Is there an equivalent to iOS's Keychain for user credentials on Android?

Asked 4/2, 2011 at 12:7 Answered 28/6, 2017 at 11:1

Is there an equivalent to iOS's Keychain on Android?

My understanding of the Preferences API is that it is not encrypted. For my application it doesn't matter whether these credentials are persisted across devices (i.e. a different use-case to iPhone-like Keychain in Android?)

I also looked at the KeyStore API but it seems to leave the actual storage of user credentials up to the application developer.

Brighten answered 4/2, 2011 at 12:7 Comment(0)

Short answer, there isn't one. But you can expect the filesystem to be secure.

Each app operates under a different user, and the filesystem used to store app data is secured by normal UNIX user permissions. So each app's file access is sandboxed by default. The filesystem also may be encrypted.

This page from the developer's site explains it better: http://developer.android.com/guide/topics/security/security.html

Latvina answered 16/3, 2011 at 16:13 Comment(5)

When you lock an iOS device with a password or pin code, those are used as part of the private key. The 6-minute hack is only applicable to unlocked devices. – Grubstake 2/2, 2012 at 5:9

what happens when the user changes the iOS passcode? it de/re-encrypts the keychain? – Ophiology 10/10, 2012 at 16:43

Every iOS runs in its own sanbox too. So the UNIX user separation is no excuse. Permissions separation is no alternative for an encrypted store! – Orsola 27/1, 2014 at 9:12

How do you persist the key on Android even when the user uninstalls and reinstalls the app? – Bastia 23/12, 2015 at 9:54

there is one, see the answer about SmartLock below (which is the correct answer). – Bax 16/6, 2019 at 8:38

Actually there is:

By integrating Smart Lock for Passwords into your Android app, you can automatically sign users in to your app using the credentials they have saved. Users can save both username-password credentials and federated identity provider credentials.

Integrate Smart Lock for Passwords into your app by using the Credentials API to retrieve saved credentials on sign-in. Use successfully retrieved credentials to sign the user in, or use the Credentials API to rapidly on-board new users by partially completing your app's sign in or sign up form. Prompt users after sign-in or sign-up to store their credentials for future automatic authentication.

https://developers.google.com/identity/smartlock-passwords/android/

Jarad answered 28/6, 2017 at 11:1 Comment(3)

This API does not really facilitate storing arbitrary OAuth tokens etc. It seems to more provide a way for the user to sign into your app. For apps which are providing secured access to other services, its not useful. Doesn't really answer the original question – Greybeard 3/7, 2017 at 18:17

You can look at it from a different perspective. If you can only store user and password why don't you persist that only and maintain the token in memory only. Whenever the app restarts it re-authenticates. Not brilliant, but currently seems the safest way. – Jarad 15/11, 2017 at 16:10

I will repeat that "this is not equivalent or appropriate approach" for such task. Smart Lock is equivalent of "Save Credentials/Password" in Browser. You can use "username/password" saved in browser in mobile apps and vice versa. Also This library requires Google Play Services, which is not feasible for all devices. – Landre 18/2, 2021 at 9:45

Expanding upon @DJPlayer's answer:

Some relevant articles. The third includes a github app that demonstrates using the keystore provider to generate keys and then encrypt strings.

Also see Android Storage Options for ways to store the encrypted password - my recommendation is Shared Preferences.

Note that according to the second article with root access and a bit of knowledge of how your app uses the keystore (which might be obtainable from decompiling your apk), it's possible to hijack the private key and use it to decrypt encrypted material (ex: the persisted password)

Tacket answered 12/10, 2015 at 8:34 Comment(1)

For the third article, once the keys are generated and then used to encrypt plaintext, where are the encrypted strings then stored? – Skyscape 24/12, 2015 at 16:12

-3

http://developer.android.com/reference/android/security/KeyChain.html

Keychain for OS 4.0

Stout answered 19/10, 2011 at 15:4 Comment(4)

... which appears to only store keys and certs, and not user credentials, which is what the questioner is interested in. – Dewie 6/12, 2011 at 17:6

@SixtenOtto you can store user credentials encrypted with some key, and store that key in keychain. There is, of course, more work to be done but it's doable. – Presignify 1/4, 2014 at 8:37

@DmitryZaytsev your suggestion from 2014 is implemented in Jetpack Security lib now :D – Landre 18/2, 2021 at 9:47

@JemshitIskenderov haha, nice. It only took 6 years :D – Presignify 21/2, 2021 at 10:21

Recommended topics

Hot tags