For my link archive:
- [WayBack] android – Using AES with AndroidKeyStore – Stack Overflow
- [WayBack] Android keystore system | Android Developers
- [WayBack] java – AES-encrypted key store – Code Review Stack Exchange (especially the review comments)
- [WayBack] Keystore redesign in Android M (which is version 6 with API level 23, and allowed storing symmetric keys in the keystore)
- [WayBack] Encryptor and Decryptor for data encryption.decryption using the Android KeyStore. · GitHub, via:
- [WayBack] How to display Java keystore SecretKeyEntry from command line – Stack Overflow
- [WayBack] KeyStore Explorer:
KeyStore Explorer is an open source GUI replacement for the Java command-line utilities keytool and jarsigner. KeyStore Explorer presents their functionality, and more, via an intuitive graphical user interface.
- [WayBack] android-ConfirmCredential/MainActivity.java at master · googlesamples/android-ConfirmCredential · GitHub
- [WayBack] Android Security: The Forgetful Keystore – SystemDotRun – Dorian Cussen’s Super Blog
- [WayBack] encryption – When using AES and CBC, is it necessary to keep the IV secret? – Information Security Stack Exchange
- [WayBack] Storing application secrets in Android’s credential storage
- [WayBack] KeyStore.SecretKeyEntry | Android Developers
- [WayBack] SecretKeySpec | Android Developers
Basically:
- storing encrypted data plus IV in preferences is OK
- store the symmetric encryption key (for instance an AES one) in the keystore for the application
- likely a salt is also needed, then store the salt with the IV and encrypted data
–jeroen
Presumptions:
- The keystore of a specific application UUID is only accessible by only that application UUID when the device has been unlocked by the user
- The keystore saves credentials in a secure way
- It is OK to save both the encrypted data and associated IV
Approach (plain data is “hashed application PIN”, encrypted data is “encrypted hashed application PIN”:
- store a symmetric AES key in the application key store
- after entering application PIN:
- hash the application PIN
- use the hashed application PIN to to enter the application
- from the keystore, obtain the symmetric AES key
- create a cipher based on the AES key
- use the cipher to obtain an IV, and to encrypt the hashed application PIN
- store the encrypted hashed application PIN and IV both in the application preferences
- when needing to enter the application, present the user to either enter the application PIN again or proof that they can pass the device unlock sequence (using an unlock activity)
- if the user provided the application PIN, then:
- hash the application PIN
- try to enter the application with the hashed application PIN
- proved the device unlock, then:
- from the preferences, obtain the IV and encrypted hashed application PIN
- from the keystore, obtain the symmetric AES key
- create a cipher based on the AES key
- decrypt the encrypted hashed application PIN using the cipher and the IV into the hashed application PIN
- try to enter the application with the hashed application PIN
- if the user provided the application PIN, then:
