Android Keystore System Notes

Similar to KDEWallet

Security Features

  • Once keys are in the keystore, they can be used for cryptographic operations with the key material remaining non-exportable. (extraction prevention)
  • Moreover, it offers facilities to restrict when and how keys can be used, such as requiring user authentication for key use or restricting keys to be used only in certain cryptographic modes. (Key Use Authorizations)

Extraction Prevention

The Keystore system is used by the KeyChain API as well as the Android Keystore provider feature.
Key material never enters the application process.
Key material may be bound to the secure hardware.

Key Use Authorizations

Android Keystore lets apps specify authorized uses of their keys when generating or importing the keys. Once a key is generated or imported, its authorizations can not be changed.

Supported key use authorizations:

  • cryptography: authorized key algorithm, operations or purposes (encrypt, decrypt, sign, verify), padding schemes, block modes, digests with which the key can be used;
  • temporal validity interval: interval of time during which the key is authorized for use;
  • user authentication: the key can only be used if the user has been authenticated recently enough.

Keychain vs Keystore Provider

KeyChain: system-wide credentials, need users to choose which credential an app can access, allows several apps to use the same set of credentials with user consent.
Keystore provider: let an individual app store its own credentials that only the app itself can access, requires no user interaction to select the credentials.


Android Keystore System