Android credential storage: where to keep secret keys?

Question

Android credential storage: where to keep secret keys?

My application contains protected content that I want to encrypt. I want to store the secret key locally (mainly because my users do not use the authentication mechanism to log in).

These are the solutions that I found on Android

Android Keystore System : this sounds like the perfect solution, it greatly enhances the security of locally stored keys, but offers only encryption protocols for APIS 18+, while my application should support API 14.
KeyChain API : it mainly helps to distribute security keys between applications, and also requires user participation in the selection of certificate chains.
From Android Security and design , how to save the Android public key:
To protect your public key from malicious users and hackers, do not paste it into any code as a literal string. Instead, build a string at runtime from fragments or use bit manipulation (like XOR with some other string) to hide the actual key. The key itself is not secret information, but you do not want a hacker or an attacker to replace the public key with another key.
Although this sounds like good advice, in reality it does not greatly increase security.

So what is the best practice for saving private keys without asking for user authentication?

+6

android security

Ilya_Gazman Oct 08 '15 at 8:55

source share

1 answer

h22 · Answer 1 · 2017-06-26T11:55:24+0000

Android will not allow other applications to access the contents of personal general settings, so this may be a storage location that does not use access rights, and not fact data that is not stored there.

However, it is important to generate keys using a secure, random and non-related application. .Apk content is much less secure and can be accessed on any root device.

Android credential storage: where to keep secret keys?

So what is the best practice for saving private keys without asking for user authentication?

More articles: