Is there some way to restrict private key visibility on Android?

Question

I am developing and application that would need to certify data created by end users.

I know that I could use KeyChain API for that, but this API has what I believe would be a flaw for our application. Since KeyChain requires user access to certificates and therefore access to private keys, our application could be accused of stealing identity and forging data. I would need some way of certifying this data with user private key without being able to 'copy' the private key or sending somewhere else.

Is there anyway I could to this?

I am now looking forward smart cards and usb tokens, but would be glad if anyone else could share experience of implementations to solve similar issues or even suggesting something.

Answer 1

The KeyChain API will not allow to copy the private key if it is implemented with a hardware key store. Unfortionally only the Google Nexus devices with Android 4.1+ implement a hardware keystore. Other vendors might also do this or might use the standard insecure software implementation.

I think there are specialized SD Cards with smart card support on them but these are not cheap and I don't know if they work on all telephones.

Also in Android 4.1+ you don't get access to the private key. You only get an object which can be used as private key in signing/decrypting/encryption but you don't get the actual key. See more details on the implementation here: http://nelenkov.blogspot.de/2012/07/jelly-bean-hardware-backed-credential.html

Answer 2

If you will return object than access and use private varables if two class in same file.

private class test_A
{
    private int num;

    private test_A getObject()
    {
        return this;
    }

}

private class test_B
{
    private void test()
    {
        test_A __object__ = new test_A().getObject();
        __object__.num = 3;
    }
}*