Fixes #3855-Update MASTG-KNOW-0048.md#3856
Conversation
Clarified KeyChain usage and access permissions, emphasizing secure handling of private keys and certificates. Fixes OWASP#3855
|
Thank you for your contribution! However, you are not assigned to any of the linked issues:
To contribute to this project, please:
This helps us coordinate contributions and avoid duplicate work. |
|
Thanks for raising this. I agree with the core issue. The original text mixed AndroidKeyStore, KeyChain, and file based Java KeyStore concepts.
That said, I do not think the current PR fully resolves the conceptual split yet. The revised text still risks presenting KeyChain as the general solution for protecting app sensitive data. I think we should separate the guidance more clearly. Use AndroidKeyStore for app owned cryptographic keys used to protect local data, and use KeyChain only for user selected, system wide private key and certificate credentials. This can be clarified in a note here and adding a link with @MASTG-KNOW to the corresponding article. One more thing. Since the revised text makes several specific Android API and security claims, it would be good to add links to the relevant official Android documentation while we are touching this section. Even if the previous version was under referenced, this is a good chance to cite the relevant official docs. Thank you! |
Add explanation of KeyChain vs AndroidKeyStore differences and references
Add explanation of KeyChain vs AndroidKeyStore differences and reference
|
Converting to draft until it follows the content guidelines. |
|
@cpholguera, |
|
Hi @simge-yigit , please check them out here: https://mas.owasp.org/contributing/writing-content/mastg-knowledge.instructions/ You should be able to quickly identify the issue. Otherwise let me know. Thank you! |
|
We'd appreciate if you indicate what's not according to the guidelines and fix one thing at a time (one commit per fix). This will help us better review your PR and for you to familiarize yourself with the project. Thank you! |
|
Thank you for your recommendation. When I reviewed the documentation again, I noticed that I had included some content with a test-guide nature on the knowledge page. Therefore, I first removed those sections and then carried out a general revision of the document in order to explain the KeyChain concept in a more comprehensive way. The reason I did not make such an extensive revision at the beginning was that the first version of the text had already been accepted as a PR. At that stage, I treated it as a template and continued following the same structure. However, according to the knowledge documentation standards, I later reviewed the content again and adjusted it to make it more appropriate. I did not go into detail about the difference between Android Keystore and KeyChain because I believe the current text explains KeyChain sufficiently. I would appreciate your feedback on this point. |
|
Hi @simge-yigit , I've assigned @TheDauntless to review this and the other PR you opened. He'll soon give you feedback, thank you! |
|
Hi @TheDauntless, I hope you're doing well. I just wanted to kindly follow up regarding the review of this PR whenever you have time. Looking forward to your feedback. Thank you |
Clarified KeyChain usage and access permissions, emphasizing secure handling of private keys and certificates. Fixes #3855
This PR closes #3855
Description
This fixes the three issues flagged in #3855:
-Dropped the store() section — it doesn't apply to AndroidKeyStore, so it was just creating confusion.
-The old claim that "every application can access KeyChain" was misleading. Clarified that apps actually need user consent through choosePrivateKeyAlias(), and that private keys are never handed over as raw material.
-Narrowed the whole document to KeyChain specifically — swapped out AndroidKeyStore checks for KeyChain-native verification steps, and added getSecurityLevel() (API 31+) next to the now-deprecated isInsideSecureHardware().
AI Tool Disclosure
Check exactly one option.
If AI tools were used to generate or substantially modify code or text, complete the following.
For first-time contributors using AI tools.
Undisclosed use of AI tools will result in the PR being closed. Large rewrites or bulk changes generated by AI require explicit prior approval from the maintainers. Learn more in "Use of AI tools in contributions".
Contributor Checklist
Relevant documentation.
Contributors are expected to understand basic git and GitHub workflows, including forks, branches, commits, and pull requests. The project does not provide training. Pull requests that do not meet these minimum requirements may be closed without review.