Conversation

iOS and Android both support apps opting into keeping their data at rest while locked after first unlock. iOS makes this easier via dedicated data classes. However, you would be very wrong if you assumed that meant this was better in the iOS ecosystem than the Android ecosystem.

Replying to

I believe you are talking about Keyguard-bound keys in android. They don't seem to be equivalent to data class keys in iOS. Keyguard-bound keys are enforced by the OS and it remains in memory to encrypt incoming data while decrypt only when the screen is unlocked.

Replying to

and

This is because TEE has no way to know when the screen is locked. This doesn't prevent post-AFU attacks because if the OS is compromised, so will be the key.

Replying to

and

For per-app data at rest protection, Google recommends to opt system API in-app authentication (biometric or lock screen credential) together with "Require user authentication for key use" as explained here:

security.stackexchange.com

What are the security best practices to implement offline login of android apps?

My client has an android application requirement. The users of the application are workers who might have to work at places where internet connectivity is unavailable. So an offline login feature is

Daniel Micay

@DanielMicay

Replying to

@co_apprentice

It's better to use the more modern feature for making a hardware keystore key only available when unlocked rather than requiring user authentication. Molly uses StrongBox HSM when available and sets up the key this way by requiring unlocking. Integrates it with their passphase.

9:26 PM · May 28, 2022Twitter Web App