Data Storage Security Flashcards

SECURITY › Security

What is the core security guarantee of the Android Keystore system?
Key material is non-exportable: cryptographic operations happen in a system process or secure hardware, so even a fully compromised app process can use a key but cannot read the raw key bytes out.
What is the difference between a TEE-backed key and a StrongBox-backed key?
TEE (TRUSTED_ENVIRONMENT) runs in an isolated region of the main SoC. StrongBox runs in a separate dedicated tamper-resistant secure element with its own CPU, storage, and RNG. StrongBox is stronger but slower with fewer algorithms and limited concurrency; request it via setIsStrongBoxBacked(true).
How does EncryptedSharedPreferences encrypt data, and where does its master key live?
Keys are encrypted with AES256-SIV (deterministic, so lookups work) and values with AES256-GCM (authenticated). Both use a data-encryption key wrapped by a MasterKey stored in the Android Keystore.
What should you never store in plain SharedPreferences, and why?
Auth tokens, refresh tokens, passwords, API keys, session IDs, and PII. SharedPreferences is an unencrypted XML file in app-private storage, fully readable on a rooted device, via backup, or through any data leak.
How do you make a Keystore key usable only after the user authenticates (biometric-gated key)?
Set setUserAuthenticationRequired(true) and setUserAuthenticationParameters(timeout, AUTH_BIOMETRIC_STRONG | AUTH_DEVICE_CREDENTIAL). A timeout of 0 forces per-operation auth, unlocked by passing a Cipher in BiometricPrompt.CryptoObject.
By default, what happens to a biometric-bound key when the user enrolls a new fingerprint?
The key is permanently invalidated (invalidatedByBiometricEnrollment defaults to true). This is a security feature against an attacker who enrolls their own biometric; you can opt out with setInvalidatedByBiometricEnrollment(false).
What is scoped storage and how do you access shared media or documents under it?
Scoped storage (default since Android 10/11) limits an app to its own sandboxed directories plus the MediaStore for media it owns. Other files require MediaStore queries with user consent or the Storage Access Framework; broad READ/WRITE_EXTERNAL_STORAGE is no longer granted.
Is the Jetpack Security Crypto library (EncryptedSharedPreferences) still recommended in 2026?
No. androidx.security:security-crypto was deprecated in 2024 and is no longer maintained. Recommended paths are the Keystore directly (or via Tink/keyset), or encrypting data yourself before writing it into SharedPreferences/DataStore/files.
Why encrypt sensitive data at rest if it already sits in app-private storage?
App-private storage is only a filesystem permission boundary, defeated by root, device theft with an unlocked bootloader, ADB backup, or forensic extraction. Keystore-backed encryption ties the data to hardware keys that never leave the device, so dumped bytes are useless without the device.

Back to Data Storage Security