Store Your Secret Keys In a Safe Place

Hard-coding keys in source is a very common error: when Columbia University researchers analysed apps from the Play store, they found thousands of secret keys embedded in the app packages.

Don’t think of encryption as hiding sensitive information; think of it as reducing the amount of information that has to be hidden. It turns a potentially large body of data into a much smaller secret, the key, which still has to be stored securely. If the key sits next to the ciphertext, in the same APK or the same world-readable file, nothing has been gained.

Don’t hard-code decryption keys or auth tokens in your code. For most apps it is sufficient to keep them in the app’s private internal storage, bearing in mind that this relies only on the platform sandbox: a rooted device, or a backup of the app’s data, exposes it. For more security-sensitive apps, such as payment or banking apps, keep decryption keys or auth tokens off the device altogether, either on a server or derived at runtime from a password the user supplies.

You obviously can’t have a user type in a 256-bit encryption key each time, so instead derive the key from a shorter user-supplied password or PIN with a key-derivation function such as PBKDF2. The salt should be random, generated once per user and stored alongside the ciphertext (it is not secret), so that the same PIN gives different keys on different installs. An example from the Google Android blog:

```java
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Derives a 256-bit AES key from a user-supplied passphrase or PIN and a
// per-user random salt. The key is recomputed each time it is needed and
// never written to storage.
public static SecretKey generateKey(char[] passphraseOrPin, byte[] salt)
        throws NoSuchAlgorithmException, InvalidKeySpecException {
    // Number of PBKDF2 hardening rounds to use. Larger values increase
    // computation time. You should select a value that causes computation
    // to take >100ms (1000 is the blog's sample value; calibrate it on the
    // slowest device you target).
    final int iterations = 1000;

    // Generate a 256-bit key
    final int outputKeyLength = 256;

    SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
    KeySpec keySpec = new PBEKeySpec(passphraseOrPin, salt, iterations, outputKeyLength);
    SecretKey secretKey = secretKeyFactory.generateSecret(keySpec);
    return secretKey;
}
```
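To show what the derived key is actually for, here is an added, self-contained example (not code from the original post or from the Android blog) that seals an auth token under a PIN-derived AES-GCM key and writes out only the salt, the nonce and the ciphertext; the key exists in memory only while the PIN is known. It uses PBKDF2WithHmacSHA256 with an assumed iteration count of 100,000 and targets a plain, recent JDK rather than Android (on older Android releases substitute PBKDF2WithHmacSHA1 as in the blog snippet). The token and PIN are constructed sample data.

```java
// Added example: password-derived key used for AES-GCM; nothing secret is stored.
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class PasswordSealedToken {
    private static final int SALT_BYTES = 16;
    private static final int NONCE_BYTES = 12;      // standard GCM nonce length
    private static final int TAG_BITS = 128;
    private static final int KEY_BITS = 256;
    // Assumed value for this example; calibrate on the slowest target device
    // so that derivation takes on the order of 100 ms or more.
    private static final int PBKDF2_ITERATIONS = 100_000;
    private static final SecureRandom RNG = new SecureRandom();

    // Same idea as the blog's generateKey(), with a newer PRF. The key is
    // rebuilt from the password on every use and never written to disk.
    static SecretKey deriveKey(char[] password, byte[] salt) throws GeneralSecurityException {
        KeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, KEY_BITS);
        byte[] keyBytes = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        return new SecretKeySpec(keyBytes, "AES");
    }

    // Output layout: salt || nonce || ciphertext+tag. None of it is secret,
    // so the blob can live in the app's private storage.
    static byte[] seal(char[] password, byte[] plaintext) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_BYTES];
        byte[] nonce = new byte[NONCE_BYTES];
        RNG.nextBytes(salt);
        RNG.nextBytes(nonce);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt),
                new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[SALT_BYTES + NONCE_BYTES + ct.length];
        System.arraycopy(salt, 0, out, 0, SALT_BYTES);
        System.arraycopy(nonce, 0, out, SALT_BYTES, NONCE_BYTES);
        System.arraycopy(ct, 0, out, SALT_BYTES + NONCE_BYTES, ct.length);
        return out;
    }

    // Returns null when the password is wrong or the blob was tampered with:
    // GCM's tag check fails, so no garbage plaintext is ever released.
    static byte[] open(char[] password, byte[] blob) throws GeneralSecurityException {
        if (blob.length < SALT_BYTES + NONCE_BYTES + TAG_BITS / 8) {
            throw new IllegalArgumentException("blob too short");
        }
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_BYTES);
        byte[] nonce = Arrays.copyOfRange(blob, SALT_BYTES, SALT_BYTES + NONCE_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, SALT_BYTES + NONCE_BYTES, blob.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, deriveKey(password, salt),
                new GCMParameterSpec(TAG_BITS, nonce));
        try {
            return cipher.doFinal(ct);
        } catch (AEADBadTagException e) {
            return null;
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample data for the demonstration.
        byte[] token = "oauth-token-example-1234".getBytes(StandardCharsets.UTF_8);
        char[] pin = "7391".toCharArray();

        byte[] blob = seal(pin, token);
        System.out.println("stored bytes: " + blob.length + " (none of them are the key)");
        System.out.println("correct PIN: " + new String(open(pin, blob), StandardCharsets.UTF_8));
        System.out.println("wrong PIN:   " + open("0000".toCharArray(), blob));

        blob[blob.length - 1] ^= 0x01;   // flip one bit of the authentication tag
        System.out.println("tampered:    " + open(pin, blob));

        Arrays.fill(pin, '\0');          // wipe the password once finished
    }
}
```

Compile and run `PasswordSealedToken`: the correct PIN recovers the token, while a wrong PIN or a flipped bit in the stored blob yields null rather than plaintext. A four-digit PIN gives only 10,000 candidates, so the iteration count is what makes an offline guess against a stolen blob cost something; for genuinely sensitive data combine this with server-side checks or a longer passphrase.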

There are also some further options, but only when you know the app will run on a particular kind of device. This might be the case, for example, when you are using Android hardware for a kiosk-like deployment on Android 4.4 and later.

It’s possible, using private (non-public) APIs, to store keys in Android’s credential storage, but this isn’t recommended: a private API can change between releases, and the functionality isn’t guaranteed to work on every device. The technique can still be useful for vertical apps that are known to run only on particular device(s).

If you are developing only for Android 4.3 and later, and again know you will be running on a particular device with hardware-backed key storage, take a look at the new API for creating and using RSA keys in the Android keystore. Hardware-backed key storage protects the key material even when the device has been rooted or a vulnerability lets an attacker run code as root: the key cannot be extracted from the device, although code running as your app’s user can still ask the keystore to use it, so it limits rather than eliminates the damage. Whether a given device actually keeps the key in hardware has to be checked at runtime; on software-only devices the key is still readable by root. Note that a keystore vulnerability in Android 4.3 (only) means neither of the two solutions above is secure on that release.
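An added example (not code from the original post) of the Android 4.3 (API 18) keystore API the paragraph refers to: it generates an RSA key pair inside the AndroidKeyStore provider, reuses it on later calls, signs with it, and reports whether the platform binds RSA keys to secure hardware. The alias and the ten-year validity period are assumed values; it needs an Android Context and cannot run on a desktop JVM.

```java
// Added example: device-bound RSA key in the Android keystore (API 18+).
import android.content.Context;
import android.security.KeyChain;
import android.security.KeyPairGeneratorSpec;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Calendar;
import javax.security.auth.x500.X500Principal;

public class DeviceBoundSigner {
    private static final String ALIAS = "example-device-key";   // assumed alias
    private static final String PROVIDER = "AndroidKeyStore";

    // Creates the key pair once; later calls return the stored entry. The
    // PrivateKey object is only a handle: getEncoded() returns null for
    // keystore-resident keys because the material is not exportable.
    public static PrivateKey getOrCreatePrivateKey(Context ctx) throws Exception {
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null);
        if (ks.containsAlias(ALIAS)) {
            KeyStore.PrivateKeyEntry e = (KeyStore.PrivateKeyEntry) ks.getEntry(ALIAS, null);
            return e.getPrivateKey();
        }
        Calendar start = Calendar.getInstance();
        Calendar end = Calendar.getInstance();
        end.add(Calendar.YEAR, 10);                               // assumed validity
        KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(ctx)
                .setAlias(ALIAS)
                .setSubject(new X500Principal("CN=" + ALIAS))
                .setSerialNumber(BigInteger.ONE)
                .setStartDate(start.getTime())
                .setEndDate(end.getTime())
                .build();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", PROVIDER);
        kpg.initialize(spec);
        KeyPair pair = kpg.generateKeyPair();
        return pair.getPrivate();
    }

    // True only when the platform reports that RSA keys in the keystore are
    // bound to secure hardware. On software-only devices this is false and
    // root can still read the key material, so check it before relying on
    // the "survives rooting" property.
    public static boolean isHardwareBacked() {
        return KeyChain.isBoundKeyAlgorithm("RSA");
    }

    // The signature is computed by the keystore; the app never sees the key.
    public static byte[] sign(Context ctx, byte[] data) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(getOrCreatePrivateKey(ctx));
        s.update(data);
        return s.sign();
    }
}
```

Call `isHardwareBacked()` at first run and refuse to proceed, or fall back to a server-held secret, when it returns false. `KeyChain.isBoundKeyAlgorithm` was the API 18 check and was deprecated in API 23 in favour of `KeyInfo.isInsideSecureHardware()`; the key generation shown here is what the 4.3 keystore vulnerability mentioned above undermines on that one release.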
