Yeah, pretty much. The Android team doesn't seem to care much about security. We all have 0days they are not prepared to compensate for, nor seem eager to fix...
--
Regards,
Kristian Erik Hermansen
https://www.linkedin.com/in/kristianhermansen

On Sep 26, 2014 8:01 AM, "Joseph Birr-Pixton" <[email protected]> wrote:
> Hi Yogesh,
>
> I would counsel against using the keystore for storing anything. Apart
> from (as you've found) deleting things[1] all the time, it also
> sometimes leaks your private keys to other apps[2].
>
> I reported that vulnerability to the Android security team in March
> (and sent a patch!). Aside from an initial acknowledgement, the
> security team don't reply to email, and it hasn't been fixed.
>
> The difference in security response between the Android team and
> Google itself is startling.
>
> Cheers,
> Joe
>
> [1]: https://code.google.com/p/android/issues/detail?id=61989
> [2]: http://jbp.io/2014/04/07/android-keystore-leak/
>
> On 23 September 2014 13:13, Yogesh Lanjekar <[email protected]> wrote:
> > Hi,
> >
> > I am currently working on an Android application which is based on a
> > client-server architecture. For data security, I am using a public-private
> > key pair for data encryption and signing. I am using AndroidKeyStore for
> > storing the key pair. Below is the code to generate the key pair:
> >
> >     // Describe the key pair: alias, self-signed certificate subject, serial, validity, 2048-bit RSA
> >     KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(mContext)
> >             .setAlias(mPrivateKeyAlias)
> >             .setSubject(new X500Principal("CN=" + mPrivateKeyAlias))
> >             .setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()))
> >             .setStartDate(start.getTime())
> >             .setEndDate(end.getTime())
> >             .setKeySize(2048)
> >             .build();
> >
> >     // Generate through the AndroidKeyStore provider so the key pair is stored there
> >     KeyPairGenerator kpGenerator = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore");
> >     kpGenerator.initialize(spec);
> >     // Key pair will be saved in AndroidKeyStore
> >     KeyPair pair = kpGenerator.generateKeyPair();
> >
> > After executing this code, keystore-related files (CERT and PKEY files)
> > will be generated in the '/data/misc/keystore/user_0/' directory.
> >
> > I am encrypting application-sensitive data like the auth token and saving it
> > to Shared Pref for security reasons.
> >
> > But now, when the user changes the device password or PIN, the keystore files are
> > getting deleted, as the master key used for keystore encryption is generated using the
> > device credentials.
> >
> > Now, to fix this issue, I tried to keep the public-private key pair in RAM, and
> > when the password gets changed, from the onPasswordChanged(Context context, Intent
> > intent) method of DeviceAdminReceiver, I am executing the code below:
> >
> >     KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
> >     keyStore.load(null);
> >     // Re-import the in-memory private key together with its certificate chain
> >     keyStore.setKeyEntry(mPrivateKeyAlias,
> >             mPrivateKey.getPrivateKey(),
> >             null,
> >             new Certificate[] { mPrivateKey.getCertificate() });
> >
> > But after this code only the CERT file gets created in the
> > '/data/misc/keystore/user_0/' directory, and decryption using the private
> > key gives an invalid signature error.
> >
> > Also, I have shared my public key with the server and encrypted data with the
> > private key, so creating a new key pair would not be a better solution.
> >
> > So, how can I retain my public-private key pair after a device password
> > change? If there is no workaround, what is the exact use of AndroidKeyStore?
> > Where can I use it?
> >
> > Please help me.
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Android Security Discussions" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > To post to this group, send email to [email protected].
> > Visit this group at http://groups.google.com/group/android-security-discuss.
> > For more options, visit https://groups.google.com/d/optout.
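As an added example (not code from any message in this thread), a DeviceAdminReceiver that, after the credential change Yogesh describes, checks whether the AndroidKeyStore alias still resolves to a usable private-key entry whose public key matches the one enrolled with the server, and otherwise drops the now-undecryptable token and flags the account for re-enrolment instead of re-importing the cached key. It assumes Android API 18+ and that the app saved the enrolled public key in SharedPreferences at enrolment time; the alias and preference names are constructed for this example.

```java
import android.app.admin.DeviceAdminReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.SharedPreferences;
import android.util.Base64;
import android.util.Log;
import java.security.KeyStore;
import java.security.PublicKey;
import java.util.Arrays;

/** Hypothetical receiver: after a credential change, detect keystore key loss and force re-enrolment. */
public class KeyLossAdminReceiver extends DeviceAdminReceiver {
    private static final String TAG = "KeyLossAdminReceiver";
    static final String KEY_ALIAS = "app_signing_key";   // constructed alias, stands in for mPrivateKeyAlias

    /** True only if 'alias' still resolves to a PrivateKeyEntry whose public key equals
     *  'enrolledPublicKey' (X.509-encoded key the server already knows). False when the entry was
     *  wiped, when only a certificate survived, or when the key was silently replaced. */
    static boolean keyPairStillUsable(String alias, byte[] enrolledPublicKey) {
        try {
            KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
            ks.load(null);
            if (!ks.containsAlias(alias)) {
                return false;                                   // CERT/PKEY files are gone
            }
            KeyStore.Entry entry = ks.getEntry(alias, null);
            if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
                return false;                                   // certificate only: signing would fail
            }
            PublicKey pub = ((KeyStore.PrivateKeyEntry) entry).getCertificate().getPublicKey();
            return Arrays.equals(pub.getEncoded(), enrolledPublicKey);
        } catch (Exception e) {                                 // KeyStoreException, IOException, ...
            Log.w(TAG, "keystore probe failed", e);
            return false;
        }
    }

    @Override
    public void onPasswordChanged(Context context, Intent intent) {
        // Assumed: the enrolled public key was stored Base64-encoded in SharedPreferences at enrolment.
        SharedPreferences prefs = context.getSharedPreferences("enrollment", Context.MODE_PRIVATE);
        String enrolledB64 = prefs.getString("enrolled_pubkey_b64", null);
        byte[] enrolled = enrolledB64 == null ? new byte[0] : Base64.decode(enrolledB64, Base64.DEFAULT);
        if (!keyPairStillUsable(KEY_ALIAS, enrolled)) {
            // Re-importing a cached private key yields a CERT-only entry (see thread); re-enrol instead.
            prefs.edit().remove("encrypted_auth_token").putBoolean("reenroll_required", true).apply();
            Log.w(TAG, "key pair lost after credential change; re-enrolment required");
        }
    }
}
```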
