Android Keystore System
What is the Android Keystore System?
Android Keystore System: Android's hardware-backed key container that confines cryptographic key material to a Trusted Execution Environment or StrongBox, exposing keys only by reference and enforcing per-key access policies such as biometric or device-credential gating.
The Android Keystore System is Android's primary API for hardware-protected key material, available via `android.security.keystore` and `KeyGenParameterSpec`. When the device supports it, keys are generated and stored inside a Trusted Execution Environment (TEE — typically ARM TrustZone) or, on devices with a discrete StrongBox security chip (e.g. Pixel Titan M), inside that chip. Application code receives only opaque key references; the actual key material never enters the Android Linux kernel or app memory. Per-key policies enforced by the keystore include user-authentication-required (biometric or device credential), validity duration after authentication, attestation-required, and unlocked-device-required. Key Attestation (`KeyMint`/`Keymaster`) lets a server verify that a given public key was generated inside a real TEE/StrongBox on a Google-attested device, which is the basis for hardware-bound mobile FIDO2 / WebAuthn passkeys. Common AppSec issues include not setting `setUserAuthenticationRequired` for sensitive keys, not setting `setInvalidatedByBiometricEnrollment(true)` (so enrolling a new fingerprint silently keeps the key valid), and bypassing the keystore entirely by holding raw keys in SharedPreferences.
● Examples
- 01
A FIDO2 passkey app generates an EC P-256 key in StrongBox with `setUserAuthenticationRequired(true)` and presents the resulting attestation chain to its server.
- 02
A code review flags an Android app deriving an AES key with PBKDF2 at runtime and storing it in SharedPreferences, instead of generating it inside the Keystore.
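The key generation described in example 01, with the per-key policies named in the definition set explicitly, as an added Kotlin sketch (not code from this page or from any particular app). The function names `passkeySpec`, `generate` and `createAttestedPasskey` are hypothetical; the code assumes API level 31+ (for `KeyInfo.securityLevel`) and a device with a secure lock screen configured.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyInfo
import android.security.keystore.KeyProperties
import android.security.keystore.StrongBoxUnavailableException
import java.security.KeyFactory
import java.security.KeyPair
import java.security.KeyPairGenerator
import java.security.KeyStore
import java.security.cert.Certificate
import java.security.spec.ECGenParameterSpec

private const val PROVIDER = "AndroidKeyStore"

// Builds the per-key policy; the keystore, not the app, enforces it on every use.
private fun passkeySpec(alias: String, challenge: ByteArray, strongBox: Boolean) =
    KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_SIGN)
        .setAlgorithmParameterSpec(ECGenParameterSpec("secp256r1")) // EC P-256
        .setDigests(KeyProperties.DIGEST_SHA256)
        .setUserAuthenticationRequired(true)        // biometric or device-credential gate
        .setInvalidatedByBiometricEnrollment(true)  // enrolling a new biometric invalidates the key
        .setUnlockedDeviceRequired(true)            // unusable while the device is locked
        .setAttestationChallenge(challenge)         // server nonce bound into the attestation
        .setIsStrongBoxBacked(strongBox)
        .build()

private fun generate(spec: KeyGenParameterSpec): KeyPair =
    KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, PROVIDER)
        .apply { initialize(spec) }
        .generateKeyPair()

/** Returns the attestation chain (leaf first) to send to the relying-party server. */
fun createAttestedPasskey(alias: String, serverChallenge: ByteArray): Array<Certificate> {
    val pair = try {
        generate(passkeySpec(alias, serverChallenge, strongBox = true))
    } catch (e: StrongBoxUnavailableException) {
        // No discrete security chip: fall back to the TEE rather than to raw app-held keys.
        generate(passkeySpec(alias, serverChallenge, strongBox = false))
    }
    // Confirm where the key actually lives before relying on it (API 31+).
    val info = KeyFactory.getInstance(pair.private.algorithm, PROVIDER)
        .getKeySpec(pair.private, KeyInfo::class.java)
    check(info.securityLevel != KeyProperties.SECURITY_LEVEL_SOFTWARE) {
        "Key is not hardware-backed"
    }
    val keyStore = KeyStore.getInstance(PROVIDER).apply { load(null) }
    return keyStore.getCertificateChain(alias)
        ?: error("No attestation chain for alias $alias")
}
```

The on-device check is only a sanity check; the server still has to validate the returned chain and confirm that the attestation carries the challenge it issued.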
● Frequently asked questions
What is the Android Keystore System?
Android's hardware-backed key container that confines cryptographic key material to a Trusted Execution Environment or StrongBox, exposing keys only by reference and enforcing per-key access policies such as biometric or device-credential gating. It belongs to the mobile security category of cybersecurity.
How do you protect against the Android Keystore System?
Protective measures against the Android Keystore System typically combine technical controls and operational practices, as described in the definition above.
What other names are there for the Android Keystore System?
Common alternative names: AndroidKeystore, KeyStore (Android).
● Related terms
- mobile-security№ 612
iOS Keychain
Apple's encrypted credential store on iOS, iPadOS, and macOS, backed by the Secure Enclave and graded by per-item accessibility classes that bind decryption to device unlock, passcode, biometric, or hardware-bound state.
- mobile-security№ 772
Mobile application security
The practice of designing, developing, and testing iOS and Android apps so that user data is protected and reverse engineering and runtime tampering are made harder.
- compliance№ 871
OWASP MASVS
OWASP Mobile Application Security Verification Standard, a baseline of testable security requirements for iOS and Android mobile apps.
- identity-access№ 458
FIDO2
Open authentication standard from the FIDO Alliance that combines WebAuthn (browser API) and CTAP (authenticator protocol) for phishing-resistant, passwordless sign-in.
- cloud-security№ 1300
Trusted Execution Environment (TEE)
Secure, isolated execution context within the processor in which the confidentiality and integrity of code and data are protected, including from the host OS and hypervisor.
- identity-access№ 112
Biometric authentication
An authentication method that verifies identity based on unique physical or physiological characteristics such as fingerprint, face, iris, or voice.