I need to keep and use a 3DES key in an Android application in order to communicate with a legacy sytem. I would like to use the Android Keystore provider for its high security features, but it seems it doesn't support 3DES.
My understanding is that in an Android application, you can either use the default Keystore provider and manage your own protection passwords, or you can use the Android Keystore provider, which is far more secure and manages the protection passwords for you. I understand that if you don't provide a KeyStore.PasswordProtection when creating/loading a keystore with the default Keystore provider, the entire keystore is stored as plaintext and the keys are vulnerable to being directly extracted by an attacker.
What are the best choices for safely storing and using a 3DES key in Android?
My idea is to generate an AES key using the Android Keystore provider and generate a random password to protect my 3DES key. Then, I can create a default provider keystore, protect it with the generated password and store the 3DES key inside. Then, I use the AES key to encrypt the password and store the encrypted password in SharedPreferences. Now, I can fetch the encrypted password from SharedPreferences, decrypt it via the Android Keystore provider, use it to unlock the default Keystore Provider and then just use the 3DES key for encryption/decryption.
Does this approach have any critical vulnerability? Could you suggest another?
