The goal is to store a key inside an Android device which is protected by the fingerprint, faceprint, or passcode, depending on which are available.
The key should not be accessible in software without providing a valid fingerprint.
The key should not be stored outside of the device unless a valid fingerprint is provided.
The key should not be accessible outside of hardware, meaning that compromised software implementations should not be able to access the key.
This is similar to the iOS KeyChain.
The question is how this can be achieved. I have done extensive research, and most implementations simply return a boolean to indicate whether biometric authentication was successful.
Any thoughts or ideas are appreciated.
Have you looked at the authenticate(CryptoObject) API? Here's a demo app.
Related
I'm working on an Android multi module (multiple apps) project and encountered a use case where I have to save some secret information that could be accessed by all these apps. My idea is to encrypt the secret information using a private key that is saved inside the KeyStore, and save this information in a file that I'm planning to store in the device (not external storage). My question is, would I be able to access this private key inside the KeyStore from another application and then use it to decrypt the secret information that is saved in the device?
I was looking at Android's KeyStore documentation, and if I understood it correctly, I can use the KeyStore APIs to save the cryptographic keys and use them with in the same application. But also the KeyChain documentation says I can use these cryptographic keys across multiple apps with in the system. I'm quite confused about how I can combine these two APIs and make it work for my use case. Any help is appreciated. Thank you.
My idea is to encrypt the secret information using a private key
You encrypt with a public key, never with the private key. The private key is used for decryption.
If you create public keys for all the apps then you can decrypt with individual private keys for these apps. Of course you'd have to trust these apps and the public key pair of each app in advance; I'm not familiar enough with your setup to make any recommendations in that regard.
To be honest the KeyChain API seems more about TLS authentication than anything else and I don't think it fits your use case. The API of the choosePrivateKeyAlias for instance only talks about authentication and a server requesting a key chain.
Key stores can be can in principle be distributed. Or course, to access / decrypt them you'd still need a key distributed within each app. You can share the information for specific signed applications only it seems. Possibly just the security of sharing the data privately without encryption already fulfills your use case? Key management is tricky, after all.
Caveat: I'm not terribly well known with the Android security model; hopefully my general knowledge of cryptography & security steers you in the right direction.
There is android:sharedUserId property. From the doc:
Apps with the same user ID can access each other's data and, if desired, run in the same process.
Unfortunately, it was deprecated in API 29 without proper replacement.
I'm reading about store a secretkey (to encrypt/to decrypt data) and seems there is no way achieve that. One can only increase difficult for an attacker accomplish this.
It's really like that?
What I've got so far:
Store in shared preference ( private mode ) - Rooted phone will be able to retrieve it.
NDK C/C++ native code, create .so file - Hard to decompile, but one could call this .so file and retrieve it.
A webserver to store the key, looks useless, if a have to send credentials, a malicious ware could log key taps.
Am I too paranoic?
Why do not you use Android Keystore?it is designed for this purpose
https://developer.android.com/training/articles/keystore.html
The Android Keystore system lets you store cryptographic keys in a container to make it more difficult to extract from the device
It has considerable advantages over shared preferences or private files like extraction prevention or key use authorization I do not consider storing private keys on the server
Security Features
Android Keystore system protects key material from unauthorized use. Firstly, Android Keystore mitigates unauthorized use of key material outside of the Android device by preventing extraction of the key material from application processes and from the Android device as a whole. Secondly, Android KeyStore mitigates unauthorized use of key material on the Android device by making apps specify authorized uses of their keys and then enforcing these restrictions outside of the apps' processes.
In some devices with dedicated hardware it is implemented on it. As a programmer you can know is a key is hardware-protected
The concept is similar to iOS KeyChain, but whereas IOS KeyChain can store passwords, generate and import cryptographic keys, Android KeyStore only allows to generate cryptographic secret keys by the application ( no import functions)
The keys also can be protected requiring user to unlock the device and / or presenting the fingerprint
For example, to secure a password, is possible to generate a cipher key protected with fingerprint, and use it to encrypt user's credentials that could be stored in preferences
You are correct. Most security experts will tell you there is no such thing as an absolutely secure system. The proper way to think of it is in terms of the level of resources an attacker must use to break your system.
You then balance your security measures between the value of the data and other considerations like the complexity of your solution and other costs.
To elaborate on your examples, assuming you aren't worried about the legitimate owner/user of the phone being the attacker, you can assess as follows:
Rooting a phone is a risk if an attacker gets physical possession. To assess, how valuable is the data versus the likelihood of a phone getting lost/stolen, the person who then has it caring to get the key and knowing how to root a phone.
Obscuring secret information is generally considered useless. I personally think it depends a little bit on the circumstances. Here, again, an attacker would need to root the phone, etc. The problem with obscuring secret information is it only takes one person to figure out what you've done and make that information available to completely lose the value in doing it.
If you have a key logger, what security do you have anyway?
You should look at the possibility of using a "secure element". See this post on the security Stack Exchange for some good information.
I am trying to find an answer to the question of, if I have a database of fingerprints or fingerprint hashes, can I use the iOs or Android fingerprint scanners to compare the fingerprint being offered and my database and not against the local fingerprint copy? In practical application I want to enroll people into a program that uses fingerprints to secure the account and i want the exact same fingerprint to allow access to the account on the handheld device.
Thanks
In iOS, you can't. Touch ID scanner uses on system level, you only have access to checking of validation. You can authenticate user with LocalAutentification framework. You can check example from Apple documentation.
I cannot speak to the Android answer of this, but with iOS; No, that is not possible.
Apple restricts the use of Touch ID to it's own internal database per device as a security precaution. You are not able to retrieve, store, or view any fingerprint data from a user. If you want to use Touch ID in your app, you must implement the relevant LocalAuthentication framework from iOS and it will do the work for you. Returning only a grant or deny.
I'm looking into ways to secure data on mobile via fingerprint verification.
The situtation on iOS seems fairly straight-forward by securing data in the Keychain via Touch.
But can something like this be done on Android where a piece of data is secured via a fingerprint? Or would we have to handle the association of data and fingerprint internally within the app?
UPDATE:
So having done a little bit more reading on this on Android I'm assuming the best way of doing this would be to encrypt the data within the app but secure the key being used with FingerprintManager and the Android Keystore?
Yes, you're heading into the right direction ;-)
Basically the Keystore is just for creating / storing key material and cannot be compared to something like the SharedPreferences. You could use the Keystore APIs to create a new cryptographic key which requires user authentication and with the generated key you could then en-/decrypt data. In order to access the key inside the Keystore the user needs to authenticate (e.g. through fingerprint authentication).
I have created a demo project for the new Keystore APIs (including fingerprint authentication) which you can find on GitHub: https://github.com/flschweiger/SafeApp
I want to hide some data that is entered by user in user's phone encrypted. As far as I know I can encrypt/decrypt data using a key/seed value, but if I hide the key value in code, I know it can be found somehow (e.g. decompiling the Java code).
Do you have any suggestions to make the process harder?
It is impossible to hide the key in the app such that a resourceful hacker won't be able to pull it out. You can try to obfuscate the key and make it difficult to find but it will always be do able.
See this: https://www.excelsior-usa.com/articles/java-obfuscators.html#examples
The best option would be to require your users to specify a PIN or password and to use that as the encryption key. That way if the device is lost or stolen the key is still safe and it also prevents someone from decompiling your app and getting the encryption key for all instances of your application.
One of the new features in Ice Cream Sandwich (Android 4.0) is the keychain API. From the Platform Highlights page (emphasis mine):
Android 4.0 makes it easier for applications to manage authentication
and secure sessions. A new keychain API and underlying encrypted
storage let applications store and retrieve private keys and their
corresponding certificate chains. Any application can use the keychain
API to install and store user certificates and CAs securely.
If you're doing this for username/password data, you should checkout implementing an Authenticator.
Since android does not have any secure storage on it ( at least as of 2.2), you would have to write your own.
The only way to do this really securely is to encrypt with a key derived from a user supplied password (PBKDF2/ RFc2898 being the way to that). Crypto is only as secure as your key and if you store that on the phone in anyway, then someone can find it and use it. This allows you to have the user store the key without actually remembering a large AES key.
There may be libraries that do this for android. I wrote one for windows phone that can be found here if you want some basis for how to do it.
If encryption/decryption all happens on the handset, a determined hacker will be able to crack it. You can make life harder by using obfustication, or (if appropriate for your application), adding user input into the encrypt/decrypt code.
If your application requires network connectivity, it might be worth off-loading some of the code to a server running elsewhere, so that encrypted data lives on the device, but keys are downloaded at run-time. Still not hack-proof, but it reduces risks to confidential data on a stolen device.