Secure data storage
- Updated on 23 Oct 2024
The Secure data storage feature enables data to be encrypted with a local password to securely store it on the device and protect it from unauthorized access. When using a local password, the data is associated with information known only by the user. For more information, see Password protection.
In addition to password protection, data is also tied to the device itself. For this purpose, a key is computed based on device-specific information in the app's data storage. This key is used to encrypt sensitive data before actually storing it. If password protection is used, the password-based encryption is applied in addition to the encryption with the device-specific key.
This feature prevents sensitive data from being stored on another device and cannot be disabled.
Storing sensitive data
The information from which the device-specific key is generated is called the device fingerprint and is unique for every device. It is computed from device-unique data according to the following mechanism:
Fingerprint = Left(SHA-256(device unique data), 16)
Device-specific key = PBKDF2(SHA-256, fingerprint, salt, iteration number, 32)
The salt and the iteration number used to derive the device-specific key from the device fingerprint are hardcoded inside the app.
For more information about device-unique data, see Appendix A: Device-unique data.
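The derivation above, carried through as an added Python example (not the product's own code), with a check that a record sealed on one device does not open on another. The salt, iteration number and device-unique data are constructed placeholders, Left(..., 16) is assumed to mean the first 16 bytes of the digest, and an HMAC tag stands in for the encrypted storage.

```python
import hashlib
import hmac

# Constructed placeholders: the page says the salt and iteration number are
# hardcoded in the app but does not give them.
SALT = b"constructed-example-salt"
ITERATIONS = 10_000
KEY_LEN = 32  # last PBKDF2 argument in the page's formula


def fingerprint(device_unique_data: bytes) -> bytes:
    # Fingerprint = Left(SHA-256(device unique data), 16)
    # Assumption: Left(..., 16) keeps the first 16 bytes of the digest.
    return hashlib.sha256(device_unique_data).digest()[:16]


def device_key(device_unique_data: bytes) -> bytes:
    # Device-specific key = PBKDF2(SHA-256, fingerprint, salt, iterations, 32)
    return hashlib.pbkdf2_hmac(
        "sha256", fingerprint(device_unique_data), SALT, ITERATIONS, KEY_LEN
    )


def seal(device_unique_data: bytes, record: bytes) -> bytes:
    # Stand-in for the encrypted storage: a 32-byte HMAC-SHA-256 tag under the
    # device key, followed by the record. The product encrypts; this only
    # shows the binding to the device.
    tag = hmac.new(device_key(device_unique_data), record, hashlib.sha256).digest()
    return tag + record


def unseal(device_unique_data: bytes, sealed: bytes):
    # Returns the record if the key re-derived on this device matches, else None.
    tag, record = sealed[:32], sealed[32:]
    expected = hmac.new(device_key(device_unique_data), record, hashlib.sha256).digest()
    return record if hmac.compare_digest(tag, expected) else None


# Constructed device-unique data for two devices (real inputs: see Appendix A).
DEVICE_A = b"constructed-device-id-A"
DEVICE_B = b"constructed-device-id-B"

if __name__ == "__main__":
    stored = seal(DEVICE_A, b"sensitive record")
    print("key A:", device_key(DEVICE_A).hex())
    print("same device:", unseal(DEVICE_A, stored))
    print("copied to device B:", unseal(DEVICE_B, stored))
```

Because the salt and iteration number are fixed, the derived key is fully determined by the device-unique data, which is why the same stored blob verifies only where that data is identical.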
In Android 6.0 and later, the storage can be protected by secure hardware (e.g. Trusted Execution Environment (TEE) or Secure Element (SE)) to set up a very strong binding between the storage and the mobile device.