Data Storage Security Flashcards
SECURITY › Security
- What is the core security guarantee of the Android Keystore system?
- Key material is non-exportable: cryptographic operations happen in a system process or secure hardware, so even a fully compromised app process can use a key but cannot read the raw key bytes out.
- What is the difference between a TEE-backed key and a StrongBox-backed key?
- TEE (TRUSTED_ENVIRONMENT) runs in an isolated region of the main SoC. StrongBox runs in a separate dedicated tamper-resistant secure element with its own CPU, storage, and RNG. StrongBox is stronger but slower with fewer algorithms and limited concurrency; request it via setIsStrongBoxBacked(true).
- How does EncryptedSharedPreferences encrypt data, and where does its master key live?
- Keys are encrypted with AES256-SIV (deterministic, so lookups work) and values with AES256-GCM (authenticated). Both use a data-encryption key wrapped by a MasterKey stored in the Android Keystore.
- What should you never store in plain SharedPreferences, and why?
- Auth tokens, refresh tokens, passwords, API keys, session IDs, and PII. SharedPreferences is an unencrypted XML file in app-private storage, fully readable on a rooted device, via backup, or through any data leak.
- How do you make a Keystore key usable only after the user authenticates (biometric-gated key)?
- Set setUserAuthenticationRequired(true) and setUserAuthenticationParameters(timeout, AUTH_BIOMETRIC_STRONG | AUTH_DEVICE_CREDENTIAL). A timeout of 0 forces per-operation auth, unlocked by passing a Cipher in BiometricPrompt.CryptoObject.
- By default, what happens to a biometric-bound key when the user enrolls a new fingerprint?
- The key is permanently invalidated (invalidatedByBiometricEnrollment defaults to true). This is a security feature against an attacker who enrolls their own biometric; you can opt out with setInvalidatedByBiometricEnrollment(false).
- What is scoped storage and how do you access shared media or documents under it?
- Scoped storage (default since Android 10/11) limits an app to its own sandboxed directories plus the MediaStore for media it owns. Other files require MediaStore queries with user consent or the Storage Access Framework; broad READ/WRITE_EXTERNAL_STORAGE is no longer granted.
- Is the Jetpack Security Crypto library (EncryptedSharedPreferences) still recommended in 2026?
- No. androidx.security:security-crypto was deprecated in 2024 and is no longer maintained. Recommended paths are the Keystore directly (or via Tink/keyset), or encrypting data yourself before writing it into SharedPreferences/DataStore/files.
- Why encrypt sensitive data at rest if it already sits in app-private storage?
- App-private storage is only a filesystem permission boundary, defeated by root, device theft with an unlocked bootloader, ADB backup, or forensic extraction. Keystore-backed encryption ties the data to hardware keys that never leave the device, so dumped bytes are useless without the device.