We keep our public keys in PKCS12 files which have a password that is used to encrypt them. But that password is just a string that is burned into our app. We don't even bother to randomly generate that string since we would then have to save it in a file right next to the PKCS12 file, so what is the point? We are trying to make sure that the PKCS12 is in app-only storage (so other apps can't get to it) but that's about it.
Both iOS and Android do provide for 'key stores' but they are not really useful in my personal opinion. The reason is that both just end up storing a file with the secrets encrypted using a key derived from the device key. So anyone who breaks the device key can get to those keys no problem.
In fact I would argue that the key stores are completely useless for anyone who encrypts their phone drive since that too is encrypted with a key derived from the device key.
Nevertheless, if someone has a phone that isn't encrypted but does have a device key and so is 'locked', then using the key chain provides some tiny amount of protection against completely unsophisticated attackers.
So we probably should get JXCore to expose an API to access the mobile platform's key store and then use it.