How do you securely store sensitive data on platforms such as mobile?
Presumably a mobile app/device cannot be [completely] trusted to store cryptographic keys to a keystore or database that stores sensitive data. If so, how can you cryptographically store data so that the keys cannot be derived, most likely by decompiling the app or through MITM attacks? For example, could an authorised second party, a web server for example, maintain some secret, part of a key, so that the app itself must engage in some kind of challenge/response or handshake to get a shared key used to decrypt the database? And could this be achieved in a way which is secure? One possible solution appears to be Diffie-Hellman key exchange to get a shared key. So you would encrypt the data using a shared key, but not store that key locally and only request it from a web server when it is necessary to decrypt the data. (Of course, the problem then is that the data has been decrypted and is now plaintext somewhere in memory, but I think that's another question entirely.) Are there any other [better] ways of storing sensitive data on a device/app?
Answer:
Use a good cryptographic keystore of your own using a well-respected library (i.e. Bouncy Castle) or write an algorithm yourself if you don't trust libraries. Have the end user type in the passphrase himself, which is used with a password-based key derivation function to create the key used to encrypt the keystore. In this scenario, keying material is held in the user's brain. The phone contains the encrypted keystore.
William Emmanuel Yu at Quora
Other answers
You can mix parts of your private key into native and Java code so it will be really hard to reverse engineer this. But it is still possible. Or you can use the Google way for this (http://android-developers.blogspot.ru/2013/01/verifying-back-end-calls-from-android.html). I think there are no other trusted methods...
Dmitry Lukashev
Using PUF methods, keys can be encrypted by "hardware keys" which are extracted from hardware properties of the phone.
Çetin Kaya Koç
Starting from Android 4.3 you can use new secure key-value storages that are backed in hardware trusted zone: http://developer.android.com/about/versions/android-4.3.html#Security http://developer.android.com/reference/android/security/KeyChain.html
Alexey Golubev
Facebook has released the Conceal library (https://code.facebook.com/posts/1419122541659395/introducing-conceal-efficient-storage-encryption-for-android/) for this purpose as well. According to their experiments, it is faster than other libraries.
Ildar Muslukhov