4

I'm working on an Android multi module (multiple apps) project and encountered a use case where I have to save some secret information that could be accessed by all these apps. My idea is to encrypt the secret information using a private key that is saved inside the KeyStore, and save this information in a file that I'm planning to store in the device (not external storage). My question is, would I be able to access this private key inside the KeyStore from another application and then use it to decrypt the secret information that is saved in the device?

I was looking at Android's KeyStore documentation, and if I understood it correctly, I can use the KeyStore APIs to save the cryptographic keys and use them with in the same application. But also the KeyChain documentation says I can use these cryptographic keys across multiple apps with in the system. I'm quite confused about how I can combine these two APIs and make it work for my use case. Any help is appreciated. Thank you.

Prudhvi
  • 2,276
  • 7
  • 34
  • 54
  • Did you find an answer to this? I am trying something similar. I could do this with Content Provider and Account Manager but not with keychain and Keystore – abhishek maharajpet Oct 14 '20 at 08:04

2 Answers2

0

My idea is to encrypt the secret information using a private key

You encrypt with a public key, never with the private key. The private key is used for decryption.

If you create public keys for all the apps then you can decrypt with individual private keys for these apps. Of course you'd have to trust these apps and the public key pair of each app in advance; I'm not familiar enough with your setup to make any recommendations in that regard.

To be honest the KeyChain API seems more about TLS authentication than anything else and I don't think it fits your use case. The API of the choosePrivateKeyAlias for instance only talks about authentication and a server requesting a key chain.

Key stores can be can in principle be distributed. Or course, to access / decrypt them you'd still need a key distributed within each app. You can share the information for specific signed applications only it seems. Possibly just the security of sharing the data privately without encryption already fulfills your use case? Key management is tricky, after all.

Caveat: I'm not terribly well known with the Android security model; hopefully my general knowledge of cryptography & security steers you in the right direction.

Maarten Bodewes
  • 90,524
  • 13
  • 150
  • 263
  • Thank you for answering. You're right about using public key to encrypt in case of asymmetric encryption. I was thinking more about symmetric encryption case. May be I should have used the term "secret key" instead of "private key". – Prudhvi Jan 31 '20 at 15:55
0

There is android:sharedUserId property. From the doc:

Apps with the same user ID can access each other's data and, if desired, run in the same process.

Unfortunately, it was deprecated in API 29 without proper replacement.

sdex
  • 3,169
  • 15
  • 28