How to store Android KeyStore passwords securely

Asked 17/1, 2017 at 7:13 Answered 4/3, 2017 at 8:35

android security passwords keystore android-keystore

In one application I use the Android KeyStore. I have set up a password for the whole KeyStore and for each password entry. Since these passwords are strings they are stored in string members in code.

Oviously this is not safe if I want to publish the app, because a potential attacker could decompile an apk and get the password since it is hardcoded in the app.

My questions are:

In the scenario above: Would the attacker be able to read my keystore file or (on unrooted phones) may the file only be accessible by my app, so that the passwords alone are not sufficient?
What is the best practice to handle KeyStore passwords? I looked around but did not find a definitive answer how to handle this.

Edit for clearification: I do not talk about app signing but about storing cryptographic keys in the Android KeyStore protected with passwords. The app has to have access to the password during runtime to retrieve the key entries.

Example of the current code:

String keyStorePwd = "password1";
String keyEntryPwd = "password2";

FileInputStream fis = getApplicationContext().openFileInput("sms.keystore");
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());

ks.load(fis, keyStorePwd.toCharArray());

SecretKey key = (SecretKey) ks.getKey("aes_key_sms_notifier", keyEntryPwd.toCharArray());
fis.close();

Particia answered 17/1, 2017 at 7:13 Comment(4)

Maybe you could use github.com/scottyab/secure-preferences – Cirque 17/1, 2017 at 7:15

@Cirque Bad idea. For one- why would you trust a random library on github for security of all things? For a second- to encrypt a secure preference, you'd need the key. WHich means the key is in your app. Which makes it a pointless speed bump. – Chevrotain 17/1, 2017 at 7:17

using grade.properties.. store your pass there – Croak 17/1, 2017 at 8:3

@Croak how would I access the passwords during app runtime? e.g. I have stored AES keys in the KeyStore? – Particia 17/1, 2017 at 10:42

It is not recommended to store passwords in your APK. Much more when we're talking about keystore passwords. Yes, attackers can and will find ways to read passwords because that's what they do. Read recklessly included passwords in the APK. There's a way specified using gradle on how to store keystore passwords, assuming you use gradle.

PROPERTIES FILE
If you are using version control, modify your .gitignore file to exclude keystore.properties, which is a file that will contain your passwords. Then push it into the repo. Doing this will prevent other developers in a shared project from knowing the keystore details. You can now create the actual keystore.properties file in the root of your project. The file should contain the following:

keyAlias yourKeyAlias  
keyPassword yourKeyPassword  
storeFile pathOfYourKeyStoreFile  
storePassword passwordOfYourKeyStoreFile

GRADLE
After setting up your keystore.properties file, modify your module-level gradle build file by defining a properties variable outside your android { ... } clause such as:

def keystorePropertiesFile= rootProject.file("keystore.properties")  
def keystoreProperties = new Properties()  
keystoreProperties.load(new FileInputStream(keystorePropertiesFile))  

android { ... }

Inside android { ... }, declare signingConfigs { ... } such that:

android {
  signingConfigs {
    config {
      keyAlias keystoreProperties['keyAlias']
      keyPassword keystoreProperties['keyPassword']
      storeFile file(keystoreProperties['storeFile'])
      storePassword keystoreProperties['storePassword']
    }
  }

  ...........  

}

Finally, still inside android { ... } inside of your module-level gradle build file, you're supposed to have buildTypes { ... } clause which contains debug { ... } and release { ... } configs as default. Modify the release configurations such that:

  buildTypes {
    debug {
      *insert debug configs here*
    }
    release {
      *insert release configs here*

      signingConfig signingConfigs.config
    }
  }

Defining signingConfig signingConfigs.config in release { ... } will allow you to automatically sign your APK whenever you choose to create a release build, all of these without storing your keystore passwords in your APK. Cheers!

Syblesybley answered 17/1, 2017 at 7:59 Comment(7)

If I use the key store to store keys for AES encryption and I need to access the KeyStore password from my app, how would I do that? Is it possible with this gradle solution? – Particia 17/1, 2017 at 9:17

@Particia can you describe what it is that you're trying to accomplish? I think AES keys are not what you actually need. – Escapement 15/4, 2017 at 4:37

I wanted to implement a secure communication between a desktop computer and an app. To achieve that I wanted to store keys and certificates in the keystore. My thinking was how to store the password to this keystore securely so that no one can access the key store secrets. – Particia 15/4, 2017 at 5:36

Are you sure that the passwords will not be in apk with this method? – Deed 19/3, 2018 at 8:45

I don't think this is answering the question. Handling passwords of the local keystore where Android studio resides is reasonably trivial (the answer is good for that) but securely storing a password that the app needs to use at run time is difficult if the password is not user give, but needs to be stored at build time. – Identical 15/5, 2019 at 7:39

@Deed yes, you decide where to put the keystore.properties file. You could put it on a usb drive if you wanted to. – Jasik 3/11, 2021 at 15:45

Doesn't keystore.properties need to have an equals sign between each key/value pair? (Agreed that this doesn't answer the question, but this is what I was looking for: how to get the passwords out of the gradle files). – Mcgean 6/11, 2021 at 19:11

It is impossible to make an absolute solution to protect passwords in Android applications (.apk files). But you can try to protect it by:

Obfuscate your source code. Others will take a lot of time to find out the method you used to protect information.
Obfuscate all strings in your source code. All clear-text strings will be hidden, no one can see it easily.

You can do it by two way:

Obfuscate all strings manually, then use Proguard for obfuscating source code.
Use: Bg+ Anti Decompiler/Obfuscator. It's is a new solution for protecting Android Java Source by obfuscating, hiding, faking, checking,... techniques

Ophthalmic answered 4/3, 2017 at 8:35 Comment(0)

Recommended topics

Hot tags