/android/

neteinstein
  • 17,529
  • 11
  • 93
  • 123
  • 3
    This API does not really facilitate storing arbitrary OAuth tokens etc. It seems to more provide a way for the user to sign into your app. For apps which are providing secured access to other services, its not useful. Doesn't really answer the original question – yano Jul 03 '17 at 18:17
  • You can look at it from a different perspective. If you can only store user and password why don't you persist that only and maintain the token in memory only. Whenever the app restarts it re-authenticates. Not brilliant, but currently seems the safest way. – neteinstein Nov 15 '17 at 16:10
  • 1
    I will repeat that "this is not equivalent or appropriate approach" for such task. Smart Lock is equivalent of "Save Credentials/Password" in Browser. You can use "username/password" saved in browser in mobile apps and vice versa. Also This library requires Google Play Services, which is not feasible for all devices. – Jemshit Feb 18 '21 at 09:45
  • this is totally wrong and different, I'm afraid – Fattie Jun 27 '22 at 14:26
4

Expanding upon @DJPlayer's answer:

Some relevant articles. The third includes a github app that demonstrates using the keystore provider to generate keys and then encrypt strings.

Also see Android Storage Options for ways to store the encrypted password - my recommendation is Shared Preferences.

Note that according to the second article with root access and a bit of knowledge of how your app uses the keystore (which might be obtainable from decompiling your apk), it's possible to hijack the private key and use it to decrypt encrypted material (ex: the persisted password)

Stan Kurdziel
  • 5,476
  • 1
  • 43
  • 42
  • 1
    For the third article, once the keys are generated and then used to encrypt plaintext, where are the encrypted strings then stored? – Android Noob Dec 24 '15 at 16:12
-3

http://developer.android.com/reference/android/security/KeyChain.html

Keychain for OS 4.0

DJPlayer
  • 3,244
  • 2
  • 33
  • 40