I was going through this research paper on Security on mobile device (Android) for key storage.
I wanted to know what other devs are doing in terms of Key Storage in the device.
We observed that there are two ways that we can implement a secure key storage .
- TEE aka TrustZone technology aka AndroidKeyStore
- Bouncy Castle package
While Bouncy Castle give flexibility to be used in any device regardless of Version, TEE is fixed to couple of version. So anything above V23 will work perfectly . Below v18 we derive while using the password on runtime. Between 18 <> 23 there is no AES support so we will have to use our own package to generate but in our case this is of less importance as we will use since we will be using our own package.
So technically android runs two operating system parallely
Normal Android Os (Untrusted env)
According to google all cryptographic stuff should happen on TRUSTY and it provides a package called keystore to access TRUSTY . But when it comes to blockchain since our keygen packages are not supported by TEE. We generate in Untrusted Os and then pass it over to TEE for storage. via the android keyStore package.
Another aspect is the Entropy of the Keys generated itself.
What are you thoughts on this .
In India all enterprises they are suggesting a decentralize vault with HSM. But perhaps thats a totally different discussion