
For an Android app managing cryptographic keys, I want to ensure that the device has had a screen lock set up continuously since the first time the app has been run.

Specifically, the app will only allow using the keys if the device has a secure lock configured (which can be checked via KeyguardManager.isDeviceSecure()). But if the user disables their screen lock, someone else could potentially pick it up, re-enable the screen lock and continue to use the app pretending to be the original user. I want to prevent this, but still not require user authentication for every use of the keys (which rules out using Android KeyStore user authentication enforcement).

I currently see two ways to delete the data if the screen lock is disabled, both of which have downsides:

  1. Set up a DeviceAdminReceiver and listen for screen lock changes with onPasswordChanged, invalidating keys if the screen lock is disabled. This is problematic since it requires USES_POLICY_LIMIT_PASSWORD, which will no longer be supported in API level 29.
  2. Create a "canary" KeyStore key with user authentication enforcement and check whether it throws a KeyPermanentlyInvalidatedException when used. This solution feels very hacky, depends on implementation details (e.g. KeyPermanentlyInvalidatedException being thrown before UserNotAuthenticatedException) and is not event-based in the way solution 1 is, which means that the keys will not be deleted immediately after the screen lock is disabled.

Is there a better way to act upon the deactivation of the device screen lock?

Fabian Meumertzheim
  • Can't you just use the Android KeyStore with user authentication enforcement but set a (very) high duration for the validity, see https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder#setUserAuthenticationValidityDurationSeconds(int)? Another possibility, depending on what you want to do exactly, could be using the Android `KeyChain`. It also requires a screen lock to be set and AFAIR (not tested) access to it is withdrawn once the screen lock is removed. – BBB Nov 14 '19 at 11:18
  • @BBB: Thanks for your comment about KeyChain. The long duration authentication enforced key is what I meant to describe in point 2. above. It has the downside that the app will have to actively check for the key to still be valid, it will not be notified if it becomes invalid. Other than that, I have found this solution to work reasonably well in practice, so maybe there is no better one post API 29. – Fabian Meumertzheim Nov 14 '19 at 13:30
  • You're welcome! However, my understanding was that it is most important that the key becomes unusable after the user removes the screen lock. Regarding Android KeyStore user authentication enforcement, in the documentation it says: "These keys become permanently invalidated once the secure lock screen is disabled (reconfigured to None, Swipe or other mode which doesn't authenticate the user) or forcibly reset (e.g. by a Device Administrator)." Shouldn't that be enough? – BBB Nov 15 '19 at 14:31
  • The original question was more about invalidating other data depending on the screen lock setting. But I agree that the best idea in general would be to wrap the data with an encryption key that itself is bound to user authentication. – Fabian Meumertzheim Nov 15 '19 at 17:45
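The following is an added illustration of option 2 from the question combined with the wrapping idea from the last comment; it is not code from the asker or from Android. It assumes API level 23 or later, a hypothetical key alias `screen-lock-gate`, and that the app stores the wrapped blob returned by `wrap()` itself. A 256-bit AES-GCM "gate" key is generated in AndroidKeyStore with user authentication required and a very long validity window, so a single lock-screen unlock authorizes it without per-use prompts. The app's real data key is wrapped under the gate key rather than stored in the clear, so once the platform permanently invalidates the gate key (secure lock screen removed or reset) the data is unrecoverable whether or not the app gets a chance to run its own wipe. `check()` is the polling probe the question describes; it still relies on the platform throwing `KeyPermanentlyInvalidatedException` from `Cipher.init`, which is the caveat noted in the question.

```java
import android.app.KeyguardManager;
import android.content.Context;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import android.security.keystore.UserNotAuthenticatedException;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Added example: a lock-screen-bound "gate" key that wraps the app's real data key. */
public final class ScreenLockGate {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String ALIAS = "screen-lock-gate"; // hypothetical alias
    private static final String TRANSFORM = "AES/GCM/NoPadding";
    private static final int GCM_IV_BYTES = 12;   // IV length AndroidKeyStore generates for GCM
    private static final int GCM_TAG_BITS = 128;

    public enum State { USABLE, NEEDS_UNLOCK, INVALIDATED }

    /** First run: refuse without a secure lock screen, then create the gate key. */
    public static void create(Context ctx) throws GeneralSecurityException {
        KeyguardManager km = (KeyguardManager) ctx.getSystemService(Context.KEYGUARD_SERVICE);
        if (!km.isDeviceSecure()) {
            throw new IllegalStateException("a secure lock screen must be configured first");
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setKeySize(256)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)
                // One lock-screen unlock authorizes the key for (practically) ever, so no
                // per-use prompt; the key is still permanently invalidated when the secure
                // lock screen is disabled or reset.
                .setUserAuthenticationValidityDurationSeconds(Integer.MAX_VALUE)
                .build());
        kg.generateKey();
    }

    /** Fresh 256-bit data key for the app's own cryptography; keep only its wrapped form. */
    public static byte[] newDataKey() {
        byte[] k = new byte[32];
        new SecureRandom().nextBytes(k);
        return k;
    }

    /** Wraps dataKey under the gate key; returns iv || ciphertext+tag for the app to persist. */
    public static byte[] wrap(byte[] dataKey) throws GeneralSecurityException, IOException {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, loadGateKey()); // keystore picks a random IV
        byte[] iv = c.getIV();
        byte[] ct = c.doFinal(dataKey);
        byte[] blob = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, blob, iv.length, ct.length);
        return blob;
    }

    /** Unwraps a blob produced by wrap(); fails if the gate key has been invalidated. */
    public static byte[] unwrap(byte[] blob) throws GeneralSecurityException, IOException {
        byte[] iv = Arrays.copyOfRange(blob, 0, GCM_IV_BYTES);
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.DECRYPT_MODE, loadGateKey(), new GCMParameterSpec(GCM_TAG_BITS, iv));
        return c.doFinal(blob, GCM_IV_BYTES, blob.length - GCM_IV_BYTES);
    }

    /** Polling probe (e.g. from onResume): INVALIDATED means the screen lock was removed. */
    public static State check() throws GeneralSecurityException, IOException {
        SecretKey key = loadGateKey();
        if (key == null) {
            return State.INVALIDATED; // alias gone; treat like an invalidated key
        }
        try {
            Cipher.getInstance(TRANSFORM).init(Cipher.ENCRYPT_MODE, key);
            return State.USABLE;
        } catch (KeyPermanentlyInvalidatedException e) {
            return State.INVALIDATED;
        } catch (UserNotAuthenticatedException e) {
            return State.NEEDS_UNLOCK; // no unlock yet since boot; ask for the lock screen once
        }
    }

    /** Called when check() reports INVALIDATED; the app should also delete its wrapped blob. */
    public static void destroy() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        ks.deleteEntry(ALIAS);
    }

    private static SecretKey loadGateKey() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        return (SecretKey) ks.getKey(ALIAS, null);
    }
}
```

Typical flow: `create(ctx)` then `wrap(newDataKey())` on first run; on each resume run `check()` and call `destroy()` plus your own data wipe on `INVALIDATED`, prompt the lock screen once on `NEEDS_UNLOCK`, and `unwrap()` the stored blob only on `USABLE`. This is not event-driven: there is a window between the lock being disabled and the next `check()`, but because the plaintext data key never leaves the wrapped form, the window only delays the wipe, it does not extend access.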

0 Answers