Please note that the contents of this offline web site may be out of date. To access the most recent documentation visit the online version .
Note that links that point to online resources are green in color and will open in a new window.
We would love it if you could give us feedback about this material by filling this form (You have to be online to fill it)
  • Building Apps with
    User Info & Location
  • Building Apps for
    Wearables
  • Best Practices for
    Interaction & Engagement
  • Best Practices for
    User Interface
  • Best Practices for
    User Input
  • Best Practices for
    Background Jobs
  • Best Practices for
    Performance
  • Best Practices for
    Security & Privacy
  • Best Practices for
    Testing
  • Using Google Play to
    Distribute & Monetize

    • Android Keystore System

    Previous Next Get started

    The Android Keystore system lets you store private keys in a container to make it more difficult to extract from the device. Once keys are in the keystore, they can be used for cryptographic operations with the private key material remaining non-exportable.

    The Keystore system is used by the KeyChain API as well as the Android Keystore provider feature that was introduced in Android 4.3 (API level 18). This document goes over when and how to use the Android Keystore provider.

    Choosing Between a Keychain or the Android Keystore Provider

    Use the KeyChain API when you want system-wide credentials. When an app requests the use of any credential through the KeyChain API, users get to choose, through a system-provided UI, which of the installed credentials an app can access. This allows several apps to use the same set of credentials with user consent.

    Use the Android Keystore provider to let an individual app store its own credentials that only the app itself can access. This provides a way for apps to manage credentials that are usable only by itself while providing the same security benefits that the KeyChain API provides for system-wide credentials. This method requires no user interaction to select the credentials.

    Using Android Keystore Provider

    To use this feature, you use the standard KeyStore and KeyPairGenerator classes along with the AndroidKeyStore provider introduced in Android 4.3 (API level 18).

    AndroidKeyStore is registered as a KeyStore type for use with the KeyStore.getInstance(type) method and as a provider for use with the KeyPairGenerator.getInstance(algorithm, provider) method.

    Generating a New Private Key

    Generating a new PrivateKey requires that you also specify the initial X.509 attributes that the self-signed certificate will have. You can replace the certificate at a later time with a certificate signed by a Certificate Authority.

    To generate the key, use a KeyPairGenerator with KeyPairGeneratorSpec : 

           /*
 * Generate a new entry in the KeyStore by using the
 * KeyPairGenerator API. We have to specify the attributes for a
 * self-signed X.509 certificate here so the KeyStore can attach
 * the public key part to it. It can be replaced later with a
 * certificate signed by a Certificate Authority (CA) if needed.
 */
Calendar cal = Calendar.getInstance();
Date now = cal.getTime();
cal.add(Calendar.YEAR, 1);
Date end = cal.getTime();

KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore");
kpg.initialize(new KeyPairGeneratorSpec.Builder(getApplicationContext())
        .setAlias(alias)
        .setStartDate(now)
        .setEndDate(end)
        .setSerialNumber(BigInteger.valueOf(1))
        .setSubject(new X500Principal("CN=test1"))
        .build());

KeyPair kp = kpg.generateKeyPair();

    Working with Keystore Entries

    Using the AndroidKeyStore provider takes place through all the standard KeyStore APIs.

    Listing Entries

    List entries in the keystore by calling the aliases() method: 

           /*
 * Load the Android KeyStore instance using the the
 * "AndroidKeyStore" provider to list out what entries are
 * currently stored.
 */
KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
ks.load(null);
Enumeration<String> aliases = ks.aliases();

    Signing and Verifying Data

    Sign data by fetching the KeyStore.Entry from the keystore and using the Signature APIs, such as sign() : 

           /*
 * Use a PrivateKey in the KeyStore to create a signature over
 * some data.
 */
KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
ks.load(null);
KeyStore.Entry entry = ks.getEntry(alias, null);
if (!(entry instanceof PrivateKeyEntry)) {
    Log.w(TAG, "Not an instance of a PrivateKeyEntry");
    return null;
}
Signature s = Signature.getInstance("SHA256withRSA");
s.initSign(((PrivateKeyEntry) entry).getPrivateKey());
s.update(data);
byte[] signature = s.sign();

    Similarly, verify data with the verify(byte[]) method: 

           /*
 * Verify a signature previously made by a PrivateKey in our
 * KeyStore. This uses the X.509 certificate attached to our
 * private key in the KeyStore to validate a previously
 * generated signature.
 */
KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
ks.load(null);
KeyStore.Entry entry = ks.getEntry(alias, null);
if (!(entry instanceof PrivateKeyEntry)) {
    Log.w(TAG, "Not an instance of a PrivateKeyEntry");
    return false;
}
Signature s = Signature.getInstance("SHA256withRSA");
s.initVerify(((PrivateKeyEntry) entry).getCertificate());
s.update(data);
boolean valid = s.verify(signature);
    Next Get started Next class