Android security- TEE (Trusted Execution Environment )

Hi All,

I was going through this research paper on Security on mobile device (Android) for key storage.

Research Paper

I wanted to know what other devs are doing in terms of Key Storage in the device.

Baseline
We observed that there are two ways that we can implement a secure key storage .

  1. TEE aka TrustZone technology aka AndroidKeyStore
  2. Bouncy Castle package

While Bouncy Castle give flexibility to be used in any device regardless of Version, TEE is fixed to couple of version. So anything above V23 will work perfectly . Below v18 we derive while using the password on runtime. Between 18 <> 23 there is no AES support so we will have to use our own package to generate but in our case this is of less importance as we will use since we will be using our own package.

So technically android runs two operating system parallely
Normal Android Os (Untrusted env)
Trusty (TEE)

According to google all cryptographic stuff should happen on TRUSTY and it provides a package called keystore to access TRUSTY . But when it comes to blockchain since our keygen packages are not supported by TEE. We generate in Untrusted Os and then pass it over to TEE for storage. via the android keyStore package.

Another aspect is the Entropy of the Keys generated itself.

What are you thoughts on this .

In India all enterprises they are suggesting a decentralize vault with HSM. But perhaps thats a totally different discussion :slight_smile:

Another paper which is more recent [
http://dione.lib.unipi.gr/xmlui/bitstream/handle/unipi/11252/KASAGIANNIS%20GEORGIOS%201515%20-%20SECURITY%20EVALUATION%20OF%20ANDROID%20KEYSTORE.pdf?sequence=3&isAllowed=y