I am developing and application that would need to certify data created by end users.
I know that I could use KeyChain API for that, but this API has what I believe would be a flaw for our application. Since KeyChain requires user access to certificates and therefore access to private keys, our application could be accused of stealing identity and forging data. I would need some way of certifying this data with user private key without being able to 'copy' the private key or sending somewhere else.
Is there anyway I could to this?
I am now looking forward smart cards and usb tokens, but would be glad if anyone else could share experience of implementations to solve similar issues or even suggesting something.
The KeyChain API will not allow to copy the private key if it is implemented with a hardware key store. Unfortionally only the Google Nexus devices with Android 4.1+ implement a hardware keystore. Other vendors might also do this or might use the standard insecure software implementation.
I think there are specialized SD Cards with smart card support on them but these are not cheap and I don't know if they work on all telephones.
Also in Android 4.1+ you don't get access to the private key. You only get an object which can be used as private key in signing/decrypting/encryption but you don't get the actual key. See more details on the implementation here: http://nelenkov.blogspot.de/2012/07/jelly-bean-hardware-backed-credential.html