question

KarthikP avatar image
KarthikP asked ·

Alternatives for Keystore on clover station 2016 (Android 4.2)

We are planning to use Keystore in android to store the application keys. The KeyPairGeneratorSpec is being supported only from Android 4.3 (API 18). Is there any alternative approach for clover station 2016 which runs on Android 4.2
Clover Station
10 |2000 characters needed characters left characters exceeded

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Raymond Lee avatar image
Raymond Lee answered ·
This stackoverflow answer mentions that Android 4.x, there is a Credential Storage service you can use to store your app's secrets. It links to an article by Nikolay Elenkov with more detail: https://nelenkov.blogspot.de/2012/05/storing-appli...

He also includes a test app you can use for reference on how to use the Credential Storage service to store app secrets.

I have tested the app on a Clover Station, and it can successfully encrypt and decrypt a key using AES through this method.
1 comment Share
10 |2000 characters needed characters left characters exceeded

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Thank you for the link @Raymond Lee. I will try to implement it

0 Likes 0 · ·
Jacob Abrams avatar image
Jacob Abrams answered ·
Personally I don't recommend using the Android keystore unless you are hyper concerned with security and find it acceptable that sometimes keys will be unrecoverable. The Android keystore is overkill for most situations and it is unreliable to boot. We've seen instances of keys being lost mysteriously in the past.

https://doridori.github.io/android-security-the-fo...

Take a look at this stack overflow question I answered which is nearly identical to the one you asked:

https://stackoverflow.com/questions/28905539/use-k...
2 comments Share
10 |2000 characters needed characters left characters exceeded

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Well, we are aware of key loss scenarios and to handle it we are trying to store the keys on server side as well. Please let me know if there is any other better solution than using keystore.

0 Likes 0 · ·

As you can see in the stackoverflow links you can use a PKCS12 or PKCS8 format file to save your keys. See Android docs android.content.Context#openfileoutput for a method to get a path to private file that is only readable by your application. Here's some sample code that might help:

https://github.com/mpif/test-utf8/blob/master/src/main/java/com/codefans/java/certificate/PKCS12.java

0 Likes 0 · ·

Welcome to the
Clover Developer Community