Encryption / KeyStore Failure Fallbacks [Community Feedback Requested] #2971

Open
tylerjroach opened this issue Jan 13, 2025 · 1 comment
Labels
feature-request Request a new feature

tylerjroach commented Jan 13, 2025

Describe the feature request

Amplify Android has received reports of crashes during EncryptedSharedPreferences initialization.

Recently, we attempted a fix:

As shown in some of these crash reports, the default Android master key was reported as unusable. When we detect this, we now attempt to create a new master key for Amplify. While this fix may work in some scenarios, it has not resolved all of the issues.

Unfortunately, many of these crashes appear to be due to bugs within the Android KeyStore implementation. Some of these appear to be manufacturer-specific bugs.

For these devices, it does not appear possible to use KeyStore-based encryption. In order to prevent such crashes, we will now fall back to an In-Memory Key/Value repository.

This behavior is consistent with Amplify v1 and the AWS Android SDK. This approach will allow Amplify to function normally within an app session, however, data will not persist across device restarts (ex: Auth will need to sign in each time a new app instance is opened). This may be sufficient for this small edge case of devices that does not seem to have functioning KeyStore based encryption.

Ultimately, in order for this limited number of devices to operate normally, we would need to soften our encryption stance and allow these devices to store data (ex: Cognito auth tokens and refresh token) in plain text. This may be acceptable to some developers, as Android's application sandbox already provides its own security mechanisms: https://source.android.com/docs/security/app-sandbox.

This ticket is to request community feedback for an option to fall back to plain text key/value storage in the event that the KeyStore is unusable. This could look something like `Amplify.configure(context, allowInsecureDeviceCaching = true)` and the value would be `false` by default.


This issue was opened by a maintainer of this repository; updates will be posted here. If you are also experiencing this issue, please comment here with any relevant information so that we're aware and can prioritize accordingly.
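
The fallback order described in the issue (encrypted storage first, in-memory by default when the KeyStore is unusable, plain text only on explicit opt-in) can be sketched as follows. This is an added example, not Amplify's code: `KeyValueRepository`, `Backend`, `MapRepository` and `openRepository` are hypothetical names, the `encrypted` and `plaintext` factories stand in for the Android storage classes, and the KeyStore failure is assumed to surface as a `GeneralSecurityException`.

```kotlin
import java.security.GeneralSecurityException
import java.security.KeyStoreException
import java.util.concurrent.ConcurrentHashMap

// Hypothetical types for illustration; none of these are Amplify APIs.
interface KeyValueRepository {
    fun put(key: String, value: String?)
    fun get(key: String): String?
}

enum class Backend { ENCRYPTED, IN_MEMORY, PLAINTEXT }

// Process-lifetime storage: contents are lost when the app instance ends.
class MapRepository : KeyValueRepository {
    private val data = ConcurrentHashMap<String, String>()
    override fun put(key: String, value: String?) {
        if (value == null) data.remove(key) else data[key] = value
    }
    override fun get(key: String): String? = data[key]
}

// encrypted: stands in for KeyStore-backed storage setup, which throws on affected devices.
// plaintext: stands in for an unencrypted, app-private preferences file.
// report: lets the app record which backend was chosen, so a downgrade is never silent.
fun openRepository(
    allowInsecureDeviceCaching: Boolean = false,
    encrypted: () -> KeyValueRepository,
    plaintext: () -> KeyValueRepository,
    report: (Backend, Exception?) -> Unit = { _, _ -> }
): Pair<Backend, KeyValueRepository> =
    try {
        (Backend.ENCRYPTED to encrypted()).also { report(Backend.ENCRYPTED, null) }
    } catch (e: GeneralSecurityException) { // assumption: how the KeyStore failure surfaces
        val backend = if (allowInsecureDeviceCaching) Backend.PLAINTEXT else Backend.IN_MEMORY
        report(backend, e)
        backend to (if (backend == Backend.PLAINTEXT) plaintext() else MapRepository())
    }

fun main() {
    // Constructed failure simulating a device with an unusable KeyStore.
    val brokenKeyStore: () -> KeyValueRepository = { throw KeyStoreException("constructed failure") }
    val log: (Backend, Exception?) -> Unit = { b, e -> println("backend=$b cause=${e?.message}") }

    // Default: tokens stay in memory only and do not persist across app instances.
    val (b1, repo) = openRepository(encrypted = brokenKeyStore, plaintext = { MapRepository() }, report = log)
    repo.put("refreshToken", "constructed-token")
    println("$b1 ${repo.get("refreshToken")}")

    // Opt-in: the app explicitly accepts sandbox-only protection for stored tokens.
    val (b2, _) = openRepository(true, brokenKeyStore, { MapRepository() }, log)
    println(b2)
}
```

Reporting the selected backend gives the app a place to emit telemetry or adjust behavior, for example by shortening session lifetime when tokens are held in plain text.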
