Project Phase 6: Security Reccomendations #10
Description
Group 4
Project Phase 6: Security Recommendations
a. The security recommendation we chose was, The Keystore is used to store sensitive data, such as user credentials or cryptographic keys. Our security recommendations is to implement an Android KeyStore for secured storage on sensitive data. We chose this recommendation because the hardware-backed KeyStore provides a very strong security for storing keys in a Trusted Execution Environment (TEE). This makes the TEE unavailable even on rooted devices.
b. This recommendation benefits end-users and developers both. End-users’ sensitive data like user information are protected even from compromised devices. Developers have to deal with less liability issues and comply with security standards which would improve users’ faith in the app and its developers.
c. This recommendation can be found at the Android developers security page: Android Keystore system | Security | Android Developers
d. This recommendation should be implemented immediately or as soon as possible due to how severe this vulnerability is. This recommendation should definitely be implemented before the full release of the application so that no user data can be leaked and to protect the application from any security breaches.
e. This app processes and stores user-sensitive data like the game statistics and saves user data like their name and age. Without this secured key management, encryption keys are compromised which leads to unauthorized access and data theft.
f. The way can implement this recommendation is to first integrate the KeyStore in our app by using a KeyStore API and have hardware-backed KeyStore available. We can also add a confirmation flow like fingerprint authentication for more sensitive cryptographic operations associated with the keys. Regularly validating the key by using Key Attestation to confirm the reliability and security of hardware-backed keys would also strengthen the recommendations. This implementation is highly feasible as the Android KeyStore is well-documented and supports multiple modern devices. The implementation involves integrating the KeyStore API and enabling the security flags.