I want to store some small but critical piece of information such as AES keys in my Android application. What would be the recommended way to do this? I do not want to hardcode keys as part of my application.

I look at KeyStore but it does not really solve my problem. It can store my keys given that I can provide a password. Then I need to find a secure place to store this password which is same as my original problem.

Is there a built in Android class to perform this task? Or should I look for third party libraries? Using NDK is also acceptable for me.


I was hoping to find an Android API for storage such that guarantees that only the application that stored some information can retrieve it back. Android OS could have enforced this based on signing signatures of the application. This way my application can generate a random key on first run and store it in secure storage for later use. Are there any API for this?

Szere Dyeri
  • 13,926
  • 10
  • 35
  • 40
  • 2
    Well if you store data in the application's `/data/data//` then only that application can access it. This isn't true if the phone is rooted though. But other than that, you should be ok storing password data there. – Falmarri Jul 27 '10 at 06:42

3 Answers3


Is there a built in Android class to perform this task?

Other than java.io.File, no.

Or should I look for third party libraries?

You can try, but I suspect most will look like the solution you already rejected. Most secure data stores involve passwords and assume the passwords are held elsewhere (e.g., in a user's head). For example, OI Safe has an Intent-based system of allowing applications to store stuff in the safe, but then the user is involved in unlocking the safe, IIRC.

  • 910,778
  • 176
  • 2,215
  • 2,253
  • Thank you for the answer. It does not really solve my problem but it is good to know the limitations. – Szere Dyeri Jul 27 '10 at 03:07
  • @Szere Dyeri: "I was hoping to find an Android API for storage such that guarantees that only the application that stored some information can retrieve it back." -- there is no such API in Android, sorry. – CommonsWare Jul 27 '10 at 04:32
  • 2
    What do you mean there is no such API? This guarantee is the default behavior for all files the app stores on internal storage, since each application is given a unique user ID and the default mode of files an app creates is to be only readable/writeable by the creator's uid. The only except to this is (a) files placed on external storage, and (b) files created with the flag to make them world readable/writeable. The only way another application can run with your uid is if both (a) it is signed with your cert and (b) you both have the same android:sharedUserId. – hackbod Jul 27 '10 at 11:26
  • 4
    @hackbod: I was under the impression that the OP was seeking something that would survive a rooted device. Your solution, while entirely apropos otherwise, can be trivially defeated by rooting. However, a root-proof solution is definitely an assumption of mine, and I apologize to the OP if rooting is not a particular concern. – CommonsWare Jul 27 '10 at 12:17
  • 2
    Oh if the user has root, there is no data you can protect, period, end of story. You can try to make things more difficult, but actual protection is gone. – hackbod Jul 28 '10 at 01:29
  • Assuming you are willing to accept networking requirements upon the app, you could run a simple store for key (device-id specific) on a server and ensure HTTPS is used for fetching that key on startup? Then there are the disaster recovery problems and (alter?) scale concerns? – Aidanapword Apr 09 '12 at 15:03
  • Is this still the same after 3 years? – Héctor Júdez Sapena Jul 26 '13 at 12:20
  • @HéctorJúdezSapena: Yes. Internal storage is protected against other apps, but not against rooted device users. – CommonsWare Jul 26 '13 at 12:26
  • @Aidanapword: According to what I've read about the subject, if the attacker can reverse-engineer the .apk (even an obfuscated one for that matter, despite the additional difficulty), the key retrieval HTTPS request can be figured out and simulated in order to acquire the remote key. – Piovezan Oct 03 '13 at 16:50
  • 1
    @hackbod That isn't true. Although ARM chips might not support it. With chips that support the specifications of the Trusted Computing Group you can create a private key that can only be accessed by code with a certain hash. It's the job of the hardware to make sure this protection is in place, and rooting the device doesn't change this. So it's technically possible, but I'm not sure if ARM chips implement this technology. – runeks Apr 19 '14 at 16:42

One solution, if you end up with using the KeyStore API, is to generate your password dynamically at run time every time the app needs to access the KeyStore. If you base your password algorithm on a simple, but changeable, variable tied to the specific installation such as the device MEID (or other specific ID of the physical device gained at run time) you could provide a key to the lock that becomes increasingly difficult to pick.

Example: use an ID from the physical device, cut in three positions and append them to the end position in the ID string, then append your initials to the string programmatically. I would think this approach would give a layer of security that cannot be easily broken unless the cracker knows how you made the key (i.e. has your source code).

MEID = MEID + "fluffy" + "2008";

Where MEID is a string with some ID from the device, "fluffy" is the name of your best friends cat, and "2008" is the year of an important event in your life. Then feed this new string into an array, parse through a number that suits you (the day of the month that you got your drivers licence for example), grab three chars out and drop those chars at the end of the string. Clip from the front of the string to the number of positions you need for your key and away you go. This should not be a very processor intensive task so, with some fault tolerance code for the variables, you should be able to run this in your main process even with out too much worry of getting an ANR from the system. If you really want to get froggy, convert the string to bits at some point and 'bitwise op' the changes. Viola, a low overhead, dynamic key that is unique to the device it is run on!


As @RedWarp pointed out, decompiling an .apk is always within the realm of possiblility for any object code with the proper tools and motivation. If the "key" generation is a really important process then abstracting the key gen outside the scope of the app is a must.

The real point that I am trying to make with this answer is that a little fore thought can go a ways with regards to minimal security. Stronger security is more in depth than a simple answer from me.

  • 1,828
  • 2
  • 23
  • 36
  • 3
    Security through obscurity may only delay a persistent attacker. It sure adds spice to the recipe. It should not be used as an only viable option. – Samuel Aug 01 '12 at 05:47
  • @SamQuest Of course this is not presented as an only viable option, but is a start, to get one to think in other and unique ways in regard to key security. But unless the app in question is a financial application or other high security implementation, this should provide sufficient obscurity. Another option could be to remotely provide the obscured key through a RPC script or something, but this approach will likely include additional complexity. – Kingsolmn Aug 01 '12 at 16:08
  • 3
    It's quite easy to reverse an .apk, and therefor get the algorythm – Redwarp Nov 26 '12 at 12:44

You have to distinguish here between keys and app data.

The "AndroidKeyStore" KeyPairGenerator and KeyGenerator stores the keys they generate from your app under an alias in the KeyStore and associates the keys to your app. If the device has "secure hardware" you can specify that it be used and the keys will be stored there.

There is no password for the keys. You use the alias to specify which key you want to use. Only your app can retrieve the keys it had generated.


For your app's private data, if I understand ".. an Android API for storage such that guarantees that only the application that stored some information can retrieve it back. ..", you might look at these:

https://developer.android.com/guide/topics/data/data-storage.html#filesInternal https://developer.android.com/guide/topics/data/data-storage.html#db