My Android app needs to encrypt a file so that it can decrypt and read it later. This should not be decrypt-able by anybody else other than the app, even the user.
Following
I ran into the "could not generate key in keystore" issue with one of my apps, and after digging deep into it with one of the affected phones I discovered that some devices have it set up so that the phone's unlock pattern/pass/pin is different than the password that actually unlocks the key storage. If you want to double check that that is your issue as well, you can use the work here: http://nelenkov.blogspot.com/2012/05/storing-application-secrets-in-androids.html to get at the actual private system API the public KeyPairGenerator objects are calling and check the return code on it. I'm not sure why Google decided to hide the return code behind a boolean, but there you have it.
You can trigger an unlock of the keystore manually by calling startActivity(new Intent("com.android.credentials.UNLOCK")); but this might not really help much. From what I've seen, if a phone is in this state it is because some Device Administrator app locked the keystore in the background so it can set up VPN or email credentials. This means the user doesn't actually know the password. I'm still looking into a workaround (possibly find out how the Device Administrator apps get access to the keystore so I can unlock it that way), but it's a hairy issue to say the least. I'll try to update this if I find out more in my explorations; hopefully this at least points some people in the right direction.
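The failure and the unlock intent described in the answer above, put together as an added example that is not part of the original post. The class name, method name and key alias are hypothetical, and it assumes the API 18-22 KeyPairGeneratorSpec path, where the failure reaches the app as an IllegalStateException from generateKeyPair().

```java
import android.app.Activity;
import android.content.ActivityNotFoundException;
import android.content.Intent;
import android.security.KeyPairGeneratorSpec;

import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Calendar;
import javax.security.auth.x500.X500Principal;

/** Hypothetical helper; all names here are assumptions made for the example. */
public final class KeystoreKeyHelper {
    private static final String ALIAS = "file_wrapping_key"; // constructed alias

    /** Returns the key pair, or null if generation failed and an unlock prompt was requested. */
    public static KeyPair generateOrRequestUnlock(Activity activity)
            throws GeneralSecurityException {
        Calendar start = Calendar.getInstance();
        Calendar end = Calendar.getInstance();
        end.add(Calendar.YEAR, 25);
        KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(activity)
                .setAlias(ALIAS)
                .setSubject(new X500Principal("CN=" + ALIAS))
                .setSerialNumber(BigInteger.ONE)
                .setStartDate(start.getTime())
                .setEndDate(end.getTime())
                .build();
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore");
        generator.initialize(spec);
        try {
            return generator.generateKeyPair();
        } catch (IllegalStateException e) {
            // The public API does not expose the keystore return code, so a
            // locked keystore cannot be told apart from other failures here.
            try {
                activity.startActivity(new Intent("com.android.credentials.UNLOCK"));
            } catch (ActivityNotFoundException notFound) {
                // No credential-storage UI on this build; nothing to prompt with.
            }
            // Caller retries later (e.g. from onResume()) and must cope with
            // repeated failure: the user may not know the keystore password.
            return null;
        }
    }
}
```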