Keystore secure data storage setup in Android

TRUETECH is engaged in the development, support and maintenance of iOS, Android, PWA mobile applications. We have extensive experience and expertise in publishing mobile applications in popular markets like Google Play, App Store, Amazon, AppGallery and others.
8+Years of work900+Completed projects100+In house employees19+Partners
Development and support of all types of mobile applications:
Information and entertainment mobile applications
News apps, games, reference guides, online catalogs, weather apps, fitness and health apps, travel apps, educational apps, social networks and messengers, quizzes, blogs and podcasts, forums, aggregators
E-commerce mobile applications
Online stores, B2B apps, marketplaces, online exchanges, cashback services, exchanges, dropshipping platforms, loyalty programs, food and goods delivery, payment systems.
Business process management mobile applications
CRM systems, ERP systems, project management, sales team tools, financial management, production management, logistics and delivery management, HR management, data monitoring systems
Electronic services mobile applications
Classified ads platforms, online schools, online cinemas, electronic service platforms, cashback platforms, video hosting, thematic portals, online booking and scheduling platforms, online trading platforms

These are just some of the types of mobile applications we work with, and each of them may have its own specific features and functionality, tailored to the specific needs and goals of the client.

Offered services
Showing 1 of 1 servicesAll 1735 services
Keystore secure data storage setup in Android
Medium
from 1 business day to 3 business days
FAQ
Our competencies:
Development stages
Latest works
  • image_mobile-applications_feedme_467_0.webp
    Development of a mobile application for FEEDME
    756
  • image_mobile-applications_xoomer_471_0.webp
    Development of a mobile application for XOOMER
    624
  • image_mobile-applications_rhl_428_0.webp
    Development of a mobile application for RHL
    1052
  • image_mobile-applications_zippy_411_0.webp
    Development of a mobile application for ZIPPY
    947
  • image_mobile-applications_affhome_429_0.webp
    Development of a mobile application for Affhome
    862
  • image_mobile-applications_flavors_409_0.webp
    Development of a mobile application for the FLAVORS company
    445
Show more works

Setting up Keystore for Secure Data Storage in Android

Android Keystore System is not just a place to store keys. It's a hardware-isolated container (Trusted Execution Environment or Secure Element) from which the private key never leaves the device as plaintext. Crypto operations execute inside TEE. Most Android apps don't use this, storing tokens in plaintext SharedPreferences.

How to Correctly Generate and Use Keys

AES key generation in Keystore:

val keyGenerator = KeyGenerator.getInstance(
    KeyProperties.KEY_ALGORITHM_AES,
    "AndroidKeyStore"
)
keyGenerator.init(
    KeyGenParameterSpec.Builder(
        "my_secure_key_alias",
        KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
    .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
    .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
    .setUserAuthenticationRequired(false)  // true for biometry
    .setKeySize(256)
    .build()
)
keyGenerator.generateKey()

After this, the key lives in Keystore. Encrypt data via Cipher with this key, save the encrypted blob + IV in SharedPreferences or Room. The key is not directly accessible from Keystore — you can't export bytes, only use it for operations via JCE API.

Why GCM, not CBC. AES-GCM provides authenticated encryption: on decryption, MAC is verified, and if data is modified, Cipher.doFinal() throws AEADBadTagException. AES-CBC doesn't — corrupted data decrypts to garbage without error.

StrongBox vs TEE

On devices with Android 9+ and hardware Secure Element, StrongBox Keymaster is available. Difference from regular TEE: keys stored in physically separate chip (Pixel 3+, Samsung Galaxy S series). Enabled via flag:

.setIsStrongBoxBacked(true)

StrongBox is slower (~100ms per operation vs ~5ms for TEE), but keys survive even if main processor is compromised. For most apps, TEE is sufficient. StrongBox makes sense for critical transaction signing keys (fintech, healthcare).

Biometric Key Protection

.setUserAuthenticationRequired(true)
.setUserAuthenticationParameters(
    0,  // 0 = every time, >0 = timeout in seconds
    KeyProperties.AUTH_BIOMETRIC_STRONG or KeyProperties.AUTH_DEVICE_CREDENTIAL
)

AUTH_BIOMETRIC_STRONG on Android 11+ means only Class 3 biometry (Face ID level or fingerprint sensor passing CDD certification). Class 2 (most front cameras without dedicated secure enclave) doesn't qualify. When setUserAuthenticationRequired(true), attempting to decrypt without prior biometry throws UserNotAuthenticatedException.

Perform biometric authentication via BiometricPrompt.CryptoObject(cipher) — this links the biometric session with your specific Cipher, initialized with your key. Important: without CryptoObject, biometry doesn't authorize key use.

Key Invalidation on Biometry Change

.setInvalidatedByBiometricEnrollment(true)

Default true — key invalidates when new fingerprint is added or biometry reset. Correct behavior for data encryption keys. Handle KeyPermanentlyInvalidatedException when using invalidated key — generate new key and ask user to login again.

Process

Audit — find everything stored in plaintext SharedPreferences (tokens, cookies, session IDs). Design schema: which data to encrypt with Keystore key, which requires biometry. Implement CryptoManager with encrypt/decrypt, integrate with existing storage layer (DataStore, Room). Test on emulators API 23–34 and real devices — Keystore behavior on some custom ROMs (Huawei without GMS) differs.

Timeline: 1–3 days depending on data volume and biometric protection requirements.