Remove onlyAllowStrongBox

Author: westracer

flutter_secure_storage/CHANGELOG.md

@@ -1,7 +1,6 @@
 ## Fork
 
 * Enabled StrongBox by default, use fallback if it's not available.
-* [Android] Allow to force StrongBox with a flag (onlyAllowStrongBox)
 * [Android] Method to check if an Android device supports Strongbox
 
 ## 10.0.0

flutter_secure_storage/android/src/main/java/com/it_nomads/fluttersecurestorage/FlutterSecureStorage.java

@@ -1145,7 +1145,8 @@ private SharedPreferences initializeEncryptedSharedPreferencesManager(Context co
                                 .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                                 .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                                 .setKeySize(256).build())
-                .build(config.getOnlyAllowStrongBox());
+                .setRequestStrongBoxBacked(true)
+                .build();
         return EncryptedSharedPreferences.create(
                 context,
                 config.getSharedPreferencesName(),

flutter_secure_storage/android/src/main/java/com/it_nomads/fluttersecurestorage/FlutterSecureStorageConfig.java

@@ -12,7 +12,6 @@ public class FlutterSecureStorageConfig {
     private static final Boolean DEFAULT_MIGRATE_ON_ALGORITHM_CHANGE = true;
     private static final Boolean DEFAULT_ENCRYPTED_SHARED_PREFERENCES = false;
     private static final Boolean DEFAULT_ENFORCE_BIOMETRICS = false;
-    private static final Boolean DEFAULT_ONLY_ALLOW_STRONGBOX = false;
     private static final String DEFAULT_BIOMETRIC_PROMPT_TITLE = "Authenticate to access";
     private static final String DEFAULT_BIOMETRIC_PROMPT_SUBTITLE = "Use biometrics or device credentials";
     private static final String DEFAULT_STORAGE_CIPHER_ALGORITHM = "AES_GCM_NoPadding";
@@ -24,7 +23,6 @@ public class FlutterSecureStorageConfig {
     public static final String PREF_OPTION_MIGRATE_ON_ALGORITHM_CHANGE = "migrateOnAlgorithmChange";
     public static final String PREF_OPTION_ENCRYPTED_SHARED_PREFERENCES = "encryptedSharedPreferences";
     public static final String PREF_OPTION_ENFORCE_BIOMETRICS = "enforceBiometrics";
-    public static final String PREF_OPTION_ONLY_ALLOW_STRONGBOX = "onlyAllowStrongBox";
     public static final String PREF_OPTION_BIOMETRIC_PROMPT_TITLE = "prefOptionBiometricPromptTitle";
     public static final String PREF_OPTION_BIOMETRIC_PROMPT_SUBTITLE = "prefOptionBiometricPromptSubtitle";
     public static final String PREF_OPTION_STORAGE_CIPHER_ALGORITHM = "storageCipherAlgorithm";
@@ -36,7 +34,6 @@ public class FlutterSecureStorageConfig {
     private final boolean migrateOnAlgorithmChange;
     private final boolean useEncryptedSharedPreferences;
     private final boolean enforceBiometrics;
-    private final boolean onlyAllowStrongBox;
     private final String biometricPromptTitle;
     private final String biometricPromptSubtitle;
     private final String keyCipherAlgorithm;
@@ -49,7 +46,6 @@ public FlutterSecureStorageConfig(Map<String, Object> options) {
         this.migrateOnAlgorithmChange = getBooleanOption(options, PREF_OPTION_MIGRATE_ON_ALGORITHM_CHANGE, DEFAULT_MIGRATE_ON_ALGORITHM_CHANGE);
         this.useEncryptedSharedPreferences = getBooleanOption(options, PREF_OPTION_ENCRYPTED_SHARED_PREFERENCES, DEFAULT_ENCRYPTED_SHARED_PREFERENCES);
         this.enforceBiometrics = getBooleanOption(options, PREF_OPTION_ENFORCE_BIOMETRICS, DEFAULT_ENFORCE_BIOMETRICS);
-        this.onlyAllowStrongBox = getBooleanOption(options, PREF_OPTION_ONLY_ALLOW_STRONGBOX, DEFAULT_ONLY_ALLOW_STRONGBOX);
         this.biometricPromptTitle = getStringOption(options, PREF_OPTION_BIOMETRIC_PROMPT_TITLE, DEFAULT_BIOMETRIC_PROMPT_TITLE);
         this.biometricPromptSubtitle = getStringOption(options, PREF_OPTION_BIOMETRIC_PROMPT_SUBTITLE, DEFAULT_BIOMETRIC_PROMPT_SUBTITLE);
         this.storageCipherAlgorithm = getStringOption(options, PREF_OPTION_STORAGE_CIPHER_ALGORITHM, DEFAULT_STORAGE_CIPHER_ALGORITHM);
@@ -84,7 +80,6 @@ private boolean getBooleanOption(Map<String, Object> options, String key, boolea
 
     public boolean isUseEncryptedSharedPreferences() { return useEncryptedSharedPreferences; }
     public boolean getEnforceBiometrics() { return enforceBiometrics; }
-    public boolean getOnlyAllowStrongBox() { return onlyAllowStrongBox; }
 
     public String getBiometricPromptTitle() { return biometricPromptTitle; }
     public String getPrefOptionBiometricPromptSubtitle() { return biometricPromptSubtitle; }
@@ -100,7 +95,6 @@ public String toString() {
                 ", deleteOnFailure=" + deleteOnFailure +
                 ", migrateOnAlgorithmChange=" + migrateOnAlgorithmChange +
                 ", enforceBiometrics=" + enforceBiometrics +
-                ", onlyAllowStrongBox=" + onlyAllowStrongBox +
                 '}';
     }
 }

flutter_secure_storage/android/src/main/java/com/it_nomads/fluttersecurestorage/ciphers/KeyCipherImplementationAES23.java

@@ -138,7 +138,6 @@ public void generateSymmetricKey() throws Exception {
         // Check if device has security (PIN/biometric) configured
         boolean deviceHasSecurity = isDeviceSecure();
         boolean enforceBiometrics = config.getEnforceBiometrics();
-        boolean isStrongBoxBacked = config.getOnlyAllowStrongBox();
 
         // ENFORCEMENT MODE: Fail if enforcement enabled but no device security
         if (enforceBiometrics && !deviceHasSecurity) {
@@ -178,7 +177,7 @@ public void generateSymmetricKey() throws Exception {
             builder.setUnlockedDeviceRequired(true);
 
             // Only enable StrongBox if it's available
-            if (isStrongBoxBacked && isStrongBoxAvailable()) {
+            if (isStrongBoxAvailable()) {
                 builder.setIsStrongBoxBacked(true);
                 Log.d(TAG, "StrongBox is available and enabled for biometric key");
             } else {

flutter_secure_storage/android/src/main/java/com/it_nomads/fluttersecurestorage/crypto/MasterKey.java

@@ -264,8 +264,8 @@ public Builder setKeyGenParameterSpec(@NonNull KeyGenParameterSpec keyGenParamet
          * @return The master key.
          */
         @NonNull
-        public MasterKey build(boolean isStrongBoxBacked) throws GeneralSecurityException, IOException {
-            return Api23Impl.build(this, isStrongBoxBacked);
+        public MasterKey build() throws GeneralSecurityException, IOException {
+            return Api23Impl.build(this);
         }
 
         static class Api23Impl {
@@ -277,7 +277,7 @@ static String getKeystoreAlias(KeyGenParameterSpec keyGenParameterSpec) {
                 return keyGenParameterSpec.getKeystoreAlias();
             }
             @SuppressWarnings("deprecation")
-            static MasterKey build(Builder builder, boolean isStrongBoxBacked) throws GeneralSecurityException, IOException {
+            static MasterKey build(Builder builder) throws GeneralSecurityException, IOException {
                 if (builder.mKeyScheme == null && builder.mKeyGenParameterSpec == null) {
                     throw new IllegalArgumentException("build() called before "
                             + "setKeyGenParameterSpec or setKeyScheme.");
@@ -289,9 +289,6 @@ static MasterKey build(Builder builder, boolean isStrongBoxBacked) throws Genera
                             .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                             .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                             .setKeySize(DEFAULT_AES_GCM_MASTER_KEY_SIZE);
-                    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P && isStrongBoxBacked) {
-                        keyGenBuilder.setIsStrongBoxBacked(true);
-                    }
                     if (builder.mAuthenticationRequired) {
                         keyGenBuilder.setUserAuthenticationRequired(true);
                         if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {

flutter_secure_storage/lib/options/android_options.dart

@@ -51,7 +51,6 @@ class AndroidOptions extends Options {
     bool resetOnError = true,
     bool migrateOnAlgorithmChange = true,
     bool enforceBiometrics = false,
-    bool onlyAllowStrongBox = false,
     KeyCipherAlgorithm keyCipherAlgorithm =
         KeyCipherAlgorithm.RSA_ECB_OAEPwithSHA_256andMGF1Padding,
     StorageCipherAlgorithm storageCipherAlgorithm =
@@ -64,7 +63,6 @@ class AndroidOptions extends Options {
         _resetOnError = resetOnError,
         _migrateOnAlgorithmChange = migrateOnAlgorithmChange,
         _enforceBiometrics = enforceBiometrics,
-        _onlyAllowStrongBox = onlyAllowStrongBox,
         _keyCipherAlgorithm = keyCipherAlgorithm,
         _storageCipherAlgorithm = storageCipherAlgorithm;
 
@@ -85,7 +83,6 @@ class AndroidOptions extends Options {
     bool resetOnError = true,
     bool migrateOnAlgorithmChange = true,
     bool enforceBiometrics = false,
-    bool onlyAllowStrongBox = false,
     this.sharedPreferencesName,
     this.preferencesKeyPrefix,
     this.biometricPromptTitle,
@@ -94,7 +91,6 @@ class AndroidOptions extends Options {
         _resetOnError = resetOnError,
         _migrateOnAlgorithmChange = migrateOnAlgorithmChange,
         _enforceBiometrics = enforceBiometrics,
-        _onlyAllowStrongBox = onlyAllowStrongBox,
         _keyCipherAlgorithm = KeyCipherAlgorithm.AES_GCM_NoPadding,
         _storageCipherAlgorithm = StorageCipherAlgorithm.AES_GCM_NoPadding;
 
@@ -132,13 +128,6 @@ class AndroidOptions extends Options {
   /// Defaults to false.
   final bool _enforceBiometrics;
 
-  /// If true, only allow keys to be stored in StrongBox backed keymaster.
-  /// This option is only available on API 28 and greater.
-  /// If set to true some phones might not work.
-  /// Defaults to false.
-  /// https://developer.android.com/training/articles/keystore#HardwareSecurityModule
-  final bool _onlyAllowStrongBox;
-
   /// Algorithm used to encrypt the secret key.
   /// By default RSA/ECB/OAEPWithSHA-256AndMGF1Padding is used (API 23+).
   /// Legacy RSA/ECB/PKCS1Padding is available for backwards compatibility.
@@ -182,7 +171,6 @@ class AndroidOptions extends Options {
         'resetOnError': '$_resetOnError',
         'migrateOnAlgorithmChange': '$_migrateOnAlgorithmChange',
         'enforceBiometrics': '$_enforceBiometrics',
-        'onlyAllowStrongBox': '$_onlyAllowStrongBox',
         'keyCipherAlgorithm': _keyCipherAlgorithm.name,
         'storageCipherAlgorithm': _storageCipherAlgorithm.name,
         'sharedPreferencesName': sharedPreferencesName ?? '',
@@ -199,7 +187,6 @@ class AndroidOptions extends Options {
     bool? resetOnError,
     bool? migrateOnAlgorithmChange,
     bool? enforceBiometrics,
-    bool? onlyAllowStrongBox,
     KeyCipherAlgorithm? keyCipherAlgorithm,
     StorageCipherAlgorithm? storageCipherAlgorithm,
     String? preferencesKeyPrefix,
@@ -216,7 +203,6 @@ class AndroidOptions extends Options {
         migrateOnAlgorithmChange:
             migrateOnAlgorithmChange ?? _migrateOnAlgorithmChange,
         enforceBiometrics: enforceBiometrics ?? _enforceBiometrics,
-        onlyAllowStrongBox: onlyAllowStrongBox ?? _onlyAllowStrongBox,
         keyCipherAlgorithm: keyCipherAlgorithm ?? _keyCipherAlgorithm,
         storageCipherAlgorithm:
             storageCipherAlgorithm ?? _storageCipherAlgorithm,