
My client has an Android application requirement. The users of the application are workers who might have to work at places where internet connectivity is unavailable, so an offline login feature is necessary. At the moment, it is implemented by setting a PIN code during a user's first sign-in into the app on a device. The next time an offline login is attempted, the PIN is checked locally, a GUID is used to cross-verify the device check, and offline access is granted.

The user can use the app as normal and update any field he wants; the data is stored locally. When internet connectivity is restored, the app will send it to the server. No other check is implemented here.

Is this secure enough from a security perspective? What things can be done here to improve the security of this feature?

Anonymous Platypus

1 Answer


Instead of using a custom user sign-in, you can use the Android system API that performs in-app authentication backed by a Trusted Execution Environment (TEE). It supports both biometric and device credential authentication.

Your app's sensitive data should be cryptographically bound to the in-app authentication to ensure that even if the attacker compromises the OS, the app data cannot be decrypted. To achieve this, you can use the Android Keystore system to generate a new secret key which is kept inside the TEE. This key is a primary (master) key that encrypts one or more keys which encrypt and decrypt the app's sensitive data and auth token and are kept outside of the TEE. The TEE will not unlock the primary key until in-app user authentication is successful. See Require user authentication for key use.

Also, before providing data access, you must first decrypt and verify the auth token provided by your web service, to validate that the token is not expired and that the user is allowed offline access.


You can use Android Jetpack Library for implementation.

defalt
  • The use of the KeyStore (and therefore Jetpack's Security Library) does **not** necessarily protect the data from a compromised OS. As stated in the [Android KeyStore article](https://developer.android.com/training/articles/keystore.html#ExtractionPrevention): "If the Android OS is compromised or an attacker can read the device's internal storage, the attacker may be able to use any app's Android Keystore keys on the Android device, but not extract them from the device." –  Jul 07 '22 at 06:39
  • Yes, but the question asks for the best security practice. – defalt Jul 07 '22 at 09:47
  • There are *a lot* of posts and answers that either assume or claim that the KeyStore/EncryptedSharedPreferences/EncryptedFile protects data even when the device is rooted. I just want to explicitly state that it is not the case. Encrypting data *may* be beneficial so that data is protected even while the phone is running. However, that is not necessarily true if the phone's OS is compromised. To be clear, I am **not** against using the KeyStore to encrypt data. I just want to make it explicit *when* the KeyStore actually protects the data. –  Jul 07 '22 at 21:10
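As an added example (not code from the answer, the question or Android's own samples), here is the answer's layering in Kotlin: a TEE-backed primary key that the Keystore refuses to use until the user passes the system prompt, a data key that is persisted only wrapped by it, and an offline gate that decrypts the server-issued token and checks its expiry and offline flag. The key alias, the 30 s authentication window and the token's `exp`/`offline` claims are assumptions; persisting the wrapped key and showing the BiometricPrompt are left to the app.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import java.security.KeyStore
import java.security.SecureRandom
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.SecretKeySpec
import org.json.JSONObject
object OfflineVault {
    private const val ALIAS = "offline_master"   // hypothetical key alias
    private const val KS = "AndroidKeyStore"
    private const val GCM = "AES/GCM/NoPadding"
    // Primary key: TEE-backed, non-exportable, usable for 30 s after a biometric/credential prompt (API 30+).
    fun masterKey(): SecretKey {
        val ks = KeyStore.getInstance(KS).apply { load(null) }
        (ks.getKey(ALIAS, null) as? SecretKey)?.let { return it }
        val spec = KeyGenParameterSpec.Builder(
            ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            .setUserAuthenticationRequired(true)
            .setUserAuthenticationParameters(30,
                KeyProperties.AUTH_BIOMETRIC_STRONG or KeyProperties.AUTH_DEVICE_CREDENTIAL)
            .build()
        return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KS)
            .apply { init(spec) }.generateKey()
    }
    private fun gcm(mode: Int, key: SecretKey, iv: ByteArray? = null) = Cipher.getInstance(GCM).apply {
        if (iv == null) init(mode, key) else init(mode, key, GCMParameterSpec(128, iv))
    }
    // Data key: random AES-256 key kept outside the TEE, persisted only as (iv, wrapped).
    // Cipher.init throws UserNotAuthenticatedException if the prompt has not been passed.
    fun wrapNewDataKey(): Pair<ByteArray, ByteArray> {
        val raw = ByteArray(32).also { SecureRandom().nextBytes(it) }
        val c = gcm(Cipher.ENCRYPT_MODE, masterKey())
        return c.iv to c.doFinal(raw)
    }
    fun unwrapDataKey(iv: ByteArray, wrapped: ByteArray): SecretKey =
        SecretKeySpec(gcm(Cipher.DECRYPT_MODE, masterKey(), iv).doFinal(wrapped), "AES")
    // Offline gate: token is stored encrypted under the data key, so a bad GCM tag throws
    // before any claim is read; then check expiry and the server-issued offline flag.
    fun offlineAccessAllowed(dataKey: SecretKey, iv: ByteArray, token: ByteArray, now: Long): Boolean {
        val claims = JSONObject(String(gcm(Cipher.DECRYPT_MODE, dataKey, iv).doFinal(token), Charsets.UTF_8))
        return claims.getLong("exp") > now && claims.optBoolean("offline", false)
    }
}
```

Keep the authentication window short and the token expiry tight: as the comment above notes, a compromised OS can still use (though not extract) the Keystore key on the device once the user has authenticated, so these two bounds limit what such use yields.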