AndroidKeystoreSecureArea
An implementation of SecureArea using Android Keystore.
Keys created using this implementation are hardware-backed, that is, the private key material is designed to never leave Secure Hardware. In this context Secure Hardware can mean either the TEE (Trusted Execution Environment) or an SE (Secure Element), specifically anything meeting the definition of an Isolated Execution Environment as per section 9.11 of the Android CDD.
Any key created will be attested to by the Secure Hardware, using Android Keystore Key Attestation. This gives remote parties (such as real-world identity document issuers) a high level of assurance that the private part of the key exists only in Secure Hardware and also gives a strong signal about the general state of the device (including whether verified boot is enabled, latest patch level, etc.) and which particular Android application (identified by Application Id) created the key.
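A relying-party check on the attestation described above, as an added example that is not part of this library: it parses the leading fields of the KeyDescription structure carried in the attestation certificate extension and rejects keys that are not in Secure Hardware or that answer a different challenge. It assumes the certificate chain was already validated to a trusted root and the extension value already extracted; all function names are hypothetical and the sample bytes are constructed.

```python
import hmac

# SecurityLevel enumeration from the Android key attestation KeyDescription schema.
SECURITY_LEVELS = {0: "Software", 1: "TrustedEnvironment", 2: "StrongBox"}

def read_tlv(buf, pos):  # one DER TLV (single-byte tag) -> (tag, value, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def parse_key_description(der):  # first six fields; the authorization lists are skipped
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    names = ("attestation_version", "attestation_security_level", "keymint_version",
             "keymint_security_level", "challenge", "unique_id")
    out, pos = {}, 0
    for name, want in zip(names, (0x02, 0x0A, 0x02, 0x0A, 0x04, 0x04)):
        tag, value, pos = read_tlv(body, pos)
        if tag != want:
            raise ValueError(f"unexpected tag for {name}")
        out[name] = value if want == 0x04 else int.from_bytes(value, "big")
    return out

def policy_failures(der, expected_challenge):
    """Return reasons a relying party should reject this attestation (empty = accept)."""
    kd, failures = parse_key_description(der), []
    if not hmac.compare_digest(kd["challenge"], expected_challenge):
        failures.append("challenge mismatch")
    for field in ("attestation_security_level", "keymint_security_level"):
        if SECURITY_LEVELS.get(kd[field]) not in ("TrustedEnvironment", "StrongBox"):
            failures.append(f"{field} is not Secure Hardware")
    return failures

def _tlv(tag, value):  # short-form encoder, used only to build the constructed sample
    return bytes([tag, len(value)]) + value

def constructed_sample(level, challenge):  # constructed input, not from a real device
    fields = [(0x02, b"\x64"), (0x0A, bytes([level])), (0x02, b"\x64"), (0x0A, bytes([level])),
              (0x04, challenge), (0x04, b""), (0x30, b""), (0x30, b"")]
    return _tlv(0x30, b"".join(_tlv(t, v) for t, v in fields))
```

The device-state signals (verified boot, patch level, application id) sit in the two authorization lists, which this example skips.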
Curve EcCurve.P256 for signing using algorithm Algorithm.ES256 is guaranteed to be implemented in Secure Hardware on any Android device shipping with Android 8.1 or later. As of 2024 this includes nearly all Android devices.
If the device has a StrongBox Android Keystore, keys can be stored there using CreateKeySettings.Builder.setUseStrongBox.
Other optional features may be available depending on the version of the underlying software (called KeyMint) running in the Secure Area. The Capabilities helper class can be used to determine what the device supports.
This implementation works only on Android and requires API level 24 or later.
Use AndroidKeystoreSecureArea.create to create an instance of this class.
Functions
Creates a batch of new keys.
Creates a new key.
Creates a key for an existing Android KeyStore key.
Gets information about a key.
Checks whether the key has been invalidated.
Performs Key Agreement.
Signs data with a key.