Android Keystore
The Android Keystore is a system-level API that allows applications to generate, store, and use cryptographic keys within a secure container, optionally backed by hardware security modules such as a Trusted Execution Environment (TEE) or StrongBox, preventing keys from being exported or accessed by other processes.
Mobile applications frequently need to perform cryptographic operations such as encrypting local data, signing authentication tokens, or establishing secure channels. Storing the keys for these operations in application preferences or files leaves them vulnerable to extraction on rooted devices or through backup mechanisms. The Android Keystore addresses this by providing a dedicated key management facility that binds keys to the device hardware.
When a key is generated inside the Android Keystore with hardware backing, the key material never leaves the secure processor. All cryptographic operations are performed within the TEE or StrongBox module, and the application receives only the results. This design means that even if an attacker gains root access to the main operating system, they cannot extract the raw key bytes.
Developers can attach usage constraints to keys stored in the Keystore. These constraints include requiring user authentication via biometrics or device credentials before each use, restricting the key to specific algorithms and block modes, and setting expiration dates. These policies are enforced by the secure hardware, not by the application code, which provides a stronger guarantee.
Proper use of the Android Keystore is a key requirement in the OWASP MASVS data storage and cryptography categories. Applications that store sensitive keys outside the Keystore are commonly flagged during security assessments as having insecure data storage vulnerabilities.