Android Keystore System
Qu'est-ce que Android Keystore System ?
Android Keystore SystemAndroid's hardware-backed key container that confines cryptographic key material to a Trusted Execution Environment or StrongBox, exposing keys only by reference and enforcing per-key access policies such as biometric or device-credential gating.
The Android Keystore System is Android's primary API for hardware-protected key material, available via `android.security.keystore` and `KeyGenParameterSpec`. When the device supports it, keys are generated and stored inside a Trusted Execution Environment (TEE — typically ARM TrustZone) or, on devices with a discrete StrongBox security chip (e.g. Pixel Titan M), inside that chip. Application code receives only opaque key references; the actual key material never enters the Android Linux kernel or app memory. Per-key policies enforced by the keystore include user-authentication-required (biometric or device credential), validity duration after authentication, attestation-required, and unlocked-device-required. Key Attestation (`KeyMint`/`Keymaster`) lets a server verify that a given public key was generated inside a real TEE/StrongBox on a Google-attested device, which is the basis for hardware-bound mobile FIDO2 / WebAuthn passkeys. Common AppSec issues include not setting `setUserAuthenticationRequired` for sensitive keys, not setting `setInvalidatedByBiometricEnrollment(true)` (so enrolling a new fingerprint silently keeps the key valid), and bypassing the keystore entirely by holding raw keys in SharedPreferences.
● Exemples
- 01
A FIDO2 passkey app generates an EC P-256 key in StrongBox with `setUserAuthenticationRequired(true)` and presents the resulting attestation chain to its server.
- 02
A code review flags an Android app deriving an AES key with PBKDF2 at runtime and storing it in SharedPreferences, instead of generating it inside the Keystore.
● Questions fréquentes
Qu'est-ce que Android Keystore System ?
Android's hardware-backed key container that confines cryptographic key material to a Trusted Execution Environment or StrongBox, exposing keys only by reference and enforcing per-key access policies such as biometric or device-credential gating. Cette notion relève de la catégorie Sécurité mobile en cybersécurité.
Que signifie Android Keystore System ?
Android's hardware-backed key container that confines cryptographic key material to a Trusted Execution Environment or StrongBox, exposing keys only by reference and enforcing per-key access policies such as biometric or device-credential gating.
Comment fonctionne Android Keystore System ?
The Android Keystore System is Android's primary API for hardware-protected key material, available via `android.security.keystore` and `KeyGenParameterSpec`. When the device supports it, keys are generated and stored inside a Trusted Execution Environment (TEE — typically ARM TrustZone) or, on devices with a discrete StrongBox security chip (e.g. Pixel Titan M), inside that chip. Application code receives only opaque key references; the actual key material never enters the Android Linux kernel or app memory. Per-key policies enforced by the keystore include user-authentication-required (biometric or device credential), validity duration after authentication, attestation-required, and unlocked-device-required. Key Attestation (`KeyMint`/`Keymaster`) lets a server verify that a given public key was generated inside a real TEE/StrongBox on a Google-attested device, which is the basis for hardware-bound mobile FIDO2 / WebAuthn passkeys. Common AppSec issues include not setting `setUserAuthenticationRequired` for sensitive keys, not setting `setInvalidatedByBiometricEnrollment(true)` (so enrolling a new fingerprint silently keeps the key valid), and bypassing the keystore entirely by holding raw keys in SharedPreferences.
Comment se défendre contre Android Keystore System ?
Les défenses contre Android Keystore System combinent habituellement des contrôles techniques et des pratiques opérationnelles, comme détaillé dans la définition ci-dessus.
Quels sont les autres noms de Android Keystore System ?
Noms alternatifs courants : AndroidKeystore, KeyStore (Android).
● Termes liés
- mobile-security№ 612
iOS Keychain
Apple's encrypted credential store on iOS, iPadOS, and macOS, backed by the Secure Enclave and graded by per-item accessibility classes that bind decryption to device unlock, passcode, biometric, or hardware-bound state.
- mobile-security№ 772
Sécurité des applications mobiles
Pratique consistant a concevoir, developper et tester des applications iOS et Android afin de proteger les donnees utilisateur, empecher la retro-ingenierie et resister a la manipulation en execution.
- compliance№ 871
OWASP MASVS
Mobile Application Security Verification Standard de l'OWASP, socle d'exigences de securite testables pour les applications mobiles iOS et Android.
- identity-access№ 458
FIDO2
Standard ouvert d'authentification de la FIDO Alliance combinant WebAuthn (API navigateur) et CTAP (protocole des authentificateurs) pour une connexion sans mot de passe et résistante à l'hameçonnage.
- cloud-security№ 1300
Environnement d'Exécution de Confiance (TEE)
Contexte d'exécution sécurisé et isolé au sein du processeur où code et données sont protégés en confidentialité et en intégrité, même vis-à-vis de l'OS hôte et de l'hyperviseur.
- identity-access№ 112
Authentification biométrique
Méthode d'authentification qui vérifie l'identité à partir de caractéristiques physiques ou physiologiques uniques comme les empreintes, le visage, l'iris ou la voix.