Hard-coded encryption key on Android

95 views

Skip to first unread message

Jinyoung Hur

unread,

Oct 29, 2021, 2:14:57 PM10/29/21

to Chromium-dev

Hi,

I've noticed that on Android, login data is encrypted via a hard-coded key. [1]

According to Chrome Security FAQ [2], it seems that in other major platforms, Chromium generates and stores an encrption key using OS's user storage.

I'm curious if we have a plan for improving the hard-coded key on Android using platforms's secure storage, like Android keystore system. [3]

Or, has there been any security decision like, a hard-coded key is safe enough especially on Android platform because login data is stored in app local storage?

Thanks in advance!

[1] https://source.chromium.org/chromium/chromium/src/+/main:components/os_crypt/os_crypt_posix.cc;l=44-45;drc=c497cafe09858c478aa9daa3061e345f0683e61d

[2] https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/security/faq.md#does-the-password-manager-store-my-passwords-encrypted-on-disk

[3] https://developer.android.com/training/articles/keystore#java

[4] https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/security/faq.md#why-arent-physically_local-attacks-in-chromes-threat-model