Require user authentication for SecureStore on Android?

#1

With iOS, it’s possible to set the keychainAccess option to something like Expo.SecureStore.WHEN_PASSCODE_SET_THIS_DEVICE_ONLY, which improves security for sensitive items by guaranteeing that items in the store can only be accessed when the device has a passcode set. However, it doesn’t seem like there’s a similar option in SecureStore for Android. Native Android does have a mechanism for only allowing a key in the keystore to be accessed when the user has authenticated via passcode/pattern/etc. (docs) – is there a way that I’m missing to configure SecureStore to use this, or is this a feature you’d consider adding in a future release to provide parity with iOS?

0 Likes

#2

From the docs:
https://docs.expo.io/versions/latest/sdk/securestore

Android: Values are stored in SharedPreferences, encrypted with Android’s Keystore system.

If you would like an Android equivalent added to keychainAccessible, then opening a Canny will be the best approach. https://expo.canny.io/feature-requests

AFAIK there is no timeline for adding this to Expo.

0 Likes

#3

Right – and Android’s Keystore allows apps to specify authorized uses of their key (i.e. only when the user has unlocked the device) but I couldn’t find anything in the docs about how to use that restriction on Android (only for the iOS equivalent).

Makes sense, I just wanted to make sure I wasn’t missing anything in the docs, or that adding an equivalent security control on Android wasn’t already considered and rejected for some reason.

1 Like
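The native Android mechanism referred to in posts #1 and #3, sketched in Kotlin as an added example (not code from this thread or from Expo's SecureStore): a Keystore key that can only be used shortly after the user has authenticated with the device credential. The alias `example_auth_bound_key` and the 30-second window are assumptions, and the code needs API level 23 or later.

```kotlin
import android.app.KeyguardManager
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import android.security.keystore.UserNotAuthenticatedException
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

private const val KEY_ALIAS = "example_auth_bound_key" // hypothetical alias
private const val AUTH_VALIDITY_SECONDS = 30           // assumed window after authentication

/** Creates an AES-GCM key that is usable only shortly after the user authenticated. */
fun createAuthBoundKey(context: Context): SecretKey {
    val keyguard = context.getSystemService(KeyguardManager::class.java)
    // Key generation fails without a secure lock screen, so check first.
    check(keyguard.isDeviceSecure) { "No PIN, pattern or password is set on this device" }
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS,
        KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setUserAuthenticationRequired(true)
        // Deprecated from API 30 in favour of setUserAuthenticationParameters().
        .setUserAuthenticationValidityDurationSeconds(AUTH_VALIDITY_SECONDS)
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }
        .generateKey()
}

sealed class KeyUse {
    data class Ready(val cipher: Cipher) : KeyUse()
    object NeedsAuthentication : KeyUse() // prompt for the device credential, then retry
    object KeyInvalidated : KeyUse()      // lock screen removed or reset; old ciphertext is lost
}

/** Tries to use the key; the Keystore refuses unless the user authenticated recently. */
fun encryptCipher(): KeyUse {
    val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    val key = keyStore.getKey(KEY_ALIAS, null) as SecretKey
    return try {
        KeyUse.Ready(Cipher.getInstance("AES/GCM/NoPadding").apply { init(Cipher.ENCRYPT_MODE, key) })
    } catch (e: KeyPermanentlyInvalidatedException) {
        KeyUse.KeyInvalidated
    } catch (e: UserNotAuthenticatedException) {
        KeyUse.NeedsAuthentication
    }
}
```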

#4

Cool! I appreciate your consideration for duplicate posts 💙😍 please link the canny if you happen to make it so other devs can find it and upvote 😁

0 Likes

#5

Submitted to canny: https://expo.canny.io/feature-requests/p/support-requiring-user-authentication-for-securestore-on-android

0 Likes
