Data encryption is important in every Android application. You need to know a few ways to secure your data, secure your Android files, secure shared preferences data, the keys used in your application. The fact is, even after applying some coding techniques, your data may be retrieved by some experts, but your goal is how to make it harder for them to retrieve the data by Provide some additional layers of security inside your application. In this blog, we will learn how to encrypt data securely on devices and use AndroidKeyStore to store keys in Android. Let's get started
Jetpack Security Library
At Google I / O 19, the Jetpack Security library was introduced to allow us to easily encrypt data, files and shared preferences. It provides strong security, a great balance between encryption and good performance. In addition, for applications that require hardware-enabled Keystore, it provides maximum security. So all we need to do is use this library without thinking about the work it does in the backend.
But Android OS is very secure and we have a separate file-based encryption system, so why use Android's Jetpack Security Library? There are many different reasons, some of which are:
- If you are working on a rooted device, the file system will be unlocked and some attackers can easily access the data even though you have encrypted the entire memory.
- Another reason might be to secure the keys or tokens in your application because you don't want your users to use them.
Therefore, this Jetpack Security Library is used to encrypt on phone memory and is provided for Android version 6.0 and above. All you need to do is add this library to your build.gradle file.
1 2 3 4 5 | dependencies { ... implementation 'androidx.security:security-crypto:1.0.0-alpha01' } |
Key management
The keys we use in Android apps must be secure because if we don't secure our Android keys it can be used against us in some way. So to protect our keys from being used by others, we have something called the Android Keystore System in Android. It protects your key material from unauthorized use. Therefore, to use it, you must be authorized. It has hardware support which means it runs on a separate memory space on the device. So even though your application has access to the key, your application doesn't know what the key material is and in this way, your key material is secure. For API 28 and above, you can use the StrongBox Keymaster located in the hardware security module and it is an implementation of the Keymaster HAL. The module has its own CPU and safe storage. So it will provide an extra layer of encryption for your keys.
In Jetpack Security we have a class called MasterKeys allows us to create private keys (by default, the ASE256 encryption standard is used).
1 2 3 | <span class="token keyword">val</span> keyGenParameterSpec <span class="token operator">=</span> MasterKeys <span class="token punctuation">.</span> AES256_GCM_SPEC <span class="token keyword">val</span> masterKeyAlias <span class="token operator">=</span> MasterKeys <span class="token punctuation">.</span> <span class="token function">getOrCreate</span> <span class="token punctuation">(</span> keyGenParameterSpec <span class="token punctuation">)</span> |
Here, we're using dungblock mode GCM_SPEC no padding. If you want to encrypt a small data the size of the key, then you do not need any buffer or blocking. But when the encrypted data is longer than the key size, we use buffering and blocking.
It is not always necessary to use 256-bit keys or use GCM without buffers. You have other options like setBlockModes() , setEncryptPaddings , setKeySize() , setUserAuthenticationRequired() , setUnlockedDeviceRequired() , and more.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | <span class="token keyword">val</span> someAdvanceSpec <span class="token operator">=</span> KeyGenParameterSpec <span class="token punctuation">.</span> <span class="token function">Builder</span> <span class="token punctuation">(</span> <span class="token string">"master_key"</span> <span class="token punctuation">,</span> KeyProperties <span class="token punctuation">.</span> PURPOSE_ENCRYPT <span class="token operator">or</span> KeyProperties <span class="token punctuation">.</span> PURPOSE_DECRYPT <span class="token punctuation">)</span> <span class="token punctuation">.</span> <span class="token function">apply</span> <span class="token punctuation">{</span> <span class="token function">setBlockModes</span> <span class="token punctuation">(</span> KeyProperties <span class="token punctuation">.</span> BLOCK_MODE_GCM <span class="token punctuation">)</span> <span class="token function">setEncryptionPaddings</span> <span class="token punctuation">(</span> KeyProperties <span class="token punctuation">.</span> ENCRYPTION_PADDING_NONE <span class="token punctuation">)</span> <span class="token function">setKeySize</span> <span class="token punctuation">(</span> <span class="token number">256</span> <span class="token punctuation">)</span> <span class="token function">setUserAuthenticationRequired</span> <span class="token punctuation">(</span> <span class="token boolean">true</span> <span class="token punctuation">)</span> <span class="token function">setUserAuthenticationValidityDurationSeconds</span> <span class="token punctuation">(</span> <span class="token number">30</span> <span class="token punctuation">)</span> <span class="token keyword">if</span> <span class="token punctuation">(</span> Build <span class="token punctuation">.</span> VERSION <span class="token punctuation">.</span> SDK_INT <span class="token operator">>=</span> Build <span class="token punctuation">.</span> VERSION_CODES_P <span class="token punctuation">)</span> <span class="token punctuation">{</span> <span class="token comment">//Android P or higher</span> <span class="token function">setUnlockedDeviceRequired</span> <span class="token punctuation">(</span> <span class="token boolean">true</span> <span class="token punctuation">)</span> <span class="token punctuation">}</span> <span class="token punctuation">}</span> <span class="token punctuation">.</span> <span class="token function">build</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span> <span class="token keyword">val</span> advKey <span class="token operator">=</span> MasterKeys <span class="token punctuation">.</span> <span class="token function">getOrCreate</span> <span class="token punctuation">(</span> someAdvanceSpec <span class="token punctuation">)</span> |
You can also generate new EC key pairs using the KeyPairGenerator API.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | <span class="token keyword">val</span> kpg <span class="token operator">:</span> KeyPairGenerator <span class="token operator">=</span> KeyPairGenerator <span class="token punctuation">.</span> <span class="token function">getInstance</span> <span class="token punctuation">(</span> KeyProperties <span class="token punctuation">.</span> KEY_ALGORITHM_EC <span class="token punctuation">,</span> <span class="token string">"AndroidKeyStore"</span> <span class="token punctuation">)</span> <span class="token keyword">val</span> parameterSpec <span class="token operator">:</span> KeyGenParameterSpec <span class="token operator">=</span> KeyGenParameterSpec <span class="token punctuation">.</span> <span class="token function">Builder</span> <span class="token punctuation">(</span> alias <span class="token punctuation">,</span> KeyProperties <span class="token punctuation">.</span> PURPOSE_SIGN <span class="token operator">or</span> KeyProperties <span class="token punctuation">.</span> PURPOSE_VERIFY <span class="token punctuation">)</span> <span class="token punctuation">.</span> <span class="token function">run</span> <span class="token punctuation">{</span> <span class="token function">setDigests</span> <span class="token punctuation">(</span> KeyProperties <span class="token punctuation">.</span> DIGEST_SHA256 <span class="token punctuation">,</span> KeyProperties <span class="token punctuation">.</span> DIGEST_SHA512 <span class="token punctuation">)</span> <span class="token function">build</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span> <span class="token punctuation">}</span> kpg <span class="token punctuation">.</span> <span class="token function">initialize</span> <span class="token punctuation">(</span> parameterSpec <span class="token punctuation">)</span> <span class="token keyword">val</span> kp <span class="token operator">=</span> kpg <span class="token punctuation">.</span> <span class="token function">generateKeyPair</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span> |
Now we have a key, and we can use it for many purposes, such as encrypting files. Let's see how we do it
File Encryption
With the help of the Jetpack Security library, you can encrypt files included in your application. It uses Streaming AES to process files of all sizes. All you need to do is create a file and then make this file encrypted. After receiving the encrypted file, if you want to write some data to the encrypted file, you can use the openFileOutput() and if you want to read data from your encrypted file, you have You can use the openFileInput() . Here is the implementation code:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | <span class="token keyword">val</span> secretFile <span class="token operator">=</span> <span class="token function">File</span> <span class="token punctuation">(</span> filesDirectory <span class="token punctuation">,</span> <span class="token string">"super_secret"</span> <span class="token punctuation">)</span> <span class="token keyword">val</span> encryptedFile <span class="token operator">=</span> EncryptedFile <span class="token punctuation">.</span> <span class="token function">Builder</span> <span class="token punctuation">(</span> secretFile <span class="token punctuation">,</span> applicationContext <span class="token punctuation">,</span> advancedKeyAlias <span class="token punctuation">,</span> FileEncryptionScheme <span class="token punctuation">.</span> AES256_GCM_HKDF_4KB <span class="token punctuation">)</span> <span class="token punctuation">.</span> <span class="token function">setKeysetAlias</span> <span class="token punctuation">(</span> <span class="token string">"file_key"</span> <span class="token punctuation">)</span> <span class="token comment">//this is optional</span> <span class="token punctuation">.</span> <span class="token function">setKeysetPrefName</span> <span class="token punctuation">(</span> <span class="token string">"secret_shared_prefs"</span> <span class="token punctuation">)</span> <span class="token comment">//this is optional</span> <span class="token punctuation">.</span> <span class="token function">build</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span> <span class="token operator">..</span> <span class="token punctuation">.</span> encryptedFile <span class="token punctuation">.</span> <span class="token function">openFileOutput</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span> <span class="token punctuation">.</span> <span class="token function">use</span> <span class="token punctuation">{</span> outputStream <span class="token operator">-></span> <span class="token comment">//write data from your encrypted file</span> <span class="token punctuation">}</span> encryptedFile <span class="token punctuation">.</span> <span class="token function">openFileInput</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span> <span class="token punctuation">.</span> <span class="token function">use</span> <span class="token punctuation">{</span> inputStream <span class="token operator">-></span> <span class="token comment">//read file from your encrypted file</span> <span class="token punctuation">}</span> |
Everything is encrypted and decoded right where you call the data, you don't need to worry about how it works.
SharedPreferences Encryption
We store data in SharedPreferences because it's easy to use. But besides that, it was too easy to attack and get key-values from SharedPreferences. So we need to encrypt the SharedPreferences data and this is completely easy when using EncryptedSharedPreferences. It works with Android 6.0 and higher.
To use EncryptedSharedPreferences, simply create or receive a Master Key from AndroidKeyStore:
1 2 | <span class="token keyword">val</span> myMaterKeyAlias <span class="token operator">=</span> MasterKeys <span class="token punctuation">.</span> <span class="token function">getOrCreate</span> <span class="token punctuation">(</span> MasterKeys <span class="token punctuation">.</span> AES256_GCM_SPEC <span class="token punctuation">)</span> |
After receiving the Master Key, now initialize an instance of EncryptedSharedPreferences:
1 2 3 4 5 6 7 8 | <span class="token keyword">val</span> mySharedPreferences <span class="token operator">=</span> EncryptedSharedPreferences <span class="token punctuation">.</span> <span class="token function">create</span> <span class="token punctuation">(</span> <span class="token string">"my_preference_file_name"</span> <span class="token punctuation">,</span> myMasterKeyAlias <span class="token punctuation">,</span> applicationContext <span class="token punctuation">,</span> EncryptedSharedPreferences <span class="token punctuation">.</span> PrefKeyEncryptionScheme <span class="token punctuation">.</span> AES256_SIV <span class="token punctuation">,</span> <span class="token comment">//for encrypting Keys</span> EncryptedSharedPreferences <span class="token punctuation">.</span> PrefValueEncryptionScheme <span class="token punctuation">.</span> AES256_GCM <span class="token comment">////for encrypting Values</span> <span class="token punctuation">)</span> |
And then, you can save the data and read it from EncryptedSharedPreferences as always
1 2 3 4 5 6 7 8 | <span class="token comment">//save data</span> mySharedPreferences <span class="token punctuation">.</span> <span class="token function">edit</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span> <span class="token punctuation">.</span> <span class="token function">putString</span> <span class="token punctuation">(</span> <span class="token string">"MY_DATA"</span> <span class="token punctuation">,</span> saveText <span class="token punctuation">.</span> text <span class="token punctuation">.</span> <span class="token function">toString</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span> <span class="token punctuation">)</span> <span class="token punctuation">.</span> <span class="token function">apply</span> <span class="token punctuation">(</span> <span class="token punctuation">)</span> <span class="token comment">//read data</span> <span class="token keyword">val</span> someValue <span class="token operator">=</span> mySharedPreferences <span class="token punctuation">.</span> <span class="token function">getString</span> <span class="token punctuation">(</span> <span class="token string">"MY_DATA"</span> <span class="token punctuation">,</span> <span class="token string">""</span> <span class="token punctuation">)</span> |
In this blog, we have learned how to secure our keys with the help of AndroidKeyStore and with the help of these keys, we can secure our files and SharedPreferences. If you want some advanced encryption, you can use Tink, which is Google's open source library also used by Jetpack Security Library. It has cross-platform security that provides security for different Android versions and for different mobile devices. You can learn more about Tink from here .
Hope you learned something new today.
Source: How to encrypt data safely on the device and use the AndroidKeyStore?