6

I studied this paper - http://www.cs.kun.nl/~erikpoll/publications/AndroidSecureStorage.pdf - which states that if an attacker has root access to the device, it's easy to use keystore keys with another (hacker's) application. Is it still the case?

I am wondering whether I should use the Android keystore or BKS if I will use a user-entered password and I need maximum security.

Mykolas777

1 Answer

1

An application with root access has full control over the system and can do whatever it wants to do because it can override all (DAC type *) security restrictions. So the short answer is "yes".

(*) A root user confined via SELinux (MAC) might be prevented from doing certain things, but that really depends on the situation. Better not to rely on this.

Jens