Require user authentication for SecureStore on Android?

With iOS, it’s possible to set the keychainAccess option to something like Expo.SecureStore.WHEN_PASSCODE_SET_THIS_DEVICE_ONLY, which improves security for sensitive items by guaranteeing that items in the store can only be accessed when the device has a passcode set. However, it doesn’t seem like there’s a similar option in SecureStore for Android. Native Android does have a mechanism for only allowing a key in the keystore to be accessed when the user has authenticated via passcode/pattern/etc. (docs) – is there a way that I’m missing to configure SecureStore to use this, or is this a feature you’d consider adding in a future release to provide parity with iOS?

From the docs:

Android: Values are stored in SharedPreferences, encrypted with Android’s Keystore system.

If you would like an Android equivalent added to keychainAccessible then opening a canny will be the best approach.

AFAIK there is no timeline for adding this to Expo.

Right – and Android’s Keystore allows apps to specify authorized uses of their key (i.e. only when the user has unlocked the device) but I couldn’t find anything in the docs about how to use that restriction on Android (only for the iOS equivalent).

Makes sense, I just wanted to make sure I wasn’t missing anything in the docs, or that adding an equivalent security control on Android wasn’t already considered and rejected for some reason.

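For reference, this is roughly what the native Android Keystore restriction discussed above looks like outside Expo. It is an added example, not part of the original thread and not Expo's SecureStore code; the key alias and function names are hypothetical, and it assumes API 23+.

```kotlin
import android.app.KeyguardManager
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.security.keystore.UserNotAuthenticatedException
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

private const val KEY_ALIAS = "example_auth_bound_key" // hypothetical alias

// Create (once) an AES key that the Keystore only lets the app use after the user
// has authenticated with the lock-screen credential within `validitySeconds`.
fun getOrCreateAuthBoundKey(context: Context, validitySeconds: Int = 30): SecretKey {
    val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    (keyStore.getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }

    // Without a PIN/pattern/password there is nothing to authenticate against,
    // so check up front instead of failing inside key generation.
    val keyguard = context.getSystemService(KeyguardManager::class.java)
    check(keyguard.isDeviceSecure) { "No secure lock screen set; refusing to create key" }

    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setUserAuthenticationRequired(true) // the restriction discussed in this thread
        // Deprecated since API 30 in favour of setUserAuthenticationParameters().
        .setUserAuthenticationValidityDurationSeconds(validitySeconds)
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }
        .generateKey()
}

// Returns (IV, ciphertext), or null when the user has to authenticate first.
fun encryptOrNull(context: Context, plaintext: ByteArray): Pair<ByteArray, ByteArray>? =
    try {
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.ENCRYPT_MODE, getOrCreateAuthBoundKey(context))
        cipher.iv to cipher.doFinal(plaintext)
    } catch (e: UserNotAuthenticatedException) {
        null // caller should prompt for the device credential, then retry
    }
```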

Cool! I appreciate your consideration for duplicate posts 💙😍 Please link the canny if you happen to make it so other devs can find it and upvote 😁

Submitted to canny:
