Enable StrongBox by default on Android with a fallback

Author: westracer

flutter_secure_storage/CHANGELOG.md

@@ -1,3 +1,9 @@
+## Fork
+
+* Enabled StrongBox by default, use fallback if it's not available.
+* [Android] Allow to force StrongBox with a flag (onlyAllowStrongBox)
+* [Android] Method to check if an Android device supports Strongbox
+
 ## 10.0.0
 This major release brings significant security improvements, platform updates, and modernization across all supported platforms.
 

flutter_secure_storage/android/src/main/java/com/it_nomads/fluttersecurestorage/FlutterSecureStorage.java

@@ -1145,7 +1145,7 @@ private SharedPreferences initializeEncryptedSharedPreferencesManager(Context co
                                 .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                                 .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                                 .setKeySize(256).build())
-                .build();
+                .build(config.getOnlyAllowStrongBox());
         return EncryptedSharedPreferences.create(
                 context,
                 config.getSharedPreferencesName(),

flutter_secure_storage/android/src/main/java/com/it_nomads/fluttersecurestorage/FlutterSecureStorageConfig.java

@@ -12,6 +12,7 @@ public class FlutterSecureStorageConfig {
     private static final Boolean DEFAULT_MIGRATE_ON_ALGORITHM_CHANGE = true;
     private static final Boolean DEFAULT_ENCRYPTED_SHARED_PREFERENCES = false;
     private static final Boolean DEFAULT_ENFORCE_BIOMETRICS = false;
+    private static final Boolean DEFAULT_ONLY_ALLOW_STRONGBOX = false;
     private static final String DEFAULT_BIOMETRIC_PROMPT_TITLE = "Authenticate to access";
     private static final String DEFAULT_BIOMETRIC_PROMPT_SUBTITLE = "Use biometrics or device credentials";
     private static final String DEFAULT_STORAGE_CIPHER_ALGORITHM = "AES_GCM_NoPadding";
@@ -23,6 +24,7 @@ public class FlutterSecureStorageConfig {
     public static final String PREF_OPTION_MIGRATE_ON_ALGORITHM_CHANGE = "migrateOnAlgorithmChange";
     public static final String PREF_OPTION_ENCRYPTED_SHARED_PREFERENCES = "encryptedSharedPreferences";
     public static final String PREF_OPTION_ENFORCE_BIOMETRICS = "enforceBiometrics";
+    public static final String PREF_OPTION_ONLY_ALLOW_STRONGBOX = "onlyAllowStrongBox";
     public static final String PREF_OPTION_BIOMETRIC_PROMPT_TITLE = "prefOptionBiometricPromptTitle";
     public static final String PREF_OPTION_BIOMETRIC_PROMPT_SUBTITLE = "prefOptionBiometricPromptSubtitle";
     public static final String PREF_OPTION_STORAGE_CIPHER_ALGORITHM = "storageCipherAlgorithm";
@@ -34,6 +36,7 @@ public class FlutterSecureStorageConfig {
     private final boolean migrateOnAlgorithmChange;
     private final boolean useEncryptedSharedPreferences;
     private final boolean enforceBiometrics;
+    private final boolean onlyAllowStrongBox;
     private final String biometricPromptTitle;
     private final String biometricPromptSubtitle;
     private final String keyCipherAlgorithm;
@@ -46,6 +49,7 @@ public FlutterSecureStorageConfig(Map<String, Object> options) {
         this.migrateOnAlgorithmChange = getBooleanOption(options, PREF_OPTION_MIGRATE_ON_ALGORITHM_CHANGE, DEFAULT_MIGRATE_ON_ALGORITHM_CHANGE);
         this.useEncryptedSharedPreferences = getBooleanOption(options, PREF_OPTION_ENCRYPTED_SHARED_PREFERENCES, DEFAULT_ENCRYPTED_SHARED_PREFERENCES);
         this.enforceBiometrics = getBooleanOption(options, PREF_OPTION_ENFORCE_BIOMETRICS, DEFAULT_ENFORCE_BIOMETRICS);
+        this.onlyAllowStrongBox = getBooleanOption(options, PREF_OPTION_ONLY_ALLOW_STRONGBOX, DEFAULT_ONLY_ALLOW_STRONGBOX);
         this.biometricPromptTitle = getStringOption(options, PREF_OPTION_BIOMETRIC_PROMPT_TITLE, DEFAULT_BIOMETRIC_PROMPT_TITLE);
         this.biometricPromptSubtitle = getStringOption(options, PREF_OPTION_BIOMETRIC_PROMPT_SUBTITLE, DEFAULT_BIOMETRIC_PROMPT_SUBTITLE);
         this.storageCipherAlgorithm = getStringOption(options, PREF_OPTION_STORAGE_CIPHER_ALGORITHM, DEFAULT_STORAGE_CIPHER_ALGORITHM);
@@ -80,6 +84,7 @@ private boolean getBooleanOption(Map<String, Object> options, String key, boolea
 
     public boolean isUseEncryptedSharedPreferences() { return useEncryptedSharedPreferences; }
     public boolean getEnforceBiometrics() { return enforceBiometrics; }
+    public boolean getOnlyAllowStrongBox() { return onlyAllowStrongBox; }
 
     public String getBiometricPromptTitle() { return biometricPromptTitle; }
     public String getPrefOptionBiometricPromptSubtitle() { return biometricPromptSubtitle; }
@@ -95,6 +100,7 @@ public String toString() {
                 ", deleteOnFailure=" + deleteOnFailure +
                 ", migrateOnAlgorithmChange=" + migrateOnAlgorithmChange +
                 ", enforceBiometrics=" + enforceBiometrics +
+                ", onlyAllowStrongBox=" + onlyAllowStrongBox +
                 '}';
     }
 }

flutter_secure_storage/android/src/main/java/com/it_nomads/fluttersecurestorage/FlutterSecureStoragePlugin.java

@@ -1,6 +1,7 @@
 package com.it_nomads.fluttersecurestorage;
 
 import android.content.Context;
+import android.content.pm.PackageManager;
 import android.os.Handler;
 import android.os.HandlerThread;
 import android.os.Looper;
@@ -26,10 +27,12 @@ public class FlutterSecureStoragePlugin implements MethodCallHandler, FlutterPlu
     private FlutterSecureStorage secureStorage;
     private HandlerThread workerThread;
     private Handler workerThreadHandler;
+    private boolean isStrongBoxAvailable;
 
     public void initInstance(BinaryMessenger messenger, Context context) {
         try {
             secureStorage = new FlutterSecureStorage(context);
+            isStrongBoxAvailable = context.getApplicationContext().getPackageManager().hasSystemFeature(PackageManager.FEATURE_STRONGBOX_KEYSTORE);
 
             workerThread = new HandlerThread("com.it_nomads.fluttersecurestorage.worker");
             workerThread.start();
@@ -180,6 +183,10 @@ public void onSuccess(Void unused) {
                                 result.success(available);
                                 break;
                             }
+                            case "isStrongBoxSupported": {
+                                result.success(isStrongBoxAvailable);
+                                break;
+                            }
                             case "isDeviceSecure": {
                                 boolean secure = secureStorage.isDeviceSecure();
                                 result.success(secure);

flutter_secure_storage/android/src/main/java/com/it_nomads/fluttersecurestorage/ciphers/KeyCipherImplementationAES23.java

@@ -138,6 +138,7 @@ public void generateSymmetricKey() throws Exception {
         // Check if device has security (PIN/biometric) configured
         boolean deviceHasSecurity = isDeviceSecure();
         boolean enforceBiometrics = config.getEnforceBiometrics();
+        boolean isStrongBoxBacked = config.getOnlyAllowStrongBox();
 
         // ENFORCEMENT MODE: Fail if enforcement enabled but no device security
         if (enforceBiometrics && !deviceHasSecurity) {
@@ -177,7 +178,7 @@ public void generateSymmetricKey() throws Exception {
             builder.setUnlockedDeviceRequired(true);
 
             // Only enable StrongBox if it's available
-            if (isStrongBoxAvailable()) {
+            if (isStrongBoxBacked && isStrongBoxAvailable()) {
                 builder.setIsStrongBoxBacked(true);
                 Log.d(TAG, "StrongBox is available and enabled for biometric key");
             } else {

flutter_secure_storage/android/src/main/java/com/it_nomads/fluttersecurestorage/ciphers/KeyCipherImplementationRSA18.java

@@ -5,6 +5,9 @@
 import android.os.Build;
 import android.security.keystore.KeyGenParameterSpec;
 import android.security.keystore.KeyProperties;
+import android.security.keystore.StrongBoxUnavailableException;
+
+import androidx.annotation.RequiresApi;
 
 import com.it_nomads.fluttersecurestorage.FlutterSecureStorageConfig;
 
@@ -137,26 +140,38 @@ private void setLocale(Locale locale) {
         context.createConfigurationContext(config);
     }
 
+    private AlgorithmParameterSpec getSpec(boolean isStrongBoxBacked) {
+        Calendar start = Calendar.getInstance();
+        Calendar end = Calendar.getInstance();
+        end.add(Calendar.YEAR, 25);
+        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) {
+            return makeAlgorithmParameterSpecLegacy(context, start, end);
+        }
+
+        return makeAlgorithmParameterSpec(context, start, end, isStrongBoxBacked);
+    }
+
+    @RequiresApi(api = Build.VERSION_CODES.P)
     private void createKeys(Context context) throws Exception {
         final Locale localeBeforeFakingEnglishLocale = Locale.getDefault();
         try {
             setLocale(Locale.ENGLISH);
-            Calendar start = Calendar.getInstance();
-            Calendar end = Calendar.getInstance();
-            end.add(Calendar.YEAR, 25);
 
             KeyPairGenerator kpGenerator = KeyPairGenerator.getInstance(TYPE_RSA, KEYSTORE_PROVIDER_ANDROID);
 
             AlgorithmParameterSpec spec;
 
-            if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) {
-                spec = makeAlgorithmParameterSpecLegacy(context, start, end);
-            } else {
-                spec = makeAlgorithmParameterSpec(context, start, end);
-            }
+            try {
+                spec = getSpec(true);
+
+                kpGenerator.initialize(spec);
+                kpGenerator.generateKeyPair();
+            } catch (StrongBoxUnavailableException e) {
+                spec = getSpec(false);
 
-            kpGenerator.initialize(spec);
-            kpGenerator.generateKeyPair();
+                kpGenerator.initialize(spec);
+                kpGenerator.generateKeyPair();
+            }
         } finally {
             setLocale(localeBeforeFakingEnglishLocale);
         }
@@ -174,7 +189,8 @@ private AlgorithmParameterSpec makeAlgorithmParameterSpecLegacy(Context context,
                 .build();
     }
 
-    protected AlgorithmParameterSpec makeAlgorithmParameterSpec(Context context, Calendar start, Calendar end) {
+    @RequiresApi(api = Build.VERSION_CODES.M)
+    protected AlgorithmParameterSpec makeAlgorithmParameterSpec(Context context, Calendar start, Calendar end, boolean isStrongBoxBacked) {
         final KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder(keyAlias, KeyProperties.PURPOSE_DECRYPT | KeyProperties.PURPOSE_ENCRYPT)
                 .setCertificateSubject(new X500Principal("CN=" + keyAlias))
                 .setDigests(KeyProperties.DIGEST_SHA256)
@@ -183,6 +199,9 @@ protected AlgorithmParameterSpec makeAlgorithmParameterSpec(Context context, Cal
                 .setCertificateSerialNumber(BigInteger.valueOf(1))
                 .setCertificateNotBefore(start.getTime())
                 .setCertificateNotAfter(end.getTime());
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P && isStrongBoxBacked) {
+            builder.setIsStrongBoxBacked(true);
+        }
         return builder.build();
     }
 }

flutter_secure_storage/android/src/main/java/com/it_nomads/fluttersecurestorage/ciphers/KeyCipherImplementationRSAOAEP.java

@@ -32,7 +32,7 @@ protected String createKeyAlias() {
 
     @RequiresApi(api = Build.VERSION_CODES.M)
     @Override
-    protected AlgorithmParameterSpec makeAlgorithmParameterSpec(Context context, Calendar start, Calendar end) {
+    protected AlgorithmParameterSpec makeAlgorithmParameterSpec(Context context, Calendar start, Calendar end, boolean isStrongBoxBacked) {
         final KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder(keyAlias, KeyProperties.PURPOSE_DECRYPT | KeyProperties.PURPOSE_ENCRYPT)
                 .setCertificateSubject(new X500Principal("CN=" + keyAlias))
                 .setDigests(KeyProperties.DIGEST_SHA256)
@@ -41,6 +41,9 @@ protected AlgorithmParameterSpec makeAlgorithmParameterSpec(Context context, Cal
                 .setCertificateSerialNumber(BigInteger.valueOf(1))
                 .setCertificateNotBefore(start.getTime())
                 .setCertificateNotAfter(end.getTime());
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P && isStrongBoxBacked) {
+            builder.setIsStrongBoxBacked(true);
+        }
         return builder.build();
     }
 

flutter_secure_storage/android/src/main/java/com/it_nomads/fluttersecurestorage/crypto/MasterKey.java

@@ -264,8 +264,8 @@ public Builder setKeyGenParameterSpec(@NonNull KeyGenParameterSpec keyGenParamet
          * @return The master key.
          */
         @NonNull
-        public MasterKey build() throws GeneralSecurityException, IOException {
-            return Api23Impl.build(this);
+        public MasterKey build(boolean isStrongBoxBacked) throws GeneralSecurityException, IOException {
+            return Api23Impl.build(this, isStrongBoxBacked);
         }
 
         static class Api23Impl {
@@ -277,7 +277,7 @@ static String getKeystoreAlias(KeyGenParameterSpec keyGenParameterSpec) {
                 return keyGenParameterSpec.getKeystoreAlias();
             }
             @SuppressWarnings("deprecation")
-            static MasterKey build(Builder builder) throws GeneralSecurityException, IOException {
+            static MasterKey build(Builder builder, boolean isStrongBoxBacked) throws GeneralSecurityException, IOException {
                 if (builder.mKeyScheme == null && builder.mKeyGenParameterSpec == null) {
                     throw new IllegalArgumentException("build() called before "
                             + "setKeyGenParameterSpec or setKeyScheme.");
@@ -289,6 +289,9 @@ static MasterKey build(Builder builder) throws GeneralSecurityException, IOExcep
                             .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                             .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                             .setKeySize(DEFAULT_AES_GCM_MASTER_KEY_SIZE);
+                    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P && isStrongBoxBacked) {
+                        keyGenBuilder.setIsStrongBoxBacked(true);
+                    }
                     if (builder.mAuthenticationRequired) {
                         keyGenBuilder.setUserAuthenticationRequired(true);
                         if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {

flutter_secure_storage/lib/flutter_secure_storage.dart

@@ -344,6 +344,19 @@ class FlutterSecureStorage {
     });
   }
 
+  /// [aOptions] optional Android options
+  Future<bool> isStrongBoxSupported({
+    AndroidOptions? aOptions,
+  }) async {
+    if (defaultTargetPlatform == TargetPlatform.android) {
+      return _platform.isStrongBoxSupported(
+        options: aOptions?.params ?? this.aOptions.params,
+      );
+    } else {
+      throw UnsupportedError(_unsupportedPlatform);
+    }
+  }
+
   /// Select correct options based on current platform
   Map<String, String> _selectOptions(
     AppleOptions? iOptions,

flutter_secure_storage/lib/options/android_options.dart

@@ -51,6 +51,7 @@ class AndroidOptions extends Options {
     bool resetOnError = true,
     bool migrateOnAlgorithmChange = true,
     bool enforceBiometrics = false,
+    bool onlyAllowStrongBox = false,
     KeyCipherAlgorithm keyCipherAlgorithm =
         KeyCipherAlgorithm.RSA_ECB_OAEPwithSHA_256andMGF1Padding,
     StorageCipherAlgorithm storageCipherAlgorithm =
@@ -63,6 +64,7 @@ class AndroidOptions extends Options {
         _resetOnError = resetOnError,
         _migrateOnAlgorithmChange = migrateOnAlgorithmChange,
         _enforceBiometrics = enforceBiometrics,
+        _onlyAllowStrongBox = onlyAllowStrongBox,
         _keyCipherAlgorithm = keyCipherAlgorithm,
         _storageCipherAlgorithm = storageCipherAlgorithm;
 
@@ -83,6 +85,7 @@ class AndroidOptions extends Options {
     bool resetOnError = true,
     bool migrateOnAlgorithmChange = true,
     bool enforceBiometrics = false,
+    bool onlyAllowStrongBox = false,
     this.sharedPreferencesName,
     this.preferencesKeyPrefix,
     this.biometricPromptTitle,
@@ -91,6 +94,7 @@ class AndroidOptions extends Options {
         _resetOnError = resetOnError,
         _migrateOnAlgorithmChange = migrateOnAlgorithmChange,
         _enforceBiometrics = enforceBiometrics,
+        _onlyAllowStrongBox = onlyAllowStrongBox,
         _keyCipherAlgorithm = KeyCipherAlgorithm.AES_GCM_NoPadding,
         _storageCipherAlgorithm = StorageCipherAlgorithm.AES_GCM_NoPadding;
 
@@ -128,6 +132,13 @@ class AndroidOptions extends Options {
   /// Defaults to false.
   final bool _enforceBiometrics;
 
+  /// If true, only allow keys to be stored in StrongBox backed keymaster.
+  /// This option is only available on API 28 and greater.
+  /// If set to true some phones might not work.
+  /// Defaults to false.
+  /// https://developer.android.com/training/articles/keystore#HardwareSecurityModule
+  final bool _onlyAllowStrongBox;
+
   /// Algorithm used to encrypt the secret key.
   /// By default RSA/ECB/OAEPWithSHA-256AndMGF1Padding is used (API 23+).
   /// Legacy RSA/ECB/PKCS1Padding is available for backwards compatibility.
@@ -171,6 +182,7 @@ class AndroidOptions extends Options {
         'resetOnError': '$_resetOnError',
         'migrateOnAlgorithmChange': '$_migrateOnAlgorithmChange',
         'enforceBiometrics': '$_enforceBiometrics',
+        'onlyAllowStrongBox': '$_onlyAllowStrongBox',
         'keyCipherAlgorithm': _keyCipherAlgorithm.name,
         'storageCipherAlgorithm': _storageCipherAlgorithm.name,
         'sharedPreferencesName': sharedPreferencesName ?? '',
@@ -187,6 +199,7 @@ class AndroidOptions extends Options {
     bool? resetOnError,
     bool? migrateOnAlgorithmChange,
     bool? enforceBiometrics,
+    bool? onlyAllowStrongBox,
     KeyCipherAlgorithm? keyCipherAlgorithm,
     StorageCipherAlgorithm? storageCipherAlgorithm,
     String? preferencesKeyPrefix,
@@ -203,6 +216,7 @@ class AndroidOptions extends Options {
         migrateOnAlgorithmChange:
             migrateOnAlgorithmChange ?? _migrateOnAlgorithmChange,
         enforceBiometrics: enforceBiometrics ?? _enforceBiometrics,
+        onlyAllowStrongBox: onlyAllowStrongBox ?? _onlyAllowStrongBox,
         keyCipherAlgorithm: keyCipherAlgorithm ?? _keyCipherAlgorithm,
         storageCipherAlgorithm:
             storageCipherAlgorithm ?? _storageCipherAlgorithm,