An overview of Android Keystore System

KeyStore

KeyStore can be defined as a database, API or even a class depending on the context. To make it simple, KeyStore can be defined as a secure collection of aliased keys and certificates. Typically, KeyStores are saved in the file storage, protected with password.

Android keystore system

If we read the official documentation, it says

The Android Keystore system lets you store cryptographic keys in a container to make it more difficult to extract from the device. Once keys are in the keystore, they can be used for cryptographic operations with the key material remaining non-exportable.

So, from the above statement we can infer that, it lets us,

• Store cryptographic keys (private, public keys)
• Perform cryptographic operations using stored keys (encrypt, decrypt, sign, verify, etc.)

Actually, it stores the credentials in a system credential storage or KeyStore either by the KeyChain API or by the AndroidKeyStore provider feature. For better understanding, let's know a little bit about their history,

A system KeyStore was introduced in Android 1.6 (Donut). But unfortunately, at that time, apps were not able to access it as it's access was only limited to VPNs and for Wifi authentication. Therefore, apps were maintaining their own KeyStore. It was okay but sometimes it was causing manageability issues when multiple apps were wanting to share common credentials among them. To address this problem, Android 4.0 (ICS) introduced the KeyChain API which allowed apps to access the system KeyStore with user's permission.

KeyChain

With KeyChain API, apps can request user to install or choose credentials by prompting system dialog. It also allows apps to list and access their allowed credentials stored in the system KeyStore. Most interestingly, the apps don't have to use separate password to protect the system keystore as it is protected by lock screen and device administration. The credentials that are imported by any app can be accessed by other apps with the user's permission. You can also see the list of user credentials in the System Settings by navigating to Settings > Security & lock screen > Encryption & credentials > User credentials. (The settings path and menu may vary depending on the device manufacturer and OS version. It is given based on Oneplus 6)

AndroidKeyStore provider feature

This feature was introduced in Android 4.3 (API level 18) to let apps generate, store their credentials in the system keystore which can only be accessed by the app itself. To perform operations, no user interaction is required.