3. ANDROID KEYSTORE QUICK INTRO
• PROTECTS KEYS WITH HARDWARE
• IMPLEMENTED USING TEE OR HARDWARE (TITAN CHIP ON PIXELS)
• KEYS ARE NOT EXPORTABLE
• INTEGRATES WITH LOCK SCREEN AND BIOMETRICS
• KEYS MIGHT REQUIRE AUTHENTICATION TO USE
• PROVIDES KEY ATTESTATION
• VERIFIABLE INFO ABOUT DEVICE THAT GENERATED KEY
6. BRIEF SPECS
• ONLY SYMMETRIC KEYS ARE SUPPORTED (AES)
• LOCAL KEYS ARE WRAPPED USING AES-GCM PLATFORM KEY
• KEYSTORE SNAPSHOTS ENCRYPTED WITH CLOUD PUBLIC KEY AND KEY BASED ON PIN
• AKA: ‘LOCK SCREEN KNOWLEDGE FACTOR’ (LSKF)
• ONLY SYSTEM APPS CAN GENERATE AND RESTORE RECOVERABLE KEYS
• REQUIRES RECOVER_KEYSTORE (SYSTEM|PRIVILEGED) PERMISSION
• KEYS ARE BACKED UP TO GOOGLE CLOUD KEY VAULT SERVICE (CKV)
• https://developer.android.com/about/versions/pie/security/ckv-whitepaper
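
The local wrapping step from the specs above (an application key encrypted under an AES-GCM platform key), as an added example that is not code from the slides or from the Android framework. The class name, blob layout (nonce first) and the in-memory stand-in for the platform key are assumptions made for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class WrapDemo {
    static final int NONCE_LEN = 12, TAG_BITS = 128;

    // Returns nonce || ciphertext || tag (assumed layout). A fresh random nonce
    // per wrap is mandatory: reusing one under the same platform key breaks GCM.
    static byte[] wrap(SecretKey platformKey, SecretKey appKey) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_LEN];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, platformKey, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = c.doFinal(appKey.getEncoded());
        byte[] blob = Arrays.copyOf(nonce, NONCE_LEN + ct.length);
        System.arraycopy(ct, 0, blob, NONCE_LEN, ct.length);
        return blob;
    }

    // Fails with a GeneralSecurityException if the blob was modified or the key is wrong.
    static SecretKey unwrap(SecretKey platformKey, byte[] blob) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, platformKey, new GCMParameterSpec(TAG_BITS, blob, 0, NONCE_LEN));
        byte[] raw = c.doFinal(blob, NONCE_LEN, blob.length - NONCE_LEN);
        return new SecretKeySpec(raw, "AES");
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey platformKey = kg.generateKey(); // constructed stand-in for the platform key
        SecretKey appKey = kg.generateKey();      // constructed stand-in for a recoverable key

        byte[] blob = wrap(platformKey, appKey);
        boolean same = Arrays.equals(appKey.getEncoded(), unwrap(platformKey, blob).getEncoded());
        System.out.println("round trip ok: " + same);

        blob[blob.length - 1] ^= 0x01; // simulate modification of the stored blob
        try {
            unwrap(platformKey, blob);
            System.out.println("tampered blob accepted");
        } catch (GeneralSecurityException e) {
            System.out.println("tampered blob rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Because GCM is authenticated, a wrapped key altered at rest is rejected on unwrap instead of yielding a different key.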
11. USERS OF RECOVERABLE KEYSTORE
• CURRENTLY ONLY GOOGLE PLAY SERVICE (GMS)
• HAS RECOVER_KEYSTORE PERMISSION
• CAN KICK OFF KEYSTORE SNAPSHOT AND RECOVERY
• GMS.AUTH.FOLSOM.START_RECOVERY
• ACTION.RECOVERABLE_KEYSTORE_SNAPSHOT
• PACKAGE COM.GOOGLE.ANDROID.GMS.AUTH.FOLSOM/*
• FOLSOMGCMTASKCHIMERASERVICE
• FOLSOMPUBLICKEYUPDATESERVICE
• FOLSOMMODULEINITINTENTOPERATION
• KEYSYNCINTENTOPERATION
• KEYRECOVERYINTENTOPERATION
12. SUMMARY
• ANDROID 9-10 HAVE RECOVERABLE KEYSTORE PROTECTED BY LOCKSCREEN PIN
• CAN BE MIGRATED TO NEW DEVICE
• LINKED TO GOOGLE ACCOUNT
• ONLY SYMMETRIC KEYS SUPPORTED ATM
• GOOGLE PLAY SERVICES ACTS AS A RECOVERY AGENT
• RECOVERABLE KEY ALLOWS SECURE RECOVERY OF ARBITRARY DATA
• FULL DEVICE BACKUP, ETC.