7

I'm planning to use flutter_secure_storage in my app to keep some private keys and tokens. I'm looking for limitations of secure storage on both Android and iOS but I cannot find answers to some of the questions:

  1. How big is KeyChain and KeyStore storage on iOS and Android, respectively?
  2. How many keys can we store inside?
  3. How big can individual key be?
  4. What is lifetime of the storage? Does it exist only while app is installed? Is it persistent of ephemeral?

Thanks

Andrija
  • 14,037
  • 18
  • 60
  • 87

1 Answers1

10

Secure storage is like Shared Prefences/NSUserDefaults. It stores data in key-value pairs. The data is encrypted and uses a key made from a unique device key to encrypt and decrypt the data stored. The data is stored somewhere in the root directory where only the OS can access it.

  1. There is no storage limitations for secure storage (There is no space limits mentioned in any docs but I do think that you cannot store large amounts of data that are 1Gb+)
  2. You can store an unlimited amount of keys inside
  3. Based on MKJParekh's answer, you can store up to 2147483647 characters.
  4. The data gets deleted once the app is uninstalled. (Take note that the data in secured storage can't be backed up in Android) Take a look at this

Do not use secure storage for storing sensitive private keys and tokens. You didn't specify what private keys and tokens you're going to store in secure storage. You might be storing your database credentials or something that another user shouldn't obtain. Although data being stored in secure storage is encrypted, it isn't entirely secure. Users can root/jailbreak their devices which gives them full control of the OS. There are tools that can intercept keys as they are provided and use it to decrypt the data. The only way to prevent that is to never give the keys to the user. You should store it in a server that you can control. (Firebase Cloud Functions, AWS EC2, or your own VPS) are examples of these severs.

When to use Secure Storage
Use secure storage to store data that should be encrypted and hidden from the user. That data should store only store user's sensitive data such as their api keys and not your server private keys.

CoderUni
  • 5,474
  • 7
  • 26
  • 58
  • If I place anything inside secure storage, I would store it encrypted, not in plaintext. But I would use secure storage as yet another level of protection. – Andrija Sep 17 '20 at 19:15
  • I understood that this is a separate storage from internal memory, like a hardware vault inside a phone. But if it's part of phone memory, I guess it's big as phone memory is. I could not find any official documentation on this (yet). – Andrija Sep 17 '20 at 19:17
  • Yes, you can store an unlimited amount of data in the secure storage. It works like shared preferences but more secure. Regarding about the storage of your private key, I'm just really afraid that it gets stolen and hijacked. You can store it encrypted but you still need to decrypt it within your app. Your app can also be reverse engineered or hijacked to get the decryption key. I used to be like you, where I wanted to store my private keys.I've asked for many people's advice and they warned me not to.I really would like to share the same thing to people who would make the same mistake as me. – CoderUni Sep 18 '20 at 03:20
  • In terms of security, it is not a good idea to store your key in someone's device. It is like hiding my belongings from someone that has the key to my house. I could hide them somewhere obscure, but they still have the key to my house. You could store them in secure storage but its don't expect it to be hidden from the user all the time. Could you tell me what those private keys are so I could give a suggestion on what would be a better option in terms of ease of development and security? – CoderUni Sep 18 '20 at 03:26
  • Application requirement is for private keys to go into phone storage. It does not matter what are keys for, but they are important. It's up to me to investigate options how to store it securely. Is there anything wrong with using, e.g. AES-256 encryption with PIN + Biometrics + some salt to encrypt data? – Andrija Sep 18 '20 at 08:29
  • Sorry, I didn't see your previous answer. Yeah, I guess it will be up to user to physically secure device. But still, extracting from secure storage and decryption will be hard task. – Andrija Sep 18 '20 at 08:41
  • I'm relieved you won't be storing your aws server keys. Storing your user's keys really wouldn't be that much of a problem. It is the user's fault for not securing their device if their data gets stolen. Rooting/Jailbreaking a phone makes your device exposed to many vulnerabilities. Adding extra encryption would be a good choice but your biggest trade off is performance. You would have to encrypt and decrypt their data every time when you will read or write to the storage – CoderUni Sep 18 '20 at 09:10
  • Extracting the data from secure storage wouldn't be a hard task. It works like SharedPreferences. For encryption, I recommend using this package: pub.dev/packages/crypto . Based on the details you've provided, using secure storage would be enough and even better since you added encryption – CoderUni Sep 18 '20 at 09:10
  • 1
    @Andrija You should give your bounty to him if you think the answer is correct by the way. – Furkan Yurdakul Sep 23 '20 at 10:12
  • @FurkanYurdakul is that all? what else should I do? – Andrija Sep 24 '20 at 08:37
  • Well it ended so :) – Furkan Yurdakul Sep 24 '20 at 08:51
  • @FurkanYurdakul so I didn't have to do anything? – Andrija Sep 24 '20 at 17:42
  • KeyChain limitations: https://developer.apple.com/forums/thread/73314 – lnaie May 01 '23 at 20:05