Limitations of secure storage - KeyChain and KeyStore

android ios flutter keychain android-keystore
1,389

Secure storage is like Shared Prefences/NSUserDefaults. It stores data in key-value pairs. The data is encrypted and uses a key made from a unique device key to encrypt and decrypt the data stored. The data is stored somewhere in the root directory where only the OS can access it.

  1. There is no storage limitations for secure storage (There is no space limits mentioned in any docs but I do think that you cannot store large amounts of data that are 1Gb+)
  2. You can store an unlimited amount of keys inside
  3. Based on MKJParekh's answer, you can store up to 2147483647 characters.
  4. The data gets deleted once the app is uninstalled. (Take note that the data in secured storage can't be backuped in Android) Take a look at this

Do not use secure storage for storing sensitive private keys and tokens. You didn't specify what private keys and tokens you're going to store in secure storage. You might be storing your database credentials or something that another user shouldn't obtain. Although data being stored in secure storage is encrypted, it isn't entirely secure. Users can root/jailbreak their devices which gives them full control of the OS. There are tools that can intercept keys as they are provided and use it to decrypt the data. The only way to prevent that is to never give the keys to the user. You should store it in a server that you can control. (Firebase Cloud Functions, AWS ECS, or your own VPS) are examples of these severs.

When to use Secure Storage
Use secure storage to store data that should be encrypted and hidden from the user. That data should store only store user's sensitive data such as their api keys and not your server private keys.

Share:
1,389
Andrija
Author by

Andrija

Software developer

Updated on December 14, 2022

Comments

  • Andrija
    Andrija over 1 year

    I'm planning to use flutter_secure_storage in my app to keep some private keys and tokens. I'm looking for limitations of secure storage on both Android and iOS but I cannot find answers to some of the questions:

    1. How big is KeyChain and KeyStore storage on iOS and Android, respectively?
    2. How many keys can we store inside?
    3. How big can individual key be?
    4. What is lifetime of the storage? Does it exist only while app is installed? Is it persistent of ephemeral?

    Thanks

  • Andrija
    Andrija over 3 years
    If I place anything inside secure storage, I would store it encrypted, not in plaintext. But I would use secure storage as yet another level of protection.
  • Andrija
    Andrija over 3 years
    I understood that this is a separate storage from internal memory, like a hardware vault inside a phone. But if it's part of phone memory, I guess it's big as phone memory is. I could not find any official documentation on this (yet).
  • CoderUni
    CoderUni over 3 years
    Yes, you can store an unlimited amount of data in the secure storage. It works like shared preferences but more secure. Regarding about the storage of your private key, I'm just really afraid that it gets stolen and hijacked. You can store it encrypted but you still need to decrypt it within your app. Your app can also be reverse engineered or hijacked to get the decryption key. I used to be like you, where I wanted to store my private keys.I've asked for many people's advice and they warned me not to.I really would like to share the same thing to people who would make the same mistake as me.
  • CoderUni
    CoderUni over 3 years
    In terms of security, it is not a good idea to store your key in someone's device. It is like hiding my belongings from someone that has the key to my house. I could hide them somewhere obscure, but they still have the key to my house. You could store them in secure storage but its don't expect it to be hidden from the user all the time. Could you tell me what those private keys are so I could give a suggestion on what would be a better option in terms of ease of development and security?
  • Andrija
    Andrija over 3 years
    Application requirement is for private keys to go into phone storage. It does not matter what are keys for, but they are important. It's up to me to investigate options how to store it securely. Is there anything wrong with using, e.g. AES-256 encryption with PIN + Biometrics + some salt to encrypt data?
  • Andrija
    Andrija over 3 years
    Sorry, I didn't see your previous answer. Yeah, I guess it will be up to user to physically secure device. But still, extracting from secure storage and decryption will be hard task.
  • CoderUni
    CoderUni over 3 years
    I'm relieved you won't be storing your aws server keys. Storing your user's keys really wouldn't be that much of a problem. It is the user's fault for not securing their device if their data gets stolen. Rooting/Jailbreaking a phone makes your device exposed to many vulnerabilities. Adding extra encryption would be a good choice but your biggest trade off is performance. You would have to encrypt and decrypt their data every time when you will read or write to the storage
  • CoderUni
    CoderUni over 3 years
    Extracting the data from secure storage wouldn't be a hard task. It works like SharedPreferences. For encryption, I recommend using this package: pub.dev/packages/crypto . Based on the details you've provided, using secure storage would be enough and even better since you added encryption
  • Furkan Yurdakul
    Furkan Yurdakul over 3 years
    @Andrija You should give your bounty to him if you think the answer is correct by the way.
  • Andrija
    Andrija over 3 years
    @FurkanYurdakul is that all? what else should I do?
  • Furkan Yurdakul
    Furkan Yurdakul over 3 years
    Well it ended so :)
  • Andrija
    Andrija over 3 years
    @FurkanYurdakul so I didn't have to do anything?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Comparaing Two PinCode textfield in flutter test
Implementing snapConfiguration to SliverPersistentHeader
Cannot mix 2018 and 2021 terms in call to TextTheme() constructor
Unable to build iOS or Android app after upgrade to Flutter 3.0
Does flutter_background_geolocation fetch the location even when app is killed?
FlutterError : The key [LabeledGlobalKey<FormState>] was used by multiple widgets
LateInitializationError: Field 'snapshot' has not been initialized
Do we need Android SDK , IOS SDK separately along with flutter SDK for flutter applications
Flutter Tab Bar View
Flutter: How to make a text editor?