How older version of android before 4.0 store data like password, accesstoken securly?

Question

I am building an android application that needs to store secure data on android device which also support older version of android before 4.0. I know that android 4.0 and version after that support key chain but my application needs to support older version. So can any one help and let me know which method used in older os version of Android.

Answer 1

On Android versions previous to ICS you can use KeyStore, here is an example of storing to KeyStore:

public boolean setEntry(String alias, String secretKey) {

    boolean keyStoreEntryWritten = false;

    if (mKeystore != null && secretKey != null) {
        // store something in the key store
        SecretKeySpec sks = new SecretKeySpec(secretKey.getBytes(), "MD5");
        KeyStore.SecretKeyEntry ske = new KeyStore.SecretKeyEntry(sks);
        KeyStore.ProtectionParameter pp = new KeyStore.PasswordProtection(null);

        try {
            mKeystore.setEntry(alias, ske, pp);

            // save key store
            boolean success = saveKeyStore();

            if (success) {
                keyStoreEntryWritten = true;
            }
        } catch (KeyStoreException ex) {
            Log.e(TAG, "Failed to read keystore" + mKeyStoreName);
        }
    }
    return keyStoreEntryWritten;
}


private boolean saveKeyStore() {

    FileOutputStream fos = null;
    boolean keyStoreSaved = true;

    // generate key store path
    String keyStoreFilePath = generateKeyStoreFilePath(mKeyStoreName, mKeystoreDirectoryPath);


    try {
        fos = new FileOutputStream(keyStoreFilePath);
        mKeystore.store(fos, mKeyStorePassword.toCharArray());
    } catch (Exception ex) {
        keyStoreSaved = false;
        Log.e(TAG, "Failed to save keystore " + mKeyStoreName);
    } finally {
        if (fos != null) {
            try {
                fos.close();
            } catch (IOException ex) {
                keyStoreSaved = false;
                Log.e(TAG, "Failed to close FileOutputStream");
            }
        }
    }
    return keyStoreSaved;
}

You can find some more info here: http://developer.android.com/reference/java/security/KeyStore.html

EDIT: Here is how you retrieve a key:

public String getEntry(String alias) {

    String secretStr = null;
    byte[] secret = null;

    if (mKeystore != null) {



        try {
            if (!mKeystore.containsAlias(alias)) {
                Log.w(TAG, new StringBuilder().append("Keystore ").append(mKeyStoreName)
                        .append(" does not contain entry ").append(alias).toString());
                return null;
            }
        } catch (KeyStoreException ex) {
            Log.e(TAG, "Failed to read keystore entry " + alias);
        }

        // get my entry from the key store
        KeyStore.ProtectionParameter pp = new KeyStore.PasswordProtection(null);
        KeyStore.SecretKeyEntry ske = null;
        try {
            ske = (KeyStore.SecretKeyEntry) mKeystore.getEntry(alias, pp);
        } catch (Exception ex) {
            Log.e(TAG, "Failed to read keystore entry " + alias);
        }

        if (ske != null) {
            SecretKeySpec sks = (SecretKeySpec) ske.getSecretKey();
            secret = sks.getEncoded();

            if (secret != null) {
                secretStr = new String(secret);


            } else {
                Log.e(TAG, new StringBuilder().append("Read empty keystore entry ").append(alias).toString());
            }
        } else {
            Log.e(TAG, "Failed to read keystore entry " + alias);
        }
    }
    return secretStr;
}