Version: 5.0

Cryptography

Identity Vault uses operating system-provided cryptography and storage mechanisms within its implementation. No custom cryptography is contained within, ensuring that Identity Vault uses first-in-class security methods provided by iOS and Android.

Platform-specific information can be found below and may be useful for compliance documentation of your application.

iOS

iOS manages all key derivation details, such as IV and salt, for data saved in the Keychain. The Keychain uses AES-256-GCM keys and uses the Secure Enclave for secret keys.

Identity Vault uses SecAccessControlCreateWithFlags to set access control on the Keychain item for custom passcode and device security vaults.

Custom Passcode Vault

The custom passcode vault uses the kSecAttrAccessibleWhenUnlockedThisDeviceOnly global variable, which only allows access to the item when the application is in the foreground, and only on the current device (the item will not be migrated from backup or stored in iCloud). The applicationPassword flag supplies a custom application password that the Keychain incorporates when generating the data encryption key.

Device Security Vault

The device security vault uses the kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly global variable, which only allows access to the item when the application is in the foreground, only on the current device (the item will not be migrated from backup or stored in iCloud), and only when the device has a passcode set. This ensures that a system passcode or biometrics are enabled.

Depending on the DeviceSecurityType used, Identity Vault uses the biometryCurrentSet flag to tie the item to biometrics, the devicePasscode flag to tie the item to the device PIN, both flags together, or both flags combined with the or flag so that either one can be used.
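As an added illustration of the iOS behaviour described in the three sections above (example code, not Identity Vault's own source), the following Swift builds the access control objects for a device security vault and a custom passcode vault and stores an item under them; the DeviceSecurityType enum cases and the service name are assumptions.

```swift
import Foundation
import Security
import LocalAuthentication

// Hypothetical enum standing in for the vault's DeviceSecurityType options (case names assumed).
enum DeviceSecurityType { case biometrics, systemPasscode, both, either }

// Device security vault: the protection class demands a passcode on this device only; the flags decide which unlock method satisfies the ACL.
func deviceSecurityAccessControl(_ type: DeviceSecurityType) throws -> SecAccessControl {
    let flags: SecAccessControlCreateFlags
    switch type {
    case .biometrics:     flags = [.biometryCurrentSet]             // invalidated if enrolled biometrics change
    case .systemPasscode: flags = [.devicePasscode]
    case .both:           flags = [.biometryCurrentSet, .devicePasscode]       // both are required
    case .either:         flags = [.biometryCurrentSet, .or, .devicePasscode]  // either one satisfies the ACL
    }
    return try makeAccessControl(kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, flags)
}

// Custom passcode vault: the app supplies its own password via LAContext, and .applicationPassword makes the Keychain fold it into the item key.
func customPasscodeAccessControl(passcode: Data) throws -> (SecAccessControl, LAContext) {
    let context = LAContext()
    guard context.setCredential(passcode, type: .applicationPassword) else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(errSecParam))
    }
    let acl = try makeAccessControl(kSecAttrAccessibleWhenUnlockedThisDeviceOnly, [.applicationPassword])
    return (acl, context)
}

func makeAccessControl(_ protection: CFString, _ flags: SecAccessControlCreateFlags) throws -> SecAccessControl {
    var error: Unmanaged<CFError>?
    guard let acl = SecAccessControlCreateWithFlags(kCFAllocatorDefault, protection, flags, &error) else {
        throw error!.takeRetainedValue() as Error
    }
    return acl
}

// Store a secret under the ACL. Do not also set kSecAttrAccessible: the protection class already travels inside the SecAccessControl and the two attributes are mutually exclusive.
func storeSecret(_ secret: Data, account: String, acl: SecAccessControl, context: LAContext? = nil) -> OSStatus {
    let service = "com.example.vault"  // placeholder service name
    let lookup: [CFString: Any] = [kSecClass: kSecClassGenericPassword, kSecAttrService: service, kSecAttrAccount: account]
    SecItemDelete(lookup as CFDictionary)   // replace any previous item for this account
    var attrs = lookup
    attrs[kSecAttrAccessControl] = acl
    attrs[kSecValueData] = secret
    if let context = context { attrs[kSecUseAuthenticationContext] = context }
    return SecItemAdd(attrs as CFDictionary, nil)
}
```

Reading the item back later with SecItemCopyMatching triggers the biometric or passcode prompt (or requires the same LAContext carrying the application password), since the ACL is enforced by the Keychain rather than by application code.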

Android

Identity Vault uses the Keystore to protect and store cryptographic keys. If the device has secure hardware, Identity Vault will always use it.

Custom Passcode Vault

The custom passcode vault uses AES-256 encryption, with the salt and IV generated by Android’s SecureRandom class and a key derivation of one thousand iterations.

Device Security Vault

The device security vault uses AES-256 encryption as well. Android’s KeyGenerator class manages salt, IV, and iterations. This class uses SecureRandom for key derivation inputs that require random bytes, such as salt and IV.