Tags: android, ios, flutter, keychain, android-keystore

Limitations of secure storage - KeyChain and KeyStore


I'm planning to use flutter_secure_storage in my app to keep some private keys and tokens. I'm looking for limitations of secure storage on both Android and iOS but I cannot find answers to some of the questions:

  1. How big is KeyChain and KeyStore storage on iOS and Android, respectively?
  2. How many keys can we store inside?
  3. How big can individual key be?
  4. What is the lifetime of the storage? Does it exist only while the app is installed? Is it persistent or ephemeral?

Thanks


Solution

  • Secure storage is like Shared Preferences/NSUserDefaults. It stores data in key-value pairs. The data is encrypted and uses a key made from a unique device key to encrypt and decrypt the data stored. The data is stored somewhere in the root directory where only the OS can access it.

    1. There are no storage limitations for secure storage (there are no space limits mentioned in any docs, but I do think that you cannot store large amounts of data that are 1Gb+).
    2. You can store an unlimited amount of keys inside
    3. Based on MKJParekh's answer, you can store up to 2147483647 characters.
    4. The data gets deleted once the app is uninstalled. (Take note that the data in secure storage can't be backed up on Android.) Take a look at this.

    Do not use secure storage for storing sensitive private keys and tokens. You didn't specify what private keys and tokens you're going to store in secure storage. You might be storing your database credentials or something that another user shouldn't obtain. Although data being stored in secure storage is encrypted, it isn't entirely secure. Users can root/jailbreak their devices, which gives them full control of the OS. There are tools that can intercept keys as they are provided and use them to decrypt the data. The only way to prevent that is to never give the keys to the user. You should store them on a server that you can control. Firebase Cloud Functions, AWS EC2, or your own VPS are examples of such servers.

    When to use Secure Storage
    Use secure storage to store data that should be encrypted and hidden from the user. That data should only be the user's sensitive data, such as their API keys, and not your server's private keys.
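Added example (Dart, written for this page; not code from the question, the answer, or the flutter_secure_storage project) showing how the answer's advice looks in practice: the wrapper stores only a single short-lived user session token, caps the size of what it will write, and treats an unreadable entry (after reinstall, restore or key reset) as "logged out" instead of crashing. The key name, the 4 KiB cap and the class name are assumptions for the example; it assumes the package's `AndroidOptions`/`IOSOptions` constructor parameters as they exist in the 5.x-9.x releases, so check them against your installed version.

```dart
import 'dart:convert';
import 'package:flutter/services.dart' show PlatformException;
import 'package:flutter_secure_storage/flutter_secure_storage.dart';

/// Holds exactly one user-side secret (a session/bearer token).
/// Server-side secrets (DB passwords, signing keys) never go through here;
/// they stay on infrastructure you control, as the answer recommends.
class SessionTokenStore {
  static const String _key = 'session_token'; // assumed key name
  static const int _maxBytes = 4096;          // assumed cap: a token, not a blob

  static const FlutterSecureStorage _defaultStorage = FlutterSecureStorage(
    // Android: back the store with EncryptedSharedPreferences.
    aOptions: AndroidOptions(encryptedSharedPreferences: true),
    // iOS: readable after first unlock, but tied to this device so the
    // Keychain item is not migrated to another device by backup/restore.
    iOptions: IOSOptions(
      accessibility: KeychainAccessibility.first_unlock_this_device,
    ),
  );

  final FlutterSecureStorage _storage;
  SessionTokenStore([FlutterSecureStorage? storage])
      : _storage = storage ?? _defaultStorage;

  /// Refuses anything larger than a token-sized value: secure storage is
  /// for small secrets, not for bulk data.
  Future<void> save(String token) async {
    final size = utf8.encode(token).length;
    if (size > _maxBytes) {
      throw ArgumentError('refusing to store $size bytes in secure storage');
    }
    await _storage.write(key: _key, value: token);
  }

  /// Returns null when there is no token, or when the stored value can no
  /// longer be decrypted (e.g. after a restore that dropped the device key);
  /// the stale entry is removed so the user is simply asked to log in again.
  Future<String?> read() async {
    try {
      return await _storage.read(key: _key);
    } on PlatformException {
      await _storage.delete(key: _key);
      return null;
    }
  }

  /// Call on logout so the token does not outlive the session.
  Future<void> clear() => _storage.delete(key: _key);
}
```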