Android Keystore System
¿Qué es Android Keystore System?
Android Keystore SystemAndroid's hardware-backed key container that confines cryptographic key material to a Trusted Execution Environment or StrongBox, exposing keys only by reference and enforcing per-key access policies such as biometric or device-credential gating.
The Android Keystore System is Android's primary API for hardware-protected key material, available via `android.security.keystore` and `KeyGenParameterSpec`. When the device supports it, keys are generated and stored inside a Trusted Execution Environment (TEE — typically ARM TrustZone) or, on devices with a discrete StrongBox security chip (e.g. Pixel Titan M), inside that chip. Application code receives only opaque key references; the actual key material never enters the Android Linux kernel or app memory. Per-key policies enforced by the keystore include user-authentication-required (biometric or device credential), validity duration after authentication, attestation-required, and unlocked-device-required. Key Attestation (`KeyMint`/`Keymaster`) lets a server verify that a given public key was generated inside a real TEE/StrongBox on a Google-attested device, which is the basis for hardware-bound mobile FIDO2 / WebAuthn passkeys. Common AppSec issues include not setting `setUserAuthenticationRequired` for sensitive keys, not setting `setInvalidatedByBiometricEnrollment(true)` (so enrolling a new fingerprint silently keeps the key valid), and bypassing the keystore entirely by holding raw keys in SharedPreferences.
● Ejemplos
- 01
A FIDO2 passkey app generates an EC P-256 key in StrongBox with `setUserAuthenticationRequired(true)` and presents the resulting attestation chain to its server.
- 02
A code review flags an Android app deriving an AES key with PBKDF2 at runtime and storing it in SharedPreferences, instead of generating it inside the Keystore.
● Preguntas frecuentes
¿Qué es Android Keystore System?
Android's hardware-backed key container that confines cryptographic key material to a Trusted Execution Environment or StrongBox, exposing keys only by reference and enforcing per-key access policies such as biometric or device-credential gating. Pertenece a la categoría de Seguridad móvil en ciberseguridad.
¿Qué significa Android Keystore System?
Android's hardware-backed key container that confines cryptographic key material to a Trusted Execution Environment or StrongBox, exposing keys only by reference and enforcing per-key access policies such as biometric or device-credential gating.
¿Cómo funciona Android Keystore System?
The Android Keystore System is Android's primary API for hardware-protected key material, available via `android.security.keystore` and `KeyGenParameterSpec`. When the device supports it, keys are generated and stored inside a Trusted Execution Environment (TEE — typically ARM TrustZone) or, on devices with a discrete StrongBox security chip (e.g. Pixel Titan M), inside that chip. Application code receives only opaque key references; the actual key material never enters the Android Linux kernel or app memory. Per-key policies enforced by the keystore include user-authentication-required (biometric or device credential), validity duration after authentication, attestation-required, and unlocked-device-required. Key Attestation (`KeyMint`/`Keymaster`) lets a server verify that a given public key was generated inside a real TEE/StrongBox on a Google-attested device, which is the basis for hardware-bound mobile FIDO2 / WebAuthn passkeys. Common AppSec issues include not setting `setUserAuthenticationRequired` for sensitive keys, not setting `setInvalidatedByBiometricEnrollment(true)` (so enrolling a new fingerprint silently keeps the key valid), and bypassing the keystore entirely by holding raw keys in SharedPreferences.
¿Cómo defenderse de Android Keystore System?
Las defensas contra Android Keystore System combinan habitualmente controles técnicos y prácticas operativas, como se detalla en la definición.
¿Cuáles son otros nombres para Android Keystore System?
Nombres alternativos comunes: AndroidKeystore, KeyStore (Android).
● Términos relacionados
- mobile-security№ 612
iOS Keychain
Apple's encrypted credential store on iOS, iPadOS, and macOS, backed by the Secure Enclave and graded by per-item accessibility classes that bind decryption to device unlock, passcode, biometric, or hardware-bound state.
- mobile-security№ 772
Seguridad de aplicaciones móviles
Práctica de diseñar, desarrollar y probar aplicaciones iOS y Android para proteger los datos del usuario, evitar la ingeniería inversa y resistir manipulación en tiempo de ejecución.
- compliance№ 871
OWASP MASVS
Mobile Application Security Verification Standard de OWASP, conjunto base de requisitos de seguridad verificables para aplicaciones moviles iOS y Android.
- identity-access№ 458
FIDO2
Estándar abierto de autenticación de la FIDO Alliance que combina WebAuthn (API del navegador) y CTAP (protocolo del autenticador) para un inicio de sesión sin contraseña y resistente al phishing.
- cloud-security№ 1300
Entorno de Ejecución Confiable (TEE)
Contexto de ejecución seguro y aislado dentro del procesador donde el código y los datos están protegidos en confidencialidad e integridad, incluso frente al SO y al hipervisor.
- identity-access№ 112
Autenticación biométrica
Método de autenticación que verifica la identidad a partir de rasgos físicos o fisiológicos únicos, como huellas, rostro, iris o voz.