Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarQube for IDE
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarQube Cloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube Server

Java static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your JAVA code

Authorizing non-authenticated users to use keys in the Android KeyStore is security-sensitive

consistency - conventional

security

Security Hotspot

Android KeyStore is a secure container for storing key materials, in particular it prevents key materials extraction, i.e. when the application process is compromised, the attacker cannot extract keys but may still be able to use them. It’s possible to enable an Android security feature, user authentication, to restrict usage of keys to only authenticated users. The lock screen has to be unlocked with defined credentials (pattern/PIN/password, biometric).

Ask Yourself Whether

The application requires prohibiting the use of keys in case of compromise of the application process.
The key material is used in the context of a highly sensitive application like a e-banking mobile app.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

It’s recommended to enable user authentication (by setting setUserAuthenticationRequired to true during key generation) to use keys for a limited duration of time (by setting appropriate values to setUserAuthenticationValidityDurationSeconds), after which the user must re-authenticate.

Sensitive Code Example

Any user can use the key:

KeyGenerator keyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");

KeyGenParameterSpec builder = new KeyGenParameterSpec.Builder("test_secret_key_noncompliant", KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT) // Noncompliant
    .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
    .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
    .build();

keyGenerator.init(builder);

Compliant Solution

The use of the key is limited to authenticated users (for a duration of time defined to 60 seconds):

KeyGenerator keyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");

KeyGenParameterSpec builder = new KeyGenParameterSpec.Builder("test_secret_key", KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
    .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
    .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
    .setUserAuthenticationRequired(true)
    .setUserAuthenticationParameters (60, KeyProperties.AUTH_DEVICE_CREDENTIAL)
    .build();

keyGenerator.init(builder)

See

OWASP - Top 10 2021 Category A4 - Insecure Design
OWASP - Mobile AppSec Verification Standard - Authentication and Session Management Requirements
OWASP - Mobile Top 10 2016 Category M4 - Insecure Authentication
OWASP - Mobile Top 10 2024 Category M3 - Insecure Authentication/Authorization
OWASP - Mobile Top 10 2024 Category M10 - Insufficient Cryptography
CWE - CWE-522 - Insufficiently Protected Credentials
developer.android.com - Android keystore system
developer.android.com - Require user authentication for key use

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

Available Since
9.2

Analyze code in your
on-premise CI

Developer Edition
Available Since
9.2

In-IDE

SaaS

Self-Hosted