Storing keys in Android

As the page says:

Use the KeyChain API when you want system-wide credentials

The purpose of the KeyChain API is to use username/password credentials to get a 'token' that this app (and potential other apps) can use. The KeyChain is also used a lot for syncing private information (like mails) in the background.

But in your case it sounds that you just want to store a private RSA key. In this case the Keystore is a better solution. Note that the Keystore only works on devices 4.3+, this is because it uses hardware supported secure storage (like ARM Trustzone and other secure execution environments) in order to store its private keys (if a hardware module is present). This feature was added in Android 4.3.

To use the Keystore you need to generate a certificate with the public key and save it with the private key in the Keystore. The Keystore uses the users lockscreen pattern/pin/etc. (if present) to encrypt the private key. Note that this sometimes lead to the irritating fact that the user cannot disable its lock-screen anymore as long as the user doesn't wipe it's certificate store or remove the app (under Android <= 5), so make sure to delete the certificate when the key is no longer needed. The Keystore will save the private key in the hardware module (if present) so it's much harder to extract the private key, or for other apps to encrypt data using the private key. Still it's not 100% fool-proof, since new exploits are found and root can circumvent (in some way) this extra layer of protection. But it's still better than saving your private key in a file.

Also if you want a deeper understanding of how this all works 'under the hood', I would recommend reading this paper that goes in great detail about the Keystore and other security mechanisms in Android.

Recommended topics

Hot tags