I am trying to connect a Bluetooth device to several Android apps. I want to use the same long-term key (LTK) for all apps (AES256) and derive session keys from that LTK in each app to establish a secure communication tunnel. I use shared preferences in private mode, which allows apps with the same bundle ID to access the same data, but unfortunately shared preferences are not secure enough, and the data is also available to other root access level requests. I am using the Android Keystore to store the LTK, but I need to improve the solution for two scenarios: 1. apps with the same bundle ID, and 2. apps with different bundle IDs using the same SDK.
I am looking for a secure way to store the LTK on the Android device so that it is accessible by those specific apps.
Is there a solution similar to the Apple Keychain available for Android now? (I think the Android KeyChain works differently. I prefer a solution like the Apple Keychain, to transfer the security trustworthiness and challenges to the OS level.) Or should I use shared preferences and secure them myself? In this regard, if I should use the Android Keystore to generate and store that LTK, does the Android Keystore allow me to access the same key from different apps with different bundle IDs? Please describe the different options and limitations.