Block.one is committed to supporting a wider range of security solutions for applications built on EOSIO. Sensitive data requires secure methods for storage and retrieval, and for a thriving blockchain application ecosystem, safeguarding private keys is essential. Our latest software release aims to address the security of private keys on Android devices.
We previously released software development kits (SDKs) for Swift and Java that support the rapid development of EOSIO blockchain applications on mobile platforms. This alpha release of our Android Keystore Signature Provider builds upon our EOSIO SDK for Java, allowing developers to engineer a hardware-backed keystore into mobile applications on Android operating systems. If a hardware option is unavailable, the keys will fall back to a secure software container environment.
Tools that Improve Private Key Management
In the past, we introduced the concept of signature providers as a guide for the development community at large to adopt better security practices for private keys. These plugins demonstrate how it is possible to limit vulnerabilities by signing transactions without exposing private keys. Ultimately, with the right implementation and tooling, developers can improve the experience of users by avoiding unnecessary handling of private keys.
The Android Keystore plugin allows developers to store cryptographic keys in a secure container on the device, making them more difficult to extract. Once keys are in the Keystore, they can be used to sign transactions without exposing them to external applications.
The intention is that, once the keys are stored inside an Android device that supports the hardware-backed keystore, no one can see the private key except the secured hardware, not even the user. This hardware solution should offer superior security compared with alternatives like computer backups, password managers, or even a piece of paper.
This plugin for Android Keystore is similar to the support we released in the past for Apple’s Secure Enclave, in that it allows developers to store private keys on the device and the plugin manages keys and transaction signing. This measure, coupled with in-device biometric authentication, provides a simple, more secure option for private key management.
Providing a more streamlined method for users to sign transactions without exposing their private keys will improve user experience and security, helping to accelerate the adoption of blockchain applications. Follow the instructions in the Android Keystore Signature Provider plugin repository to learn how to extract and convert public keys from Android Keystore using the EOSIO SDK for Java library.
In order to better serve a growing community of EOSIO blockchain developers, Block.one is committed to creating an open forum for community feedback. If you would like to offer input and work more closely with our team to improve EOSIO for developers, you can send our developer relations team an email at firstname.lastname@example.org.
Important Note: All material is provided subject to this important notice and you must familiarize yourself with its terms. The notice contains important information, limitations and restrictions relating to our software, publications, trademarks, third-party resources and forward-looking statements. By accessing any of our material, you accept and agree to the terms of the notice.