Hardware-backed security

Most newer Android devices, and all newer Apple mobile devices, and many desktop machines, provide hardware-backed key management and encryption. This should be used when available. The hardware will store keys and will enforce rate limits on brute-force cracking attempts. Then even a weak password or a 4-digit PIN can provide relatively high security.

The Android Keystore and iOS Keychain is already used… ?

I searched the source code on github and didn’t find any suitable hits. Maybe I was using the wrong search strings. Sorry about that.

Same API calls either way, so it’s not going to be obvious unless the code calls something like keyInfo.isInsideSecureHardware() and does something special. Or calls getEncoded() on a private key and does something with the result - because that would be a null value if the device has a Trusted Execution Environment, since you can’t take private keys out of it.

But if you look at the significant part of the code…

… none of that is happening. The code is just passing objects around. On a device with a TEE, the objects are just holding references to the private key and the crypto operations (cipher.doFinal()) are actually executed within the TEE by the KeyMaster module. But that’s a layer underneath the KeyStore API and happens transparently to the calling code.

It’s very kind of you to explain in detail. Thanks.