How to save a private key locally in security?


I am developing an application for Android/iOS mobile devices, in which the communication with the server is encrypted. When the user's application is first started, it generates a public/private key pair. The public key is sent to the server, where it is stored, and the private key is stored on the client's device. In this respect I believe it works in a similar way to the messaging application WhatsApp. However, I don't know how to protect this private key stored on the device. It must not be captured by third parties, so as not to compromise the user's safety. How should I deal with this?

  • If the keys are not stored in dedicated hardware (HSM, TPM, ...) they can be extracted at some point. WhatsApp is an example: there are already tools that extract its keys, even without root. Android, in particular, has the "Keystore", which serves this purpose (https://developer.android.com/training/articles/keystore.html?hl=pt-br); iOS must have something similar.

  • Very interesting, I've always been curious to know how these applications protect the keys. But I believe there is a way to make this process difficult, so that at least the key is not accessible to just anyone, and then I would only have to deal with these tools and a smaller number of users with enough skill to extract the keys.
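The comment above points at the Android Keystore. As an added example (this is not code from the question, the comments or the answer), here is how an app can generate its key pair inside the Keystore on first start, so that the private half is non-exportable and is only ever used in place, and how it can check afterwards whether the key actually lives in secure hardware (TEE or StrongBox) rather than in a software keystore. The class name and the key alias are assumptions; the API calls are the documented `android.security.keystore` and `java.security` ones (API 23+, StrongBox branch API 28+):

```java
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import android.security.keystore.StrongBoxUnavailableException;
import android.util.Base64;

import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;

/** Added example: a per-device EC key whose private half never leaves the Android Keystore. */
public final class DeviceKey {
    // The alias is an assumption; any stable per-app string works.
    private static final String ALIAS = "device-identity-key";
    private static final String PROVIDER = "AndroidKeyStore";

    /** First start: generate a P-256 key pair inside the Keystore and return the public half. */
    public static PublicKey generate() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, PROVIDER);
        KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder(
                ALIAS, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256);

        // Prefer a dedicated secure element when the device has one (API 28+),
        // otherwise fall back to the TEE-backed keystore.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            try {
                kpg.initialize(builder.setIsStrongBoxBacked(true).build());
                return kpg.generateKeyPair().getPublic();
            } catch (StrongBoxUnavailableException e) {
                builder.setIsStrongBoxBacked(false);
            }
        }
        kpg.initialize(builder.build());
        return kpg.generateKeyPair().getPublic();
    }

    /** Later starts: load the handle to the existing key; null if none has been generated yet. */
    private static PrivateKey load() throws Exception {
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null);
        KeyStore.Entry entry = ks.getEntry(ALIAS, null);
        if (!(entry instanceof KeyStore.PrivateKeyEntry)) return null;
        return ((KeyStore.PrivateKeyEntry) entry).getPrivateKey();
    }

    /** Sign a server challenge. The key material stays in the keystore; only the signature comes out. */
    public static byte[] sign(byte[] challenge) throws Exception {
        PrivateKey priv = load();
        if (priv == null) throw new IllegalStateException("no device key yet; call generate() first");
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(priv);
        s.update(challenge);
        return s.sign();
    }

    /** True only if the key lives in secure hardware (TEE or StrongBox), not in a software keystore. */
    public static boolean isHardwareBacked() throws Exception {
        PrivateKey priv = load();
        if (priv == null) return false;
        KeyFactory kf = KeyFactory.getInstance(priv.getAlgorithm(), PROVIDER);
        KeyInfo info = kf.getKeySpec(priv, KeyInfo.class);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            int level = info.getSecurityLevel();
            return level == KeyProperties.SECURITY_LEVEL_TRUSTED_ENVIRONMENT
                    || level == KeyProperties.SECURITY_LEVEL_STRONGBOX;
        }
        return info.isInsideSecureHardware();
    }

    /** X.509 SubjectPublicKeyInfo encoding of the public key, the only thing sent to the server. */
    public static String exportPublicKey(PublicKey pub) {
        return Base64.encodeToString(pub.getEncoded(), Base64.NO_WRAP);
    }
}
```

Two caveats that follow from the comment's point. First, a hardware-backed key cannot be copied off the device, but anything that can execute as the app (including a root-level attacker on the same device) can still ask the keystore to sign with it, so the protection is against key extraction, not against misuse in place; binding the key to user authentication (`setUserAuthenticationRequired(true)` on the builder) narrows that window. Second, the app's own `isHardwareBacked()` result is only as trustworthy as the app; if the server needs proof, it should request a key attestation certificate chain (`setAttestationChallenge` on the builder) and verify it server-side.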

1 answer

1

I don't know about Android, but iOS has the concept of a reserved area for each application, i.e. no application gets access to the directories of another application, so just store the private key in the reserved area with NSKeyedArchiver.

I do not know the Android platform, but I believe it works the same way.
