Login/Register
Android Keystore's password protection
Asked Answered
androidsecurityxamarinxamarin.androidandroid-keystore
C

1

9

We used Anroid Keystore to store some confidential data and set up a password for Keystore. This passwords are used in conjunction with the KeyStore class in the load, getKey and setKeyEntry methods.

The Keystore itself is encrypted and app can only view and query its own data so we can say that data are somewhat secure inside Keystore but how we can secure the password that associated with keystore account? I found many example online and most of them having hardcoded password in code or use null parameter.

Please see in below example. I want to know what is the best approach to secure hardcoded password? Want to find a safe way in android device itself to store this hardcoded password. Assume that moving it to external place like database, service call etc. options are NOT available.

Context context;
KeyStore ks;
KeyStore.PasswordProtection prot;

static readonly object fileLock = new object ();

const string FileName = "Xamarin.Social.Accounts";
static readonly char[] Password = "3295043EA18CA264B2C40E0B72051DEF2D07AD2B4593F43DDDE1515A7EC32617".ToCharArray ();

public AndroidAccountStore (Context context)
{
    this.context = context;
    ks = KeyStore.GetInstance (KeyStore.DefaultType);
    **prot = new KeyStore.PasswordProtection (Password);**
    try {
        lock (fileLock) {
            using (var s = context.OpenFileInput (FileName)) {
                ks.Load (s, Password);
            }
        }
    }
    catch (FileNotFoundException) {
        //ks.Load (null, Password);
        LoadEmptyKeyStore (Password);
    }
}
Cheryllches answered 5/8, 2016 at 6:29 Comment(4)
Possible duplicate of What is the best way to hide the keystore password in Android?Trinitarianism
Or #21647188Trinitarianism
Or #12938141Trinitarianism
@Ketan, did you ever come up with a solution to this?Hedgerow
E
1

Assume that moving it to external place like database, service call etc. is NOT possible

You want to securely store sensitive information on the local user's machine. The only way to do that is encrypting it. The most popular encryption algorithm is AES, and luckily Microsoft included an implementation of it in C#.

However, encryption uses a secret key to encrypt/decrypt the data, so we're basically moving the problem back - now we need to store that encryption key securely.

You could hard-code that key in the app, but a dedicated attacker could still get it and decrypt the password.

Instead, get that password from the user. Ask them to provide a password, hash it (using e.g. SHA256) and use the hash as the key for the encryption.

Etoile answered 23/11, 2020 at 13:54 Comment(1)
You want to securely store sensitive information on the local user's machineAffiliate

© 2022 - 2024 — McMap. All rights reserved.