Using Secure Storage Manager

Secure Storage Manager 1.0

Overview

Secure Storage Manager (SSM) securely stores data provided by an originating app and delivers data only to an authenticated instance of a specified target app. After acquiring data, the target app gains ownership of the data. SSM ensures that data is delivered to the target app only after the authenticity of the app accessing the data is verified with its package name and signature.

Data items are structured as name/value pairs, and each pair is uniquely identified by the originating app name and data-item name when made available to a target app. Ownership of the data, including the ability to change or delete, starts with the originating app and transitions to the target app once the data is delivered.

An originating app must instruct SSM to store data either in a persistent or non-persistent manner. Persistent data stored under SSM remains available after an Enterprise Reset is performed; a Factory Reset erases all device data.

Configure an app to use SSM

To configure an app to use Secure Storage Manager (SSM), insert the appropriate line(s) in the client app’s manifest file (based on Java/Kotlin):

Insert / update / delete data:

<uses-permission android:name="com.zebra.securestoragemanager.securecontentprovider.PERMISSION.WRITE"/>

Query data:

<uses-permission android:name="com.zebra.securestoragemanager.securecontentprovider.PERMISSION.READ"/>

Query provider for apps targeting API Level 30 and above:

<queries>
    <provider android:authorities="com.zebra.securestoragemanager.securecontentprovider"/>
</queries>

Retrieve data using SSM by declaring the content URI of the SSM Content Provider:

private String AUTHORITY = "content://com.zebra.securestoragemanager.securecontentprovider/data";

See Sample Code for complete context.


Receiving Encrypted Data to SSM

If SSM receives encrypted data from an originating app , it decrypts the incoming data and saves it in SSM-encrypted format in the SSM database. The procedure to encrypt data to be stored in SSM is provided below. When the data is retrieved, SSM removes the SSM encryption and delivers the data according to the data output form required by the target app.

To encrypt data, use AES Secret Key:

  1. Create an AES secret key:

    private SecretKey getRandomKey(String algorithmType) 
    {
    
    
    SecureRandom rand = new SecureRandom();
    KeyGenerator generator;
    try {
        generator = KeyGenerator.getInstance(algorithmType);
        generator.init(128, rand);
        mSecretKey = generator.generateKey();
        Log.d(TAG, "mSecretKey = "+ mSecretKey);
        return mSecretKey;
    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
    }
    return null;
    
    }
  2. Encrypt data using the secret key created in Step 1.

  3. Encrypt the secret key using SSM public key (Base64 String):

    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwE1qxpfNZVGq3wfPp3AqSeSpCPi3NUC1cCBuh5nkPvC3TfYHiozsy3gBYyUoYWIoAYlgypehqLIQfdHTrLpsVbS1BW6mnv76WvYwmaGrGfHzi50ETA8bFDwkrboG3jcHnvDJPH904BdU5eMrsq1o+BDmTmF/OAm1rJPohb8mukWh+o6OW6iNhO28IDRb26pKuTu6sckHn8I1I51bl44qaxq55A4wVR4mHEZL0EK/q2hY0Iqcak2dA8w8N0nJrWzbIbp5FeT/WyGO2pure7UxKEZfE5pkewPfcHSGp+0sbdCMaw6KrDpC5jusry4PjFw92sS/Huywv6/pv7WVPmwIDAQAB
    
  4. Insert the encrypted secret key and data into the SSM database. Specify the data input and output form to detect the encrypted data:

    values.put("data_input_form”, "2"); // plaintext=1, encrypted=2 
    values.put("data_output_form", "1"); // plaintext=1, encrypted=2
    values.put("data_input_encrypted_key","Encrypted Secret Key");
    values.put("data_value", inputData);
    

See Also