Limitations of secure storage - KeyChain and KeyStore

I'm planning to use flutter_secure_storage in my app to keep some private keys and tokens. I'm looking for limitations of secure storage on both Android and iOS but I cannot find answers to some of the questions:

  1. How big is KeyChain and KeyStore storage on iOS and Android, respectively?
  2. How many keys can we store inside?
  3. How big can an individual key be?
  4. What is the lifetime of the storage? Does it exist only while the app is installed? Is it persistent or ephemeral?

Thanks

Trumantrumann answered 14/9, 2020 at 14:59 Comment(0)

Secure storage is like SharedPreferences/NSUserDefaults. It stores data in key-value pairs. The data is encrypted and uses a key made from a unique device key to encrypt and decrypt the data stored. The data is stored somewhere in the root directory where only the OS can access it.

  1. There are no storage limitations for secure storage (there are no space limits mentioned in any docs, but I do think that you cannot store large amounts of data that are 1Gb+)
  2. You can store an unlimited amount of keys inside
  3. Based on MKJParekh's answer, you can store up to 2147483647 characters.
  4. The data gets deleted once the app is uninstalled. (Take note that the data in secured storage can't be backed up in Android) Take a look at this

Do not use secure storage for storing sensitive private keys and tokens. You didn't specify what private keys and tokens you're going to store in secure storage. You might be storing your database credentials or something that another user shouldn't obtain. Although data being stored in secure storage is encrypted, it isn't entirely secure. Users can root/jailbreak their devices, which gives them full control of the OS. There are tools that can intercept keys as they are provided and use them to decrypt the data. The only way to prevent that is to never give the keys to the user. You should store them on a server that you can control. (Firebase Cloud Functions, AWS EC2, or your own VPS) are examples of these servers.

When to use Secure Storage
Use secure storage to store data that should be encrypted and hidden from the user. It should only store the user's sensitive data, such as their API keys, and not your server private keys.

Wellknit answered 17/9, 2020 at 13:19 Comment(13)
If I place anything inside secure storage, I would store it encrypted, not in plaintext. But I would use secure storage as yet another level of protection. - Trumantrumann
I understood that this is a separate storage from internal memory, like a hardware vault inside a phone. But if it's part of phone memory, I guess it's as big as phone memory is. I could not find any official documentation on this (yet). - Trumantrumann
Yes, you can store an unlimited amount of data in the secure storage. It works like shared preferences but more secure. Regarding the storage of your private key, I'm just really afraid that it gets stolen and hijacked. You can store it encrypted but you still need to decrypt it within your app. Your app can also be reverse engineered or hijacked to get the decryption key. I used to be like you, where I wanted to store my private keys. I've asked for many people's advice and they warned me not to. I really would like to share the same thing with people who would make the same mistake as me. - Wellknit
In terms of security, it is not a good idea to store your key on someone's device. It is like hiding my belongings from someone that has the key to my house. I could hide them somewhere obscure, but they still have the key to my house. You could store them in secure storage, but don't expect it to be hidden from the user all the time. Could you tell me what those private keys are so I could give a suggestion on what would be a better option in terms of ease of development and security? - Wellknit
The application requirement is for private keys to go into phone storage. It does not matter what the keys are for, but they are important. It's up to me to investigate options for how to store them securely. Is there anything wrong with using, e.g., AES-256 encryption with PIN + Biometrics + some salt to encrypt data? - Trumantrumann
Sorry, I didn't see your previous answer. Yeah, I guess it will be up to the user to physically secure the device. But still, extracting from secure storage and decryption will be a hard task. - Trumantrumann
I'm relieved you won't be storing your AWS server keys. Storing your user's keys really wouldn't be that much of a problem. It is the user's fault for not securing their device if their data gets stolen. Rooting/Jailbreaking a phone makes your device exposed to many vulnerabilities. Adding extra encryption would be a good choice but your biggest trade-off is performance. You would have to encrypt and decrypt their data every time you read or write to the storage. - Wellknit
Extracting the data from secure storage wouldn't be a hard task. It works like SharedPreferences. For encryption, I recommend using this package: pub.dev/packages/crypto . Based on the details you've provided, using secure storage would be enough and even better since you added encryption. - Wellknit
@Trumantrumann You should give your bounty to him if you think the answer is correct, by the way. - Downe
@FurkanYurdakul Is that all? What else should I do? - Trumantrumann
Well it ended so :) - Downe
@FurkanYurdakul So I didn't have to do anything? - Trumantrumann
KeyChain limitations: developer.apple.com/forums/thread/73314 - Ichthyic
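
The PIN-plus-salt wrapping asked about in the comments, as an added example (not code from this thread or from flutter_secure_storage): the secret is sealed with AES-256-GCM under a scrypt-derived key, and the resulting string is what would be written as the secure-storage value. It uses Node's built-in crypto so it runs anywhere; the `Map` stand-in, blob layout, scrypt parameters and all names are assumptions made here.

```javascript
const { randomBytes, scryptSync, createCipheriv, createDecipheriv } = require('node:crypto');

// Assumed scrypt cost (about 32 MiB per guess); tune to the slowest device you support.
const KDF = { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Returns one base64 string (version | salt | nonce | tag | ciphertext), the
// shape a key-value secure storage expects as its value.
function wrapSecret(secret, pin) {
  const salt = randomBytes(16);   // per-record salt, stored next to the ciphertext
  const nonce = randomBytes(12);  // fresh 96-bit GCM nonce for every write
  const key = scryptSync(pin, salt, 32, KDF);
  const cipher = createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([cipher.update(secret), cipher.final()]);
  return Buffer.concat([Buffer.from([1]), salt, nonce, cipher.getAuthTag(), ct]).toString('base64');
}

// Returns the secret, or null when the PIN is wrong or the blob was modified.
function unwrapSecret(blob, pin) {
  const raw = Buffer.from(blob, 'base64');
  if (raw.length < 45 || raw[0] !== 1) throw new Error('unsupported blob format');
  const salt = raw.subarray(1, 17);
  const nonce = raw.subarray(17, 29);
  const tag = raw.subarray(29, 45);
  const decipher = createDecipheriv('aes-256-gcm', scryptSync(pin, salt, 32, KDF), nonce);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(raw.subarray(45)), decipher.final()]);
  } catch {
    return null; // GCM tag mismatch
  }
}

function demo() {
  const store = new Map();          // stand-in for the platform secure storage
  const secret = randomBytes(32);   // constructed sample key material
  store.set('signing_key', wrapSecret(secret, '493817'));
  const blob = store.get('signing_key');
  const bytes = Buffer.from(blob, 'base64');
  bytes[bytes.length - 1] ^= 0x01;  // simulate on-disk modification
  return {
    roundTrip: unwrapSecret(blob, '493817').equals(secret),
    wrongPin: unwrapSecret(blob, '000000'),
    tampered: unwrapSecret(bytes.toString('base64'), '493817'),
  };
}

console.log(demo());
```

A 6-digit PIN has only 10^6 possible values, so the scrypt cost is the only thing slowing offline guessing once the blob has been copied off the device. Biometrics contribute no key material to this scheme; on both platforms they gate the release of a key held by the OS instead.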
