I'm struggling with coming up with a decent security strategy to bootstrap
some keys in android (api >= 16). I am storing some reasonably sensitive
data locally, and don't want to just write the data to a DB or a file
locally without any sort of encryption.
That means I need an encryption key (AES 256) somewhere to encrypt, say,
entries in SharedPreferences, or a file, or whatever. So far so good.
But how do I protect that AES key? I've tried using the KeyStore
("AndroidKeyStore") to generate an RSA keypair, which I use to wrap/unwrap
the AES key (apparently generating an AES key in the keystore isn't
supported in lower api levels, and even this strategy doesn't work < api
18). The hope is that that keypair is at least semi-securely stored
somewhere, preferably with hardware support on phones that have it.
This seems to mostly work on Android 4 and 5, but on Android 6, as soon as
the app restarts, and I retrieve the keypair from the KeyStore, the key is
unusable and I get "InvalidKeyException: Need RSA private or public key".
Is there a known (but unknown to me) bug in Android 6? Some new security
quirk that won't let me get the keypair back?
Anyone dealt with this sort of security-bootstrapping in android? Is there
some well-known and workable strategy people have used?
Regards,
jan
--
You received this message because you are subscribed to the Google Groups
"Android Security Discussions" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
Visit this group at http://groups.google.com/group/android-security-discuss.
For more options, visit https://groups.google.com/d/optout.
