Bug

Status Update

No update yet.

Description

lb...@gmail.com

created issue #1

Dec 24, 2020 01:47PM

These are 2 different crashes that came when using EncryptedSharedPreferences, both reported on Crashlytics.

- Steps to reproduce the problem (including sample code if appropriate).
Use this function in code, as on the attached file, and publish to many users:

private fun getSecuredSharedPreferences(context: Context, fileName: String): SharedPreferences {
val masterKey = MasterKey.Builder(context, MasterKey.DEFAULT_MASTER_KEY_ALIAS).setKeyScheme(MasterKey.KeyScheme.AES256_GCM).build()
return EncryptedSharedPreferences.create(context, fileName, masterKey,
EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
)
}

- What happened.
Seems to cause crashes of 2 types to users (IDs: aff44438b82719712f66c0bc7fd29e47 , af9be1a07fcd872e545782917305c94c) :

Fatal Exception: java.security.GeneralSecurityException: Keystore operation failed
at androidx.security.crypto.MasterKeys.generateKey(MasterKeys.java:146)
at androidx.security.crypto.MasterKeys.getOrCreate(MasterKeys.java:97)
at androidx.security.crypto.MasterKey$Builder.buildOnM(MasterKey.java:357)
at androidx.security.crypto.MasterKey$Builder.build(MasterKey.java:314)
...
Caused by java.security.ProviderException: Keystore operation failed
at android.security.keystore.AndroidKeyStoreKeyGeneratorSpi.engineGenerateKey(AndroidKeyStoreKeyGeneratorSpi.java:372)
at javax.crypto.KeyGenerator.generateKey(KeyGenerator.java:612)
at androidx.security.crypto.MasterKeys.generateKey(MasterKeys.java:142)
at androidx.security.crypto.MasterKeys.getOrCreate(MasterKeys.java:97)
at androidx.security.crypto.MasterKey$Builder.buildOnM(MasterKey.java:357)
at androidx.security.crypto.MasterKey$Builder.build(MasterKey.java:314)

And:

Fatal Exception: java.security.KeyStoreException: the master key android-keystore://_androidx_security_master_key_ exists but is unusable
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.readOrGenerateNewMasterKey(AndroidKeysetManager.java:275)
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.build(AndroidKeysetManager.java:236)
at androidx.security.crypto.EncryptedSharedPreferences.create(EncryptedSharedPreferences.java:155)
at androidx.security.crypto.EncryptedSharedPreferences.create(EncryptedSharedPreferences.java:120)
...
Caused by java.security.UnrecoverableKeyException: Failed to obtain information about key
at android.security.keystore.AndroidKeyStoreProvider.loadAndroidKeyStoreSecretKeyFromKeystore(AndroidKeyStoreProvider.java:282)
at android.security.keystore.AndroidKeyStoreSpi.engineGetKey(AndroidKeyStoreSpi.java:98)
at java.security.KeyStore.getKey(KeyStore.java:825)
at com.google.crypto.tink.integration.android.AndroidKeystoreAesGcm.<init>(AndroidKeystoreAesGcm.java:58)
at com.google.crypto.tink.integration.android.AndroidKeystoreKmsClient.getAead(AndroidKeystoreKmsClient.java:164)
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.readOrGenerateNewMasterKey(AndroidKeysetManager.java:267)
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.build(AndroidKeysetManager.java:236)
at androidx.security.crypto.EncryptedSharedPreferences.create(EncryptedSharedPreferences.java:155)
at androidx.security.crypto.EncryptedSharedPreferences.create(EncryptedSharedPreferences.java:120)

The statistics are that:
For GeneralSecurityException:
1295 crashes affecting 4 users, Android 9-10, devices: samsung Galaxy J3(2017), HTC U11 life.
For KeyStoreException:
656 crashes affecting 24 users, Android 7-9, devices:
Vodafone:Smart N8, Smart Ultra 6
HUAWEI: P8 Lite, P9, Y6II, Mate S
Blackview:BV9000-F
samsung: Galaxy J6+, Galaxy A7 (2018).

- What you think the correct behavior should be.
Should work fine for all devices.

After checking, I think that at least for the GeneralSecurityException, it could be some custom ROM issues, because according to GMSArena, those phones didn't get these versions of Android:
This device probably didn't get Android 10:

https://www.gsmarena.com/htc_u11_life-8885.php
Same goes for this device, which is very far from getting Android 9:

https://www.gsmarena.com/samsung_galaxy_j3_(2016)-7760.php

However, The other crash has other results, which doesn't seem conclusive about whether there are custom ROMs for all cases or only for some:
This indeed has Android 7:

https://www.gsmarena.com/vodafone_smart_n8-8723.php
This doesn't have Android 7:

https://www.gsmarena.com/vodafone_smart_ultra_6-7313.php
This has Android 6:

https://www.gsmarena.com/huawei_p8lite-7201.php
This has Android 7:

https://www.gsmarena.com/huawei_p9-7972.php
This has Android 6:

https://www.gsmarena.com/huawei_y6ii_compact-8663.php
This has Android 6:

https://www.gsmarena.com/huawei_mate_s-7533.php
This has Android 6:

https://www.gsmarena.com/huawei_p8-7006.php
This comes with Android 7.1 and seems to have an official update to 8:

https://www.gizmochina.com/product/blackview-bv9000-smartphone-full-specs-and-features/
This has Android 9:

https://www.gsmarena.com/samsung_galaxy_j6+-9334.php
This has Android 9:

https://www.gsmarena.com/samsung_galaxy_a7_(2018)-9340.php

So, sadly, except from one device here, all the rest seems to have official firmware, at least based only on Android version.
So while for the first crash it most probably because of a custom ROM, on this one it's probably not.

2020-12-24_15-05-05.mp4

433 KB

Download

2020-12-24_15-04-39.mp4

184 KB

Download

SecuredSharedPreferences.kt

1.8 KB

Download

Comments

lb...@gmail.com <lb...@gmail.com> #2Dec 24, 2020 02:03PM

Library version is this one BTW:
implementation 'androidx.security:security-crypto:1.1.0-alpha03'

lb...@gmail.com <lb...@gmail.com> #3Dec 27, 2020 08:35AM

Asked this here too:

https://stackoverflow.com/q/65463893/878126

ja...@google.com <ja...@google.com> Dec 28, 2020 06:06PM

Status: New

lb...@gmail.com <lb...@gmail.com> #4Dec 29, 2020 08:36AM

After checking it further, I've noticed more and more reports, and also more possible exceptions. Here is more information about the crashes:

Crash report c3b02ee677c4a101bc9499838c6f1617 - has InvalidProtocolBufferException and KeyStoreException (that I've written above).

Crash report 3ea749818cace03c650f8fb66a1123c5 , and aff44438b82719712f66c0bc7fd29e47 - have GeneralSecurityException as I've shown above.

Crash report af9be1a07fcd872e545782917305c94c - has NullPointerException , KeyStoreException (that I've shown above) , InvalidProtocolBufferException

Attached videos of the devices and Android version statistics for each of the reports.

Since there are already at least 4 types of crashes, attached logs of each, too.

aff44438b82719712f66c0bc7fd29e47.mp4

182 KB

Download

af9be1a07fcd872e545782917305c94c.mp4

337 KB

Download

3ea749818cace03c650f8fb66a1123c5.mp4

59 KB

Download

c3b02ee677c4a101bc9499838c6f1617.mp4

182 KB

Download

GeneralSecurityException.txt

1.6 KB

View

Download

InvalidProtocolBufferException.txt

1.2 KB

View

Download

KeyStoreException.txt

2.8 KB

View

Download

NullPointerException.txt

1.9 KB

View

Download

em...@gmail.com <em...@gmail.com> #5Dec 31, 2020 08:12PM

Are there any other possible values for the last 2 parameters used to instantiate Encrypted preferences?
EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM

It seems strange to have to pass system constants into the function. It's also not consistent to use the Builder for the required MasterKey while that static create method is used for the EncryptedSharedPreferences. Can we be sure that all the varied Android manufacturers have these encryption schemes?

lb...@gmail.com <lb...@gmail.com> #6Dec 31, 2020 08:16PM

@5 I guess. I didn't try though. It's too late for those that do use the new code. I don't want to add migration upon migration...

lb...@gmail.com <lb...@gmail.com> #7Jan 7, 2021 09:32AM

Someone said that this issue might be related to having `android:allowBackup=false` , and that once it was removed, the issue was gone:

https://stackoverflow.com/a/65573699/878126

But this isn't mentioned on the docs, and there are no warnings or "throws" of exceptions for the API.

mi...@outlook.com.au <mi...@outlook.com.au> #8Feb 7, 2021 11:13PM

I'm having this issue as well with 1.0.0-rc03, and can confirm it still happens with allowBackup set to true or not specified (which should default to true).

lb...@gmail.com <lb...@gmail.com> #9Feb 7, 2021 11:19PM

@8 So setting it to true won't help, as opposed to what someone wrote (I have it set to false in the app that has this issue) ?

ch...@gmail.com <ch...@gmail.com> #10Feb 11, 2021 09:03AM

So we don't have any workaround for this?

lb...@gmail.com <lb...@gmail.com> #11Feb 11, 2021 09:15AM

@10 You can try the backup=true as someone wrote, but I don't know if it really helps.

pa...@gmail.com <pa...@gmail.com> #12Feb 19, 2021 12:45PM

I have experienced a similar issue when calling EncryptedSharedPreferences.create on a restarted emulator. Applying the fix from

https://issuetracker.google.com/issues/147480931#comment19 solved my issue. Maybe

https://issuetracker.google.com/issues/147480931 is related to this one?

pa...@ufst.dk <pa...@ufst.dk> #13Feb 19, 2021 12:59PM

My bad, it looks like the SecuredSharedPreferences.kt is already using synchronized.

lb...@gmail.com <lb...@gmail.com> #14Mar 31, 2021 07:07AM

I've got even more statistics of failed cases to get EncryptedSharedPreferences :

https://console.firebase.google.com/project/app-manager-cdf2c/crashlytics/app/android:com.lb.app_manager/issues/846d7eb2d971a19de74cc19750e0d9b9?time=last-seven-days&versions=5.47%20(447)&sessionEventKey=605FE4B802440001701E3782E6B31BFE_1522971230644774225

From Android 6 to Android 11.
56% samsung
36%Xiaomi
6%Realme
1% motorola
<1% Other (1) - OnePlus

All seem to get the InvalidProtocolBufferException exception.
See attached.

MKHYXMyz0d.mp4

8.2 MB

Download

lb...@gmail.com <lb...@gmail.com> #15Mar 31, 2021 07:09AM

Attached here the code for getting the EncryptedSharedPreferences. I thought that maybe it's related to multi-threads, but it's not.

SecuredSharedPreferences.kt

2.4 KB

Download

sa...@gmail.com <sa...@gmail.com> #16Apr 19, 2021 02:47PM

I'm facing the same issue. Is there a solution to it?

lb...@gmail.com <lb...@gmail.com> #17Apr 19, 2021 02:53PM

@16 Do you have a similar code for getting the instance of it?
I ask because maybe there is some configuration of it that won't cause it

sa...@gmail.com <sa...@gmail.com> #18Apr 19, 2021 04:44PM

@17 Below is how I'm getting the instance. For me, the error is mainly about the protobuf and KeyStore. I'm using rc-04

fun getSecuredSharedPreferences(context: Context, fileName: String): SharedPreferences {
val masterKeyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC)
return EncryptedSharedPreferences.create(
fileName,
masterKeyAlias,
context,
EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
)
}

lb...@gmail.com <lb...@gmail.com> #19Apr 19, 2021 05:15PM

@18 So it's a bit different, and you get similar crashes?

lb...@gmail.com <lb...@gmail.com> #20Apr 25, 2021 10:20PM

Today I got a Crashlytics report that has to be of my own device (Pixel 4 Android 11):

https://console.firebase.google.com/project/app-manager-cdf2c/crashlytics/app/android:com.lb.app_manager/issues/5b752e6b8f2d7f20623cdae35435d62a?time=last-seven-days&sessionEventKey=6085DF0401DB000139448585180E8E5B_1533656062477263318

Caused by com.google.crypto.tink.shaded.protobuf.InvalidProtocolBufferException: Protocol message contained an invalid tag (zero).
at com.google.crypto.tink.shaded.protobuf.GeneratedMessageLite.parsePartialFrom(GeneratedMessageLite.java:1566)
at com.google.crypto.tink.shaded.protobuf.GeneratedMessageLite.parseFrom(GeneratedMessageLite.java:1664)
at com.google.crypto.tink.proto.Keyset.parseFrom(Keyset.java:957)
at com.google.crypto.tink.integration.android.SharedPrefKeysetReader.read(SharedPrefKeysetReader.java:84)
at com.google.crypto.tink.CleartextKeysetHandle.read(CleartextKeysetHandle.java:58)
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.read(AndroidKeysetManager.java:328)
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.readOrGenerateNewKeyset(AndroidKeysetManager.java:287)
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.build(AndroidKeysetManager.java:238)
at androidx.security.crypto.EncryptedSharedPreferences.create(EncryptedSharedPreferences.java:155)
at androidx.security.crypto.EncryptedSharedPreferences.create(EncryptedSharedPreferences.java:120)
...

This means this issue can occur on any device, even on new Android versions and even on Google's own devices.

While on my spare time app (in this report) it's quite rare, on more popular apps it occurs more often.

khm35jGUJV.mp4

2.1 MB

Download

sa...@gmail.com <sa...@gmail.com> #21Apr 26, 2021 08:42AM

@19 yes, unfortunately.

lb...@gmail.com <lb...@gmail.com> #22Apr 26, 2021 08:46AM

@21 I see. On which devices and Android versions? Even on Pixel devices, right?
Also, BTW, you can use a bit newer version, but you will most probably still get this issue, sadly:

https://developer.android.com/jetpack/androidx/releases/security

https://maven.google.com/web/index.html?q=androidx.security#androidx.security:security-crypto

vi...@gmail.com <vi...@gmail.com> #23Apr 27, 2021 12:00AM

Same crash happens on a Pixel 3 XL on app start up

| +--- androidx.security:security-crypto:1.0.0
| | \--- com.google.crypto.tink:tink-android:1.5.0

Caused by: com.google.crypto.tink.shaded.protobuf.InvalidProtocolBufferException: Protocol message contained an invalid tag (zero).
at com.google.crypto.tink.shaded.protobuf.GeneratedMessageLite.parsePartialFrom(GeneratedMessageLite.java:1566)
at com.google.crypto.tink.shaded.protobuf.GeneratedMessageLite.parseFrom(GeneratedMessageLite.java:1664)
at com.google.crypto.tink.proto.Keyset.parseFrom(Keyset.java:957)
at com.google.crypto.tink.integration.android.SharedPrefKeysetReader.read(SharedPrefKeysetReader.java:84)
at com.google.crypto.tink.CleartextKeysetHandle.read(CleartextKeysetHandle.java:58)
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.read(AndroidKeysetManager.java:328)
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.readOrGenerateNewKeyset(AndroidKeysetManager.java:287)
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.build(AndroidKeysetManager.java:238)
at androidx.security.crypto.EncryptedSharedPreferences.create(EncryptedSharedPreferences.java:123)

lb...@gmail.com <lb...@gmail.com> #24Jun 27, 2021 03:11PM

Similar issue here:

https://issuetracker.google.com/issues/158234058

os...@gmail.com <os...@gmail.com> #25Jul 5, 2021 04:25PM

Could anyone resolve this issue? , the same thing happens to me with the version androidx.security:security-crypto:1.0.0

ji...@gmail.com <ji...@gmail.com> #26Jul 7, 2021 02:10AM

This issue happens to me when I have installed many apps signed with the same signature, also same sharedUserId.
If I clear the data of any one of apps, then it will affect the other apps using EncryptedSharedPreferences, it will report such crash.

lb...@gmail.com <lb...@gmail.com> #27Jul 7, 2021 06:23AM

@25 You should update it to get newer bugs and crashes
:)

os...@gmail.com <os...@gmail.com> #28Jul 16, 2021 10:57PM

@27 -> but ... 1.0.0 is the latest stable version.

so...@carerev.com <so...@carerev.com> #29Aug 2, 2021 02:50PM

Tried updating to 1.0.0. It's still happens. Is there any work around?

lb...@gmail.com <lb...@gmail.com> #30Aug 2, 2021 02:57PM

@28 @29 The bug exists whether you use the stable version or not.

os...@gmail.com <os...@gmail.com> #31Aug 4, 2021 03:26AM

@30 And is there already a solution for this problem?

"java.security.KeyStoreException: the master key android-keystore://_androidx_security_master_key_ exists but is unusable"

I have not been able to replicate it, I only see the log in firebase crashlitycs :(

ar...@gmail.com <ar...@gmail.com> #32Aug 4, 2021 07:50AM

still happens on latest version

bo...@google.com <bo...@google.com> Aug 6, 2021 12:08PM

Assigned to th...@google.com.

lb...@gmail.com <lb...@gmail.com> #33Aug 6, 2021 03:10PM

I've raised this issue on "Tink" (the main library that is used here behind the scenes, according to here:

https://issuetracker.google.com/issues/185219606#comment4 ) :

https://github.com/google/tink/issues/535

Please consider starring there too.
Maybe it's also the main reason for these crashes.

an...@gmail.com <an...@gmail.com> #34Aug 15, 2021 10:00AM

Happened with me on Android 6.0

[Deleted User] <[Deleted User]> #35Aug 23, 2021 10:22AM

Is there any progress on this?

ie...@gmail.com <ie...@gmail.com> #36Sep 1, 2021 10:04AM

Any update on this? We've been getting crash reports mainly for Android 6 and 7

lb...@gmail.com <lb...@gmail.com> #37Sep 1, 2021 10:14AM

@36 I see the various crashes it causes (there is more than one type of exception) on many more than this.
On my spare time app, Android 11 has this issue the most : 65%.

See attached.

2021-09-01_13-13-14.mp4

2.7 MB

Download

[Deleted User] <[Deleted User]> #38Sep 2, 2021 01:50PM

Hey Google, any updates on this?

ng...@bitso.com <ng...@bitso.com> #39Sep 2, 2021 06:29PM

We are experiencing this crash as well in production. Please provide an update on the investigation and ETA for a fix. Apps that are in production are experiencing this issue so I guess priority and severity should be bumped

Thanks

th...@gmail.com <th...@gmail.com> #40Sep 2, 2021 11:48PM

Someone reported [1] that when they switched to 1.1.0-alpha01 the crashes went away. Please do that and report if it works for you.

[1]

https://github.com/google/tink/issues/535#issuecomment-912127671

th...@gmail.com <th...@gmail.com> #41Sep 3, 2021 12:10AM

Re #40: I doubt that it would work, but please try and let us know what you saw.

I'll explain the root cause of the crashes on the GitHub bug.

th...@gmail.com <th...@gmail.com> #42Sep 3, 2021 01:01AM

See

https://github.com/google/tink/issues/535#issuecomment-912170221 for potential workarounds.

ng...@bitso.com <ng...@bitso.com> #43Sep 3, 2021 08:53AM

Thanks, we'll try and see if we can apply those potential workarounds and keep you posted

lb...@gmail.com <lb...@gmail.com> #44Dec 24, 2021 10:21AM

@42 Why do they talk about KeyStore ? I don't use KeyStore. I use MasterKey.Builder and EncryptedSharedPreferences.create...

Given the code I wrote on the very beginning of this post, what should I do?

mh...@gmail.com <mh...@gmail.com> #45Feb 13, 2022 02:10AM

when are you going to fix this ? it's hitting our crash-free sessions hard, and we couldn't implement a workaround

eu...@paysera.net <eu...@paysera.net> #46Feb 18, 2022 04:47AM

Comment has been deleted.

Message last modified on Feb 18, 2022 04:47AM

as...@tradingview.com <as...@tradingview.com> #47Mar 15, 2022 04:15PM

There are more and more crashes (

an...@gmail.com <an...@gmail.com> #48Mar 22, 2022 09:31AM

Comment has been deleted.

Message last modified on Mar 22, 2022 09:32AM

an...@gmail.com <an...@gmail.com> #49Mar 22, 2022 09:33AM

+1, This crash is hitting really hard on our users, do we have any plan to tackle this @google ?! 👀

yu...@gmail.com <yu...@gmail.com> #50Mar 22, 2022 09:36AM

Try backup/uninstall/restore app to reproduce this crash. I can reproduce this crash by using MIUI's internal backup/restore function.

pa...@gmail.com <pa...@gmail.com> #51Apr 7, 2022 05:49AM

+1 ...

According to

https://developer.android.com/jetpack/androidx/releases/security
androidx.security:security-crypto:1.1.0-alpha03 has been released on December 2, 2020
No update since then.

Question:
Can I kindly ask to Google employees in this thread to give us some information about the roadmap of androidx.security:security-crypto ?
When can we expect a new version (which will hopefully solve this issue)?

Thanks.

ar...@gmail.com <ar...@gmail.com> #52Apr 7, 2022 05:25PM

it...@gmail.com <it...@gmail.com> #53Apr 7, 2022 07:20PM

lb...@gmail.com <lb...@gmail.com> #54Apr 10, 2022 08:26AM

Someone wrote that a workaround for this would be to clear the file, delete the file, and lastly delete the key, using something like this when it occurs:

context.getSharedPreferences(secureSharedPreferencesFileName, Context.MODE_PRIVATE).edit().clear()
.apply()
val sharedPrefsFile =
File("${context.filesDir.parent}/shared_prefs/${secureSharedPreferencesFileName}.xml")
sharedPrefsFile.delete()
val keyStore = KeyStore.getInstance("AndroidKeyStore")
keyStore.load(null)
keyStore.deleteEntry(MasterKey.DEFAULT_MASTER_KEY_ALIAS)

Link:

https://stackoverflow.com/a/71569624/878126

I'm going to try this and see if indeed it "works" .
This would be interesting.
Sadly not a solution, but still better than nothing ( or using the normal SharedPreferences when this occurs).

lb...@gmail.com <lb...@gmail.com> #55Apr 16, 2022 03:05PM

After investigating the workaround on @54, I've concluded that:
1. On most cases it does work.
2. At least on Android 11 on a device called "rockchip H96_Max_RK3566" , it failed. My link to share it:

https://console.firebase.google.com/u/0/project/app-manager-cdf2c/crashlytics/app/android:com.lb.app_manager/issues/c3e6511ab15bff41c69272898b7d71bd?time=last-seven-days&versions=5.8%20(480)&sessionEventKey=6259593703E4000123823ED2920B1C6A_1665239190703863368
3. The exception I got when it crashed while using this workaround:

Caused by java.security.GeneralSecurityException: Keystore operation failed
at androidx.security.crypto.MasterKeys.generateKey(MasterKeys.java:146)
at androidx.security.crypto.MasterKeys.getOrCreate(MasterKeys.java:97)
at androidx.security.crypto.MasterKey$Builder.buildOnM(MasterKey.java:357)
at androidx.security.crypto.MasterKey$Builder.build(MasterKey.java:314)

It seems to crash on this line:

val masterKey = MasterKey.Builder(context, MasterKey.DEFAULT_MASTER_KEY_ALIAS)
.setKeyScheme(MasterKey.KeyScheme.AES256_GCM).build()

Still, of course, it's best that Google will fix these bugs.

th...@gmail.com <th...@gmail.com> #56May 4, 2022 12:48PM

This also happened on our app:

Caused by java.security.KeyStoreException: the master key android-keystore://_androidx_security_master_key_ exists but is unusable
       at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.readOrGenerateNewMasterKey(AndroidKeysetManager.java:275)
       at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.build(AndroidKeysetManager.java:236)
       at androidx.security.crypto.EncryptedSharedPreferences.create(EncryptedSharedPreferences.java:123)

Device info:

Device
Brand:OnePlus
Model:OnePlus 8 Pro
Orientation: Portrait
RAM free: 5.1 GB
Disk free: 178.99 GB
Operating system
Version:Android 11
Orientation: Portrait
Rooted:No

[Deleted User] <[Deleted User]> #57May 4, 2022 11:38PM

any update?

ma...@oyorooms.com <ma...@oyorooms.com> #58May 6, 2022 03:32PM

+1 Any update Google team?

da...@gmail.com <da...@gmail.com> #59May 16, 2022 07:35PM

We also run into similar issue where _androidx_security_master_key_ exists but is unusable. Any update on this bug yet?

[Deleted User] <[Deleted User]> #60Jun 16, 2022 07:05PM

Below code solved my problem. plz try & confirm

val spec = KeyGenParameterSpec.Builder(
MasterKey.DEFAULT_MASTER_KEY_ALIAS,
KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
).setBlockModes(KeyProperties.BLOCK_MODE_GCM)
.setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
.setKeySize(DEFAULT_AES_GCM_MASTER_KEY_SIZE)
.build()
masterKey = MasterKey.Builder(appContext)
.setKeyGenParameterSpec(spec)
.build()

je...@gmail.com <je...@gmail.com> #61Jun 17, 2022 12:31PM

AndroidDeveloperLB thank you for the whole thread, i was thinking of using this, i better stay away from this library.

ni...@gmail.com <ni...@gmail.com> #62Jun 20, 2022 06:48AM

I get the same error:

Caused by java.security.KeyStoreException
the master key android-keystore://_androidx_security_master_key_ exists but is unusable

an...@gmail.com <an...@gmail.com> #63Jun 21, 2022 11:33AM

i got same error with crypto lib 1.0.0
it seems to be fixed with 1.1.0-alpha03, tested on few devices and the error was not seen

lb...@gmail.com <lb...@gmail.com> #64Jun 21, 2022 11:47AM

@63 You need to test on plenty of devices, and check on Crashlytics.
When developing, it works fine...

Also what is the library you talk about? Something Google uses behind the scenes in the above library?

an...@gmail.com <an...@gmail.com> #65Jun 22, 2022 02:07AM

@64
i am referring to
api "androidx.security:security-crypto:1.1.0-alpha03"

lb...@gmail.com <lb...@gmail.com> #66Jun 22, 2022 06:48AM

@65 Oh ok. This is what I use too, and this version was out for a long time:

implementation 'androidx.security:security-crypto:1.1.0-alpha03'

I thought you are talking about something else.

In any case, if you publish it to users, eventually you will most probably see this crash via Crashlytics.
I used the workaround here on my spare time app, and it "helped" for most cases :

https://issuetracker.google.com/issues/176215143#comment55

an...@gmail.com <an...@gmail.com> #67Jun 22, 2022 11:31AM

@66
what is the work around you used ?

lb...@gmail.com <lb...@gmail.com> #68Jun 22, 2022 11:37AM

@67 I already wrote. Read on comments 54,55.

sw...@google.com <sw...@google.com> #69Aug 16, 2022 05:18PM

Question: Is the readOrGenerateNewMasterKey being called concurrently? Android Keystore is not threadsafe (Java Keystores are not threadsafe), and there's a common error in usage where developers have two threads that are both trying to use a key if it exists, or create and use it if not, and this can easily result in a thread using a key which is immediately replaced by another thread.

lb...@gmail.com <lb...@gmail.com> #70Aug 16, 2022 05:32PM

@69 On my original code it is all in "synchronized" block on the singleton that manages it all (including the function "getSecuredSharedPreferences" that I've created), so it's protected against such an issue.

Still, I see on Crashlytics those errors.

mo...@tothenew.com <mo...@tothenew.com> #71Aug 25, 2022 09:39AM

@1 we also facing the same issue for many devices.

version that we are using
androidx.security:security-crypto:1.1.0-alpha03

Caused by java.security.KeyStoreException the master key android-keystore://androidx_security_master_key exists but is unusable

mo...@tothenew.com <mo...@tothenew.com> #72Sep 6, 2022 12:24PM

Hello ALL,

Any workaround?
any update?

Fatal Exception: java.lang.ExceptionInInitializerError

Caused by java.security.KeyStoreException: the master key android-keystore://_androidx_security_master_key_ exists but is unusable
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.readOrGenerateNewMasterKey(AndroidKeysetManager.java:104)
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.a(AndroidKeysetManager.java:5)
at androidx.security.crypto.EncryptedSharedPreferences.a(EncryptedSharedPreferences.java:50)
at androidx.security.crypto.EncryptedSharedPreferences.a(EncryptedSharedPreferences.java:4)
at com.ryzmedia.tatasky.encryptedsharedPref.EncryptSharedPreferences$SharePreferencesFactory.getInstance(EncryptSharedPreferences.java:30)

lb...@gmail.com <lb...@gmail.com> #73Sep 6, 2022 12:46PM

@72 Only thing I have is the semi-workaround here:

https://issuetracker.google.com/issues/176215143#comment55

Not really good, because :
1. It resets it when an issue occurs
2. It handles most of the times it occurs, but not all.

di...@gmail.com <di...@gmail.com> #74Sep 14, 2022 06:24AM

Hello Google Folks,

Any update on the fix for the crashes that we are facing? I have used the workarounds mentioned above but a lot of our users are still facing the crash.
We need a proper fix for these issues. Are there any plans on the same?

ca...@gmail.com <ca...@gmail.com> #75Sep 14, 2022 09:29AM

Soon it will be 2 years of this bug!!!! I mean really how is this possible? I know you guys are busy but, hey 2 years is enough time to fix whatever!

mo...@tothenew.com <mo...@tothenew.com> #76Sep 15, 2022 07:52AM

What we have to do?

As our app having million of user, how can we go back from this library , how will migrate these data to normal preference.

There is no go back, we are stuck.

It was a bad day when we took decision to implement trusted (google) library.

Fatal Exception: java.lang.ExceptionInInitializerError
at com.ryzmedia.tatasky.utility.SharedPreference.keyExist(SharedPreference.java)
at com.ryzmedia.tatasky.TataSkyApp.moEngageAppUpdateStatus(TataSkyApp.java:2)
at com.ryzmedia.tatasky.TataSkyApp.lambda$startThreadForTasks$1(TataSkyApp.java)
at com.ryzmedia.tatasky.-$$Lambda$TataSkyApp$RT1F4oS5iuRCP1a30azchtbQ7t4.run(-.java:2)
at java.lang.Thread.run(Thread.java:764)

Caused by java.security.KeyStoreException: the master key android-keystore://_androidx_security_master_key_ exists but is unusable
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.readOrGenerateNewMasterKey(AndroidKeysetManager.java:

Caused by java.security.UnrecoverableKeyException: Failed to obtain information about key
at android.security.keystore.AndroidKeyStoreProvider.loadAndroidKeyStoreSecretKeyFromKeystore(AndroidKeyStoreProvider.java:286)

The problem is it never occurs on our testing devices but we got logs from Crashlytics.

we are using this version
androidx.security:security-crypto:1.1.0-alpha03

and the code
companion object SharePreferencesFactory {
private fun getInstance(file: String, context: Context, mode: Int): SharedPreferences {
val masterKey = MasterKey.Builder(context)
.setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
.build()
return EncryptedSharedPreferences.create(
context,
"$ENCRYPT_FILE_PREFIX$file",
masterKey,
EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
)
}
}

lb...@gmail.com <lb...@gmail.com> #77Sep 15, 2022 07:55AM

@76 Sometimes, jumping on a new tech is risky. If you want to leave it, you will have to either copy all that you wanted to save there into somewhere else.
Or delete the file completely and reset the app somehow, requesting users to re-login, for example. It depends on what you use it for, of course.
It's all your choice.

mo...@tothenew.com <mo...@tothenew.com> #78Sep 15, 2022 08:04AM

@77 but how we can if it is already encrypted and to migrate it we need to decrypt right? that's the problem.

And deleting the file and forcing the users to re-login that will also impact user badly, as we have many many value which are decision taken for our app in pref.

We are hoping the solution from google as soon as possible.

da...@gmail.com <da...@gmail.com> #79Sep 15, 2022 08:09AM

I've a feeling all these issues occur after the app is restored from a backup in a phone migration or following a factory reset. And this is expected to happen - has to be handled: it will not be possible to decrypt the file anymore because the master key changed.

mo...@tothenew.com <mo...@tothenew.com> #80Sep 15, 2022 08:12AM

@79 we already having android:allowBackup="false" but still this happening.
If you are sure this happened due to backup , kindly let us know what is workaround.

lb...@gmail.com <lb...@gmail.com> #81Sep 15, 2022 08:13AM

@78 Migrate away only for users that it works fine, of course.
You can't do anything for those that have issues with it.
Try to decrypt. If failed, continue resetting or whatever you want in this case. If succeeded, copy the data to wherever you need.
For both cases, after done, stop using the library for those users and delete its files
After a few months that you think you are ready to stop using the library completely, remove the dependency and delete the file for upgrading users and decide what to do in case the files exist.

mo...@tothenew.com <mo...@tothenew.com> #82Sep 15, 2022 08:20AM

@81, but still, do google is planning to fixes the issue? any expected timeline?

lb...@gmail.com <lb...@gmail.com> #83Sep 15, 2022 08:24AM

@82 I don't work in Google. I'm the original person who posted this bug, as well as on StackOverflow and Reddit:

https://stackoverflow.com/q/65463893/878126

https://www.reddit.com/r/android_devs/comments/kjgl3b/help_getting_a_weird_crash_when_using/

0l...@gmail.com <0l...@gmail.com> #84Nov 22, 2022 12:38PM

+1

Samsung Galaxy Note 10+, Android 12

implementation "androidx.security:security-crypto:1.1.0-alpha04"

@Provides
fun providesSharedPreferences(@ApplicationContext context: Context): SharedPreferences =
EncryptedSharedPreferences.create(
context,
context.getString(R.string.shared_preferences_name),
MasterKey.Builder(context).setKeyScheme(MasterKey.KeyScheme.AES256_GCM).build(),
EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
)

Caused by com.google.crypto.tink.shaded.protobuf.InvalidProtocolBufferException: Protocol message contained an invalid tag (zero).
at com.google.crypto.tink.shaded.protobuf.ArrayDecoders.decodeUnknownField(ArrayDecoders.java:1036)
at com.google.crypto.tink.shaded.protobuf.MessageSchema.parseProto3Message(MessageSchema.java:5426)
at com.google.crypto.tink.shaded.protobuf.MessageSchema.mergeFrom(MessageSchema.java:5442)
at com.google.crypto.tink.shaded.protobuf.ArrayDecoders.decodeMessageField(ArrayDecoders.java:246)
at com.google.crypto.tink.shaded.protobuf.ArrayDecoders.decodeMessageList(ArrayDecoders.java:704)
at com.google.crypto.tink.shaded.protobuf.MessageSchema.parseProto3Message(MessageSchema.java:5373)
at com.google.crypto.tink.shaded.protobuf.MessageSchema.mergeFrom(MessageSchema.java:5442)
at com.google.crypto.tink.shaded.protobuf.GeneratedMessageLite.parsePartialFrom(GeneratedMessageLite.java:1567)
at com.google.crypto.tink.shaded.protobuf.GeneratedMessageLite.parseFrom(GeneratedMessageLite.java:1680)
at com.google.crypto.tink.proto.Keyset.parseFrom(Keyset.java:958)
at com.google.crypto.tink.integration.android.SharedPrefKeysetReader.read(SharedPrefKeysetReader.java:84)
at com.google.crypto.tink.CleartextKeysetHandle.read(CleartextKeysetHandle.java:61)
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.read(AndroidKeysetManager.java:332)
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.readOrGenerateNewKeyset(AndroidKeysetManager.java:288)
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.build(AndroidKeysetManager.java:239)
at androidx.security.crypto.EncryptedSharedPreferences.create(EncryptedSharedPreferences.java:165)
at androidx.security.crypto.EncryptedSharedPreferences.create(EncryptedSharedPreferences.java:130)
...

vi...@gmail.com <vi...@gmail.com> #85Dec 13, 2022 02:52AM

Does anyone have the same issue with the 1.1.0-alpha04? It came out on November 9 2022

an...@lji.io <an...@lji.io> #86Dec 24, 2022 06:50PM

Any update about the fix, one of my app's user encountered the same crash:

Stack trace:
Fatal Exception: java.lang.RuntimeException: Unable to create application io.lji.viva.VivaApplication: java.security.KeyStoreException: the master key android-keystore://_androidx_security_master_key_ exists but is unusable
at android.app.ActivityThread.handleBindApplication(ActivityThread.java:5421)
at android.app.ActivityThread.-wrap2(ActivityThread.java)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1548)
at android.os.Handler.dispatchMessage(Handler.java:102)
at android.os.Looper.loop(Looper.java:154)
at android.app.ActivityThread.main(ActivityThread.java:6138)
at java.lang.reflect.Method.invoke(Method.java)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:893)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:783)

Caused by java.security.KeyStoreException: the master key android-keystore://_androidx_security_master_key_ exists but is unusable
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.readOrGenerateNewMasterKey(AndroidKeysetManager.java:276)
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.build(AndroidKeysetManager.java:237)
at androidx.security.crypto.EncryptedSharedPreferences.create(EncryptedSharedPreferences.java:165)
at io.lji.viva.utils.AppState.<init>(AppState.kt:542)
at io.lji.viva.utils.AppState.<init>(AppState.kt:29)
at io.lji.viva.utils.AppState$Companion.getInstance(AppState.java:515)
at io.lji.viva.viewmodels.BaseViewModel.<init>(BaseViewModel.kt:10)
at io.lji.viva.utils.RetryInterceptor.<init>(RetryInterseptor.kt:22)
at io.lji.viva.VivaApplication.onCreate(VivaApplication.kt:35)
at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1053)
at android.app.ActivityThread.handleBindApplication(ActivityThread.java:5418)
at android.app.ActivityThread.-wrap2(ActivityThread.java)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1548)
at android.os.Handler.dispatchMessage(Handler.java:102)
at android.os.Looper.loop(Looper.java:154)
at android.app.ActivityThread.main(ActivityThread.java:6138)
at java.lang.reflect.Method.invoke(Method.java)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:893)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:783)

Caused by java.security.UnrecoverableKeyException: Failed to obtain information about key
at android.security.keystore.AndroidKeyStoreProvider.loadAndroidKeyStoreSecretKeyFromKeystore(AndroidKeyStoreProvider.java:282)
at android.security.keystore.AndroidKeyStoreSpi.engineGetKey(AndroidKeyStoreSpi.java:98)
at java.security.KeyStore.getKey(KeyStore.java:825)
at com.google.crypto.tink.integration.android.AndroidKeystoreAesGcm.<init>(AndroidKeystoreAesGcm.java:58)
at com.google.crypto.tink.integration.android.AndroidKeystoreKmsClient.getAead(AndroidKeystoreKmsClient.java:174)
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.readOrGenerateNewMasterKey(AndroidKeysetManager.java:268)
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.build(AndroidKeysetManager.java:237)
at androidx.security.crypto.EncryptedSharedPreferences.create(EncryptedSharedPreferences.java:165)
at io.lji.viva.utils.AppState.<init>(AppState.kt:542)
at io.lji.viva.utils.AppState.<init>(AppState.kt:29)
at io.lji.viva.utils.AppState$Companion.getInstance(AppState.java:515)
at io.lji.viva.viewmodels.BaseViewModel.<init>(BaseViewModel.kt:10)
at io.lji.viva.utils.RetryInterceptor.<init>(RetryInterseptor.kt:22)
at io.lji.viva.VivaApplication.onCreate(VivaApplication.kt:35)
at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1053)
at android.app.ActivityThread.handleBindApplication(ActivityThread.java:5418)
at android.app.ActivityThread.-wrap2(ActivityThread.java)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1548)
at android.os.Handler.dispatchMessage(Handler.java:102)
at android.os.Looper.loop(Looper.java:154)
at android.app.ActivityThread.main(ActivityThread.java:6138)
at java.lang.reflect.Method.invoke(Method.java)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:893)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:783)

Caused by android.security.KeyStoreException: Invalid key blob
at android.security.KeyStore.getKeyStoreException(KeyStore.java:676)
at android.security.keystore.AndroidKeyStoreProvider.loadAndroidKeyStoreSecretKeyFromKeystore(AndroidKeyStoreProvider.java:283)
at android.security.keystore.AndroidKeyStoreSpi.engineGetKey(AndroidKeyStoreSpi.java:98)
at java.security.KeyStore.getKey(KeyStore.java:825)
at com.google.crypto.tink.integration.android.AndroidKeystoreAesGcm.<init>(AndroidKeystoreAesGcm.java:58)
at com.google.crypto.tink.integration.android.AndroidKeystoreKmsClient.getAead(AndroidKeystoreKmsClient.java:174)
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.readOrGenerateNewMasterKey(AndroidKeysetManager.java:268)
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.build(AndroidKeysetManager.java:237)
at androidx.security.crypto.EncryptedSharedPreferences.create(EncryptedSharedPreferences.java:165)
at io.lji.viva.utils.AppState.<init>(AppState.kt:542)
at io.lji.viva.utils.AppState.<init>(AppState.kt:29)
at io.lji.viva.utils.AppState$Companion.getInstance(AppState.java:515)
at io.lji.viva.viewmodels.BaseViewModel.<init>(BaseViewModel.kt:10)
at io.lji.viva.utils.RetryInterceptor.<init>(RetryInterseptor.kt:22)
at io.lji.viva.VivaApplication.onCreate(VivaApplication.kt:35)
at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1053)
at android.app.ActivityThread.handleBindApplication(ActivityThread.java:5418)
at android.app.ActivityThread.-wrap2(ActivityThread.java)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1548)
at android.os.Handler.dispatchMessage(Handler.java:102)
at android.os.Looper.loop(Looper.java:154)
at android.app.ActivityThread.main(ActivityThread.java:6138)
at java.lang.reflect.Method.invoke(Method.java)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:893)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:783)

awaitEvenIfOnMainThread task continuation executor1:
at java.lang.Object.wait(Object.java)
at java.lang.Thread.parkFor$(Thread.java:2127)
at sun.misc.Unsafe.park(Unsafe.java:325)
at java.util.concurrent.locks.LockSupport.park(LockSupport.java:161)
at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:2035)
at java.util.concurrent.LinkedBlockingQueue.take(LinkedBlockingQueue.java:413)
at java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1058)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1118)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
at com.google.firebase.crashlytics.internal.common.ExecutorUtils$1$1.onRun(ExecutorUtils.java:64)
at com.google.firebase.crashlytics.internal.common.BackgroundPriorityRunnable.run(BackgroundPriorityRunnable.java:27)
at java.lang.Thread.run(Thread.java:761)

Firebase-Messaging-Init:
at java.lang.Object.wait(Object.java)
at java.lang.Thread.parkFor$(Thread.java:2127)
at sun.misc.Unsafe.park(Unsafe.java:325)
at java.util.concurrent.locks.LockSupport.park(LockSupport.java:161)
at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:2035)
at java.util.concurrent.ScheduledThreadPoolExecutor$DelayedWorkQueue.take(ScheduledThreadPoolExecutor.java:1091)
at java.util.concurrent.ScheduledThreadPoolExecutor$DelayedWorkQueue.take(ScheduledThreadPoolExecutor.java:1084)
at java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1058)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1118)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
at com.google.android.gms.common.util.concurrent.zza.run(zza.java:2)
at com.google.android.gms.common.api.internal.zabm.run$bridge(com.google.android.gms:play-services-base@@18.0.1:10)
at java.lang.Thread.run(Thread.java:761)

pool-6-thread-1:
at java.lang.Object.wait(Object.java)
at java.lang.Thread.parkFor$(Thread.java:2127)
at sun.misc.Unsafe.park(Unsafe.java:325)
at java.util.concurrent.locks.LockSupport.park(LockSupport.java:161)
at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:2035)
at java.util.concurrent.LinkedBlockingQueue.take(LinkedBlockingQueue.java:413)
at java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1058)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1118)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
at java.lang.Thread.run(Thread.java:761)

ScionFrontendApi:
at java.lang.Object.wait(Object.java)
at java.lang.Thread.parkFor$(Thread.java:2127)
at sun.misc.Unsafe.park(Unsafe.java:325)
at java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java:201)
at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.awaitNanos(AbstractQueuedSynchronizer.java:2077)
at java.util.concurrent.LinkedBlockingQueue.poll(LinkedBlockingQueue.java:438)
at java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1057)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1118)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
at java.lang.Thread.run(Thread.java:761)

com.google.firebase.crashlytics.startup1:
at java.lang.Object.wait(Object.java)
at java.lang.Thread.parkFor$(Thread.java:2127)
at sun.misc.Unsafe.park(Unsafe.java:325)
at java.util.concurrent.locks.LockSupport.park(LockSupport.java:161)
at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:2035)
at java.util.concurrent.LinkedBlockingQueue.take(LinkedBlockingQueue.java:413)
at java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1058)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1118)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
at com.google.firebase.crashlytics.internal.common.ExecutorUtils$1$1.onRun(ExecutorUtils.java:64)
at com.google.firebase.crashlytics.internal.common.BackgroundPriorityRunnable.run(BackgroundPriorityRunnable.java:27)
at java.lang.Thread.run(Thread.java:761)

FinalizerDaemon:
at java.lang.Object.wait(Object.java)
at java.lang.Object.wait(Object.java:407)
at java.lang.ref.ReferenceQueue.remove(ReferenceQueue.java:188)
at java.lang.ref.ReferenceQueue.remove(ReferenceQueue.java:209)
at java.lang.Daemons$FinalizerDaemon.run(Daemons.java:204)
at java.lang.Thread.run(Thread.java:761)

pool-4-thread-1:
at java.lang.Object.wait(Object.java)
at java.lang.Thread.parkFor$(Thread.java:2127)
at sun.misc.Unsafe.park(Unsafe.java:325)
at java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java:201)
at java.util.concurrent.SynchronousQueue$TransferStack.awaitFulfill(SynchronousQueue.java:432)
at java.util.concurrent.SynchronousQueue$TransferStack.transfer(SynchronousQueue.java:333)
at java.util.concurrent.SynchronousQueue.poll(SynchronousQueue.java:908)
at java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1057)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1118)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
at java.lang.Thread.run(Thread.java:761)

Crashlytics Exception Handler1:
at dalvik.system.VMStack.getThreadStackTrace(VMStack.java)
at java.lang.Thread.getStackTrace(Thread.java:1566)
at java.lang.Thread.getAllStackTraces(Thread.java:1616)
at com.google.firebase.crashlytics.internal.common.CrashlyticsReportDataCapture.populateThreadsList(CrashlyticsReportDataCapture.java:295)
at com.google.firebase.crashlytics.internal.common.CrashlyticsReportDataCapture.populateExecutionData(CrashlyticsReportDataCapture.java:266)
at com.google.firebase.crashlytics.internal.common.CrashlyticsReportDataCapture.populateEventApplicationData(CrashlyticsReportDataCapture.java:216)
at com.google.firebase.crashlytics.internal.common.CrashlyticsReportDataCapture.captureEventData(CrashlyticsReportDataCapture.java:102)
at com.google.firebase.crashlytics.internal.common.SessionReportingCoordinator.persistEvent(SessionReportingCoordinator.java:274)
at com.google.firebase.crashlytics.internal.common.SessionReportingCoordinator.persistFatalEvent(SessionReportingCoordinator.java:127)
at com.google.firebase.crashlytics.internal.common.CrashlyticsController$2.call(CrashlyticsController.java:203)
at com.google.firebase.crashlytics.internal.common.CrashlyticsController$2.call(CrashlyticsController.java:188)
at com.google.firebase.crashlytics.internal.common.CrashlyticsBackgroundWorker$3.then(CrashlyticsBackgroundWorker.java:105)
at com.google.android.gms.tasks.zze.run(zze.java:1)
at com.google.android.gms.cloudmessaging.zzj.run$bridge(com.google.android.gms:play-services-cloud-messaging@@17.0.0:9)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
at com.google.firebase.crashlytics.internal.common.ExecutorUtils$1$1.onRun(ExecutorUtils.java:64)
at com.google.firebase.crashlytics.internal.common.BackgroundPriorityRunnable.run(BackgroundPriorityRunnable.java:27)
at java.lang.Thread.run(Thread.java:761)

ReferenceQueueDaemon:
at java.lang.Object.wait(Object.java)
at java.lang.Daemons$ReferenceQueueDaemon.run(Daemons.java:150)
at java.lang.Thread.run(Thread.java:761)

FinalizerWatchdogDaemon:
at java.lang.Thread.sleep(Thread.java)
at java.lang.Thread.sleep(Thread.java:371)
at java.lang.Thread.sleep(Thread.java:313)
at java.lang.Daemons$FinalizerWatchdogDaemon.sleepFor(Daemons.java:314)
at java.lang.Daemons$FinalizerWatchdogDaemon.waitForFinalization(Daemons.java:336)
at java.lang.Daemons$FinalizerWatchdogDaemon.run(Daemons.java:253)
at java.lang.Thread.run(Thread.java:761)

GmsDynamite:
at java.lang.Object.wait(Object.java)
at com.google.android.gms.dynamite.zza.run(com.google.android.gms:play-services-basement@@18.1.0:2)

heartbeat-information-executor:
at java.lang.Object.wait(Object.java)
at java.lang.Thread.parkFor$(Thread.java:2127)
at sun.misc.Unsafe.park(Unsafe.java:325)
at java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java:201)
at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.awaitNanos(AbstractQueuedSynchronizer.java:2077)
at java.util.concurrent.LinkedBlockingQueue.poll(LinkedBlockingQueue.java:438)
at java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1057)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1118)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
at java.lang.Thread.run(Thread.java:761)

pool-2-thread-1:
at java.lang.Object.wait(Object.java)
at java.lang.Thread.parkFor$(Thread.java:2127)
at sun.misc.Unsafe.park(Unsafe.java:325)
at java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java:201)
at java.util.concurrent.SynchronousQueue$TransferStack.awaitFulfill(SynchronousQueue.java:432)
at java.util.concurrent.SynchronousQueue$TransferStack.transfer(SynchronousQueue.java:333)
at java.util.concurrent.SynchronousQueue.poll(SynchronousQueue.java:908)
at java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1057)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1118)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
at java.lang.Thread.run(Thread.java:761)

firebase-installations-executor-2:
at java.lang.Object.wait(Object.java)
at java.lang.Thread.parkFor$(Thread.java:2127)
at sun.misc.Unsafe.park(Unsafe.java:325)
at java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java:201)
at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.awaitNanos(AbstractQueuedSynchronizer.java:2077)
at java.util.concurrent.LinkedBlockingQueue.poll(LinkedBlockingQueue.java:438)
at java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1057)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1118)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
at java.lang.Thread.run(Thread.java:761)

firebase-installations-executor-1:
at java.lang.Object.wait(Object.java)
at java.lang.Thread.parkFor$(Thread.java:2127)
at sun.misc.Unsafe.park(Unsafe.java:325)
at java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java:201)
at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.awaitNanos(AbstractQueuedSynchronizer.java:2077)
at java.util.concurrent.LinkedBlockingQueue.poll(LinkedBlockingQueue.java:438)
at java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1057)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1118)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
at java.lang.Thread.run(Thread.java:761)

pool-3-thread-1:
at java.lang.Object.wait(Object.java)
at java.lang.Thread.parkFor$(Thread.java:2127)
at sun.misc.Unsafe.park(Unsafe.java:325)
at java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java:201)
at java.util.concurrent.SynchronousQueue$TransferStack.awaitFulfill(SynchronousQueue.java:432)
at java.util.concurrent.SynchronousQueue$TransferStack.transfer(SynchronousQueue.java:333)
at java.util.concurrent.SynchronousQueue.poll(SynchronousQueue.java:908)
at java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1057)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1118)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
at java.lang.Thread.run(Thread.java:761)

pool-1-thread-1:
at java.lang.Object.wait(Object.java)
at java.lang.Thread.parkFor$(Thread.java:2127)
at sun.misc.Unsafe.park(Unsafe.java:325)
at java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java:201)
at java.util.concurrent.SynchronousQueue$TransferStack.awaitFulfill(SynchronousQueue.java:432)
at java.util.concurrent.SynchronousQueue$TransferStack.transfer(SynchronousQueue.java:333)
at java.util.concurrent.SynchronousQueue.poll(SynchronousQueue.java:908)
at java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1057)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1118)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
at java.lang.Thread.run(Thread.java:761)

Firebase-Messaging-Topics-Io:
at java.lang.Object.wait(Object.java)
at java.lang.Thread.parkFor$(Thread.java:2127)
at sun.misc.Unsafe.park(Unsafe.java:325)
at java.util.concurrent.locks.LockSupport.park(LockSupport.java:161)
at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:2035)
at java.util.concurrent.ScheduledThreadPoolExecutor$DelayedWorkQueue.take(ScheduledThreadPoolExecutor.java:1091)
at java.util.concurrent.ScheduledThreadPoolExecutor$DelayedWorkQueue.take(ScheduledThreadPoolExecutor.java:1084)
at java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1058)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1118)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
at com.google.android.gms.common.util.concurrent.zza.run(zza.java:2)
at com.google.android.gms.common.api.internal.zabm.run$bridge(com.google.android.gms:play-services-base@@18.0.1:10)
at java.lang.Thread.run(Thread.java:761)

HeapTaskDaemon:
at dalvik.system.VMRuntime.runHeapTasks(VMRuntime.java)
at java.lang.Daemons$HeapTaskDaemon.run(Daemons.java:433)
at java.lang.Thread.run(Thread.java:761)

Measurement Worker:
at android.os.BinderProxy.transactNative(BinderProxy.java)
at android.os.BinderProxy.transact(BinderProxy.java:617)
at android.app.ActivityManagerProxy.refContentProvider(ActivityManagerProxy.java:4264)
at android.app.ActivityThread.incProviderRefLocked(ActivityThread.java:5541)
at android.app.ActivityThread.acquireExistingProvider(ActivityThread.java:5604)
at android.app.ActivityThread.acquireProvider(ActivityThread.java:5482)
at android.app.ContextImpl$ApplicationContentResolver.acquireProvider(ContextImpl.java:2233)
at android.content.ContentResolver.acquireProvider(ContentResolver.java:1470)
at android.content.ContentResolver.query(ContentResolver.java:557)
at android.content.ContentResolver.query(ContentResolver.java:474)
at com.google.android.gms.internal.measurement.zzhf.zzd(zzhf.java:1)
at com.google.android.gms.internal.measurement.zzhd.zza(zzhd.java:1)
at com.google.android.gms.internal.measurement.zzhi.zza(zzhi.java:1)
at com.google.android.gms.internal.measurement.zzhf.zzc(com.google.android.gms:play-services-measurement-impl@@21.2.0:3)
at com.google.android.gms.internal.measurement.zzhf.zzb(com.google.android.gms:play-services-measurement-impl@@21.2.0:1)
at com.google.android.gms.internal.measurement.zzib.zzb(com.google.android.gms:play-services-measurement-impl@@21.2.0:11)
at com.google.android.gms.internal.measurement.zznp.zza(com.google.android.gms:play-services-measurement-impl@@21.2.0:1)
at com.google.android.gms.internal.measurement.zznn.zzb(zznn.java:1)
at com.google.android.gms.measurement.internal.zzbj.zza(zzbj.java:1)
at com.google.android.gms.measurement.internal.zzdt.zza(com.google.android.gms:play-services-measurement-impl@@21.2.0:7)
at com.google.android.gms.measurement.internal.zzew.zzaA(com.google.android.gms:play-services-measurement-impl@@21.2.0:8)
at com.google.android.gms.measurement.internal.zzgl.zzw(com.google.android.gms:play-services-measurement-impl@@21.2.0:1)
at com.google.android.gms.measurement.internal.zzfr.zzA(zzfr.java:12)
at com.google.android.gms.measurement.internal.zzfq.run(zzfq.java:1)
at com.google.android.gms.measurement.internal.zzao.run$bridge(com.google.android.gms:play-services-measurement-impl@@21.2.0:78)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:428)
at java.util.concurrent.FutureTask.run(FutureTask.java:237)
at com.google.android.gms.measurement.internal.zzfn.run(com.google.android.gms:play-services-measurement-impl@@21.2.0:6)

fi...@bnpparibas.pl <fi...@bnpparibas.pl> #87Jan 30, 2023 01:41PM

what's going on with fixing this problem? I have the same

c....@m1finance.com <c....@m1finance.com> #88Feb 1, 2023 11:42PM

Are there any updates for this? I've seen @google respond once and it's not even the person this assigned to.

Is Jetpack Security actually a 1.0 and stable product that is well supported or is this library considered deprecated?

hu...@t4connex.com <hu...@t4connex.com> #89Feb 9, 2023 11:16AM

Pretty shocking how long this issue has been around without resolution considering the severity and number of people encountering it. Can we get an update?

dm...@gmail.com <dm...@gmail.com> #90Feb 16, 2023 11:19AM

Getting crashes in production on following devices:

Samsung Galaxy A13 (Android 13)
Samsung Galaxy A51 (Android 12)
Samsung Galaxy A33 5G (Android 12)
Samsung Galaxy A31 (Android 12)
HUAWEI Honor 8X (Android 10)
HUAWEI honor 10 Lite (Android 9)

using "androidx.security:security-crypto:1.0.0"

crash stack trace:

Exception: java.security.ProviderException: Keystore operation failed
at android.security.keystore.AndroidKeyStoreKeyGeneratorSpi.engineGenerateKey(AndroidKeyStoreKeyGeneratorSpi.java:332)
at javax.crypto.KeyGenerator.generateKey(KeyGenerator.java:612)
at androidx.security.crypto.MasterKeys.generateKey(MasterKeys.java:4)
at com.example.base.storage.SharedPreferencesProvider.<init>(SharedPreferencesProvider.java:4)
Caused by android.security.KeyStoreException: System error
at android.security.KeyStore.getKeyStoreException(KeyStore.java:1569)
at android.security.keystore.AndroidKeyStoreKeyGeneratorSpi.engineGenerateKey(AndroidKeyStoreKeyGeneratorSpi.java:332)
at javax.crypto.KeyGenerator.generateKey(KeyGenerator.java:612)
at androidx.security.crypto.MasterKeys.generateKey(MasterKeys.java:4)
at com.example.base.storage.SharedPreferencesProvider.<init>(SharedPreferencesProvider.java:4)

me...@booking.com <me...@booking.com> #91Feb 16, 2023 01:04PM

Since I implemented DataExtractionRules and disabled both D2D and cloud backup for the EncryptedSharedPreferences and wiped the KeyStore for the already crashing users I didn't receive any crash for the last month.

using security-crypto:1.0.0
Disable all backup options:

	<application
		android:allowBackup="false"
		android:dataExtractionRules="@xml/data_extraction_rules"
		android:fullBackupContent="false"

Set data extraction rules

<data-extraction-rules>
    <cloud-backup>
        <exclude domain="root" />
        <exclude domain="file" />
        <exclude domain="database" />
        <exclude domain="sharedpref" />
        <exclude domain="external" />
    </cloud-backup>
    <device-transfer>
        <exclude domain="root" />
        <exclude domain="file" />
        <exclude domain="database" />
        <exclude domain="sharedpref" />
        <exclude domain="external" />
    </device-transfer>
</data-extraction-rules>

try/catch opening EncryptedSharedPreferences and wipe KeyStore and EncryptedSharedPreferences if initial opening fails:

fun getEncryptedSharedPreferences(context: Context, fileName: String): SharedPreferences {
    repeat(3) {
        runCatching { openEncryptedSharedPreferences(context, fileName) }
            .onSuccess { return it }
    }
    KeyStore.getInstance(ANDROID_KEYSTORE).apply {
        load(null)
        deleteEntry(spec.keystoreAlias)
    }
    context.deleteSharedPreferences(fileName)

    return openEncryptedSharedPreferences(context, fileName)
}

lb...@gmail.com <lb...@gmail.com> #92Feb 16, 2023 02:31PM

@91 Doesn't it mean you've excluded backup entirely, including of all shared-preferences

me...@booking.com <me...@booking.com> #93Feb 16, 2023 03:33PM

@92. Yes it does. Our app requires users to login. We sync everything when user logs in and didn't support backups for very long time. It's just that when new data extraction rules are introduced we didn't update our setup. I think as long as you exclude EncryptedSharedPreferences from backups it will work properly.

lb...@gmail.com <lb...@gmail.com> #94Feb 16, 2023 03:39PM

@93 Any way to exclude only the EncryptedSharedPreferences , alone?

me...@booking.com <me...@booking.com> #95Feb 16, 2023 03:41PM

see https://developer.android.com/guide/topics/data/autobackup#IncludingFiles

mo...@tothenew.com <mo...@tothenew.com> #96Feb 23, 2023 11:04AM

Comment has been deleted.

Message last modified on Feb 28, 2023 07:33AM

nm...@pingidentity.com <nm...@pingidentity.com> #97Feb 28, 2023 07:29AM

Comment has been deleted.

Message last modified on Feb 28, 2023 07:31AM

no...@gmail.com <no...@gmail.com> #98Feb 28, 2023 07:31AM

We also experience this issue for a long time:
38% samsung
28% Xiaomi
21% OnePlus
5% OPPO
8% Other (6)

26% Android 8
25% Android 13
22% Android 12
14% Android 9
13% Other (2)

Any news regarding this one?

mo...@tothenew.com <mo...@tothenew.com> #99Feb 28, 2023 07:35AM

@me...@booking.com<me...@booking.com> #91.
..........
Why you are using repeat(3)?
And if upgrade the APK what will be the behaviour in case of backup false

me...@booking.com <me...@booking.com> #100Feb 28, 2023 09:59AM

#99 just to make sure that EncryptedSharedPreferences are broken for good and we can't open it. In the logs I see that sometimes second or third retry can successfully open the preferences.

mo...@tothenew.com <mo...@tothenew.com> #101Feb 28, 2023 10:19AM

So, If it is open in first attempt then it will still repeat two more attempt? or not

me...@booking.com <me...@booking.com> #102Feb 28, 2023 10:30AM

it'll return if prefs is successfully opened.

mo...@tothenew.com <mo...@tothenew.com> #103Feb 28, 2023 10:34AM

okay one more query.
And if the APK is upgrade what will be the behaviors in case of backup excluded/false for preference.
will it remove all the saved preference?

da...@gmail.com <da...@gmail.com> #104Mar 15, 2023 02:49PM

I have the same issue. Root cause is not initiated KeyStore. So before init EncryptedSharedPreferences, need call a load function, like this:

    try {
        val keyStore = KeyStore.getInstance(KeyStore.getDefaultType())
        keyStore.load(null)
    } catch (e: KeyStoreException) {
        Timber.e(e, "Error occurred while trying to prepare the master key");
    }
    mainKey = MasterKey.Builder(context.applicationContext)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build()

    prefs = EncryptedSharedPreferences.create(
        context.applicationContext,
        PrefsRepositoryImpl.NAME,
        mainKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )

lb...@gmail.com <lb...@gmail.com> #105Mar 15, 2023 02:51PM

@104 Shouldn't you delete/reset anything in case of this exception?

mo...@tothenew.com <mo...@tothenew.com> #106Mar 15, 2023 02:53PM

@da...@gmail.com<da...@gmail.com> #104

is it resolved this issue?

[Deleted User] <[Deleted User]> #107Mar 27, 2023 11:15AM

is it resolved this issue?

is...@google.com <is...@google.com> Apr 8, 2023 08:25PM

Status: New

pt...@gmail.com <pt...@gmail.com> #108Apr 20, 2023 07:16AM

Version 1.1.0-alpha06 was just released yesterday (April 19, 2023)

Detail:

https://developer.android.com/jetpack/androidx/releases/security#1.1.0-alpha06
Release note here:

https://android.googlesource.com/platform/frameworks/support/+log/d5d49509dce56dc77715207ebb30b068e3e70eb5..617e5f259a688901040e1f508ecd2d6deb84e6b8/security

I don't know this issue is fixed or not. If someone had tried, please post the result here. Thank you so much

se...@gmail.com <se...@gmail.com> #109Apr 29, 2023 11:49AM

using 1.1.0-alpha06 the issue is still present. any alternative for this problem ? works fine on some devices, crashes on other...

pa...@gmail.com <pa...@gmail.com> #110May 2, 2023 06:47AM

Comment has been deleted.

Message last modified on May 2, 2023 07:07AM

al...@gmail.com <al...@gmail.com> #111May 3, 2023 09:48PM

I'm having the same issue on 1.1.0-alpha06. Just tested. Two of my internal testers are having crashes related to this library still.

xe...@google.com <xe...@google.com> Jul 12, 2023 06:46PM

Assigned to an...@google.com.

as...@google.com <as...@google.com> Jul 12, 2023 07:43PM

Reassigned to er...@google.com.

er...@google.com <er...@google.com> #112Jul 12, 2023 07:48PM

Reassigned to da...@google.com.

Daniel, do you have the bandwidth to look at this?

ra...@gmail.com <ra...@gmail.com> #113Jul 19, 2023 02:20PM

1.1.0-alpha06 still happening the same issue and it reported on 24rth Dec 2020. I is causing stablity issue of our application, please sort this asp

ch...@gmail.com <ch...@gmail.com> #114Jul 27, 2023 07:41AM

I have same issue with Brand:TCT Mobile Limited (Alcatel)/Model:TE101N1 Andoid 10. Crash 63 time on it

Caused by java.security.KeyStoreException: the master key android-keystore://_androidx_security_master_key_ exists but is unusable
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.readOrGenerateNewMasterKey(AndroidKeysetManager.java:276)
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.build(AndroidKeysetManager.java:237)

Caused by java.security.InvalidKeyException: Keystore operation failed
at android.security.KeyStore.getInvalidKeyException(KeyStore.java:1373)
at android.security.KeyStore.getInvalidKeyException(KeyStore.java:1413)
at android.security.keystore.KeyStoreCryptoOperationUtils.getInvalidKeyExceptionForInit(KeyStoreCryptoOperationUtils.java:54)
at android.security.keystore.KeyStoreCryptoOperationUtils.getExceptionForCipherInit(KeyStoreCryptoOperationUtils.java:89)
at android.security.keystore.AndroidKeyStoreCipherSpiBase.ensureKeystoreOperationInitialized(AndroidKeyStoreCipherSpiBase.java:265)
at android.security.keystore.AndroidKeyStoreCipherSpiBase.engineInit(AndroidKeyStoreCipherSpiBase.java:109)
at javax.crypto.Cipher.tryTransformWithProvider(Cipher.java:2984)
at javax.crypto.Cipher.tryCombinations(Cipher.java:2891)
at javax.crypto.Cipher$SpiAndProviderUpdater.updateAndGetSpiAndProvider(Cipher.java:2796)
at javax.crypto.Cipher.chooseProvider(Cipher.java:773)
at javax.crypto.Cipher.init(Cipher.java:1143)
at javax.crypto.Cipher.init(Cipher.java:1084)
at com.google.crypto.tink.integration.android.AndroidKeystoreAesGcm.encryptInternal(AndroidKeystoreAesGcm.java:84)
at com.google.crypto.tink.integration.android.AndroidKeystoreAesGcm.encrypt(AndroidKeystoreAesGcm.java:72)
at com.google.crypto.tink.integration.android.AndroidKeystoreKmsClient.validateAead(AndroidKeystoreKmsClient.java:259)
at com.google.crypto.tink.integration.android.AndroidKeystoreKmsClient.getAead(AndroidKeystoreKmsClient.java:175)
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.readOrGenerateNewMasterKey(AndroidKeysetManager.java:268)
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.build(AndroidKeysetManager.java:237)
Can anyone help me?

ha...@gmail.com <ha...@gmail.com> #115Aug 8, 2023 07:20AM

Comment has been deleted.

Message last modified on Aug 8, 2023 07:27AM

ha...@gmail.com <ha...@gmail.com> #116Aug 8, 2023 07:29AM

I am also getting a similar crash on production, which is reported by Firebase.

Occurrences: Huawei Y9 Prime 2019 (Android 10) - 10 crashes

Dependency Version: "androidx.security:security-crypto:1.1.0-alpha06"

Stack trace:

Caused by java.security.GeneralSecurityException: Keystore operation failed
       at androidx.security.crypto.MasterKeys.generateKey(MasterKeys.java:149)
       at androidx.security.crypto.MasterKeys.getOrCreate(MasterKeys.java:100)
       at androidx.security.crypto.MasterKey$Builder$Api23Impl.build(MasterKey.java:380)
       at androidx.security.crypto.MasterKey$Builder.build(MasterKey.java)
Caused by java.security.ProviderException: Keystore operation failed
       at android.security.keystore.AndroidKeyStoreKeyGeneratorSpi.engineGenerateKey(AndroidKeyStoreKeyGeneratorSpi.java:332)
       at javax.crypto.KeyGenerator.generateKey(KeyGenerator.java:612)
       at androidx.security.crypto.MasterKeys.generateKey(MasterKeys.java:145)
       at androidx.security.crypto.MasterKeys.getOrCreate(MasterKeys.java:100)
       at androidx.security.crypto.MasterKey$Builder$Api23Impl.build(MasterKey.java:380)
       at androidx.security.crypto.MasterKey$Builder.build(MasterKey.java)
Caused by android.security.KeyStoreException: System error
       at android.security.KeyStore.getKeyStoreException(KeyStore.java:1569)
       at android.security.keystore.AndroidKeyStoreKeyGeneratorSpi.engineGenerateKey(AndroidKeyStoreKeyGeneratorSpi.java:332)
       at javax.crypto.KeyGenerator.generateKey(KeyGenerator.java:612)
       at androidx.security.crypto.MasterKeys.generateKey(MasterKeys.java:145)
       at androidx.security.crypto.MasterKeys.getOrCreate(MasterKeys.java:100)
       at androidx.security.crypto.MasterKey$Builder$Api23Impl.build(MasterKey.java:380)
       at androidx.security.crypto.MasterKey$Builder.build(MasterKey.java)

is...@google.com <is...@google.com> Aug 10, 2023 07:34AM

Status: New

sa...@mercadolibre.com <sa...@mercadolibre.com> #117Aug 14, 2023 07:15PM

Comment has been deleted.

Message last modified on Aug 14, 2023 07:18PM

sa...@gmail.com <sa...@gmail.com> #118Aug 14, 2023 07:19PM

Comment has been deleted.

Message last modified on Aug 14, 2023 07:20PM

[Deleted User] <[Deleted User]> #119Sep 1, 2023 07:21AM

Was this issue resolved or still in progress?

m....@nearpay.io <m....@nearpay.io> #120Sep 6, 2023 01:44PM

Comment has been deleted.

Message last modified on Sep 13, 2023 01:18PM

ma...@gmail.com <ma...@gmail.com> #121Sep 13, 2023 10:48AM

Mind-blowing this was not addressed, even worse is they don't even care to acknowledge it for almost 3 years now

da...@gmail.com <da...@gmail.com> #122Sep 13, 2023 02:16PM

To people that have this issue regularly showing up in their crashlytics (or whatever you use to monitor issues), you can do something to help fix this even without waiting for Google:

Understand the issue a bit better

This is where this exception is raised: https://github.com/google/tink/blob/master/java_src/src/main/java/com/google/crypto/tink/integration/android/AndroidKeysetManager.java#L338

As you can see the comment states:

Throw the exception if the key exists but is unusable. We can't recover by generating a new key because there might be existing encrypted data under the unusable key. Users can provide a master key that is stored in StrongBox (see https://developer.android.com/about/versions/pie/android-9.0#hardware-security-module), which may throw a ProviderException if there's any problem with it.

I think the "User" in this case is the developer. Providing a strongbox masterkey means building a masterkey and use the setStrongboxBacked(true) flag.

There are more information about this here: https://github.com/google/tink/issues/535

The dependency chain is:

Users -> Jetpack Security -> Tink -> Android Keystore -> OEM firmware/hardware.

I work on Tink and contributed to Jetpack Security. I think the root cause of the crashes is neither in Tink nor Jetpack, but in Android Keystore and OEM firmware/hardware.

Shared prefs are encrypted with a Tink keyset (which is a protobuf). The keyset is encrypted with a master key stored in Android Keystore. The encrypted keyset itself is stored as a special value in the encrypted shared prefs file.

We've found that Android Keystore occasionally corrupts the master key on certain devices. We don't know why, we think it could be due to faulty OEM firmware/hardware.

When the master key is corrupted, Tink won't be able to decrypt, and return the error the master key android-keystore://androidx_security_master_key exists but is unusable.

Note the "We don't know why".

There's more in that issue, so go read it.

Other users reported (even in that issue) that disabling backups made the issue disappear, I don't know when it can happen: maybe a key can be unusable on a rooted OS, a faulty hardware, after an OS upgrade, some code on our side causing a race condition or a backup restore or whatever, I have no idea, sorry. But you could dig up the code I linked to understand all the possible reasons this can happen.

What Google could do:

This chain of dependency:

Users -> Jetpack Security -> Tink -> Android Keystore -> OEM firmware/hardware

Make this a really hard problem to solve because there are too many variables involved.

Until it is clearer what is causing this it is going to be really hard to fix it, imho. Simply because everyone can point fingers at others.

However, the code linked above eats up the real exception (what's wrong with the master key) which is generated inside of here somewhere: https://github.com/google/tink/blob/master/java_src/src/main/java/com/google/crypto/tink/integration/android/AndroidKeystoreKmsClient.java#L172

The Google Crypto Tink team could update this library adding the cause to the thrown exception and the Android team use this new version to at least have more meaningful stack-traces that point to the exact issue with the key.

And that's it, nothing else that Google can do at present time unless they reliably reproduce the issue to debug it.

What can YOU do

First of all there's a "Workaround" part in the issue I linked for the Tink library that goes into details of what you can do about it.

Google can't delete the key because they don't know if you need it, but you can. Yes you lose the preferences but you at least recover.

If you don't like that, well... you can open an issue to the Tink library requesting them to expose the original exception when the issue occur so that you can help in finding a real fix.

You can even go 1 step further and fork the library yourself to add that information, than use the fork and omit the original dependency when you bring in the Jetpack Security dependency.

Instead of coming here and complaining do something about it, share information and help fix the issue.

"me too" or "shame on Google" comments do not help anyone.

mo...@gmail.com <mo...@gmail.com> #123Sep 27, 2023 07:35PM

Comment has been deleted.

Message last modified on Sep 27, 2023 08:20PM

mo...@gmail.com <mo...@gmail.com> #124Sep 27, 2023 08:20PM

@da...@gmail.com @122 #122

We're facing the same issue in production with a kiosk device under the name of "rockchip rk3568_4", unfortunately the suggested workaround doesn't work.

As you noted in your post #55 in Apr 16, 2022, it crashes in this line:

val masterKey = MasterKey.Builder(context, MasterKey.DEFAULT_MASTER_KEY_ALIAS)
.setKeyScheme(MasterKey.KeyScheme.AES256_GCM).build()

The crash logs:
generateKeyInternal failed on response -1000
Shutting down VM
FATAL EXCEPTION: main
Process: com.example.myapplicationencsharedprefs, PID: 8626
java.lang.RuntimeException: Unable to start activity ComponentInfo{com.example.myapplicationencsharedprefs/com.example.myapplicationencsharedprefs.MainActivity}: java.security.GeneralSecurityException: Keystore operation failed
at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:3431)
at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3595)
at android.app.servertransaction.LaunchActivityItem.execute(LaunchActivityItem.java:85)
at android.app.servertransaction.TransactionExecutor.executeCallbacks(TransactionExecutor.java:135)
at android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:95)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:2066)
at android.os.Handler.dispatchMessage(Handler.java:106)
at android.os.Looper.loop(Looper.java:223)
at android.app.ActivityThread.main(ActivityThread.java:7664)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:592)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:947)
Caused by: java.security.GeneralSecurityException: Keystore operation failed
at androidx.security.crypto.MasterKeys.generateKey(MasterKeys.java:149)
at androidx.security.crypto.MasterKeys.getOrCreate(MasterKeys.java:100)
at androidx.security.crypto.MasterKey$Builder$Api23Impl.build(MasterKey.java:380)
at androidx.security.crypto.MasterKey$Builder.build(MasterKey.java:320)
at com.example.myapplicationencsharedprefs.MainActivity.generateEncryptedSharedPreferences(MainActivity.kt:37)
at com.example.myapplicationencsharedprefs.MainActivity.onCreate(MainActivity.kt:19)
at android.app.Activity.performCreate(Activity.java:8022)
at android.app.Activity.performCreate(Activity.java:8006)
at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1309)
at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:3404)
at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3595)
at android.app.servertransaction.LaunchActivityItem.execute(LaunchActivityItem.java:85)
at android.app.servertransaction.TransactionExecutor.executeCallbacks(TransactionExecutor.java:135)
at android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:95)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:2066)
at android.os.Handler.dispatchMessage(Handler.java:106)
at android.os.Looper.loop(Looper.java:223)
at android.app.ActivityThread.main(ActivityThread.java:7664)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:592)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:947)
Caused by: java.security.ProviderException: Keystore operation failed
at android.security.keystore.AndroidKeyStoreKeyGeneratorSpi.engineGenerateKey(AndroidKeyStoreKeyGeneratorSpi.java:331)
at javax.crypto.KeyGenerator.generateKey(KeyGenerator.java:612)
at androidx.security.crypto.MasterKeys.generateKey(MasterKeys.java:145)
at androidx.security.crypto.MasterKeys.getOrCreate(MasterKeys.java:100)
at androidx.security.crypto.MasterKey$Builder$Api23Impl.build(MasterKey.java:380)
at androidx.security.crypto.MasterKey$Builder.build(MasterKey.java:320)
at com.example.myapplicationencsharedprefs.MainActivity.generateEncryptedSharedPreferences(MainActivity.kt:37)
at com.example.myapplicationencsharedprefs.MainActivity.onCreate(MainActivity.kt:19)
at android.app.Activity.performCreate(Activity.java:8022)
at android.app.Activity.performCreate(Activity.java:8006)
at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1309)
at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:3404)
at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3595)
at android.app.servertransaction.LaunchActivityItem.execute(LaunchActivityItem.java:85)
at android.app.servertransaction.TransactionExecutor.executeCallbacks(TransactionExecutor.java:135)
at android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:95)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:2066)
at android.os.Handler.dispatchMessage(Handler.java:106)
at android.os.Looper.loop(Looper.java:223)
at android.app.ActivityThread.main(ActivityThread.java:7664)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:592)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:947)
Caused by: android.security.KeyStoreException: Unknown error
at android.security.KeyStore.getKeyStoreException(KeyStore.java:1301)
at android.security.keystore.AndroidKeyStoreKeyGeneratorSpi.engineGenerateKey(AndroidKeyStoreKeyGeneratorSpi.java:331)
at javax.crypto.KeyGenerator.generateKey(KeyGenerator.java:612)
at androidx.security.crypto.MasterKeys.generateKey(MasterKeys.java:145)
at androidx.security.crypto.MasterKeys.getOrCreate(MasterKeys.java:100)
at androidx.security.crypto.MasterKey$Builder$Api23Impl.build(MasterKey.java:380)
at androidx.security.crypto.MasterKey$Builder.build(MasterKey.java:320)
at com.example.myapplicationencsharedprefs.MainActivity.generateEncryptedSharedPreferences(MainActivity.kt:37)
at com.example.myapplicationencsharedprefs.MainActivity.onCreate(MainActivity.kt:19)
at android.app.Activity.performCreate(Activity.java:8022)
at android.app.Activity.performCreate(Activity.java:8006)
at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1309)
at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:3404)
at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3595)
at android.app.servertransaction.LaunchActivityItem.execute(LaunchActivityItem.java:85)
at android.app.servertransaction.TransactionExecutor.executeCallbacks(TransactionExecutor.java:135)
at android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:95)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:2066)
at android.os.Handler.dispatchMessage(Handler.java:106)
at android.os.Looper.loop(Looper.java:223)
at android.app.ActivityThread.main(ActivityThread.java:7664)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:592)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:947)

For what it's worth, this particular device is rooted (and *could* be custom ROM, unsure)

Did you ever find a way to resolve this with rockchip affected devices?

ha...@bottlerocketstudios.com <ha...@bottlerocketstudios.com> #125Oct 12, 2023 09:38PM

For us, we use 1.1.0-alpha06 androidx-security library. For debug builds, it crashes on Smasung S23 (Android 13). It DOES NOT crash on Pixel 7 Android 14. Release builds WERE FINE on both devices.

As I saw above, I set android:allowBackup="false" in AndroidManifest.xml and then it WORKS. NO CRASHES.

https://developer.android.com/reference/androidx/security/crypto/EncryptedSharedPreferences
This link mentions a WARNING in first couple of lines. I think I will experiment with the Backup Rules to exclude encrypted shared prefs.

ja...@agileinfoways.com <ja...@agileinfoways.com> #126Oct 27, 2023 01:13PM

Is there any update on this issue we are still facing this issue. When google will release the new SDK version?

Component used: androidx.security:security-crypto:1.1.0-alpha06
Version used:1.1.0-alpha06
Devices/Android versions reproduced on: android 9 and above

Fatal Exception: java.lang.ExceptionInInitializerError:
at x.x.x.x.encryptPassword(x.java:313)
at x.x.x.x.onCreate(x.java:200)
at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1158)
at android.app.ActivityThread.handleBindApplication(ActivityThread.java:6281)
at android.app.ActivityThread.access$1200(ActivityThread.java:233)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1862)
at android.os.Handler.dispatchMessage(Handler.java:106)
at android.os.Looper.loop(Looper.java:224)
at android.app.ActivityThread.main(ActivityThread.java:7147)
at java.lang.reflect.Method.invoke(Method.java)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:511)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:876)

Caused by java.security.UnrecoverableKeyException: Failed to obtain information about key
at android.security.keystore.AndroidKeyStoreProvider.getKeyCharacteristics(AndroidKeyStoreProvider.java:234)
at android.security.keystore.AndroidKeyStoreProvider.loadAndroidKeyStoreKeyFromKeystore(AndroidKeyStoreProvider.java:356)
at android.security.keystore.AndroidKeyStoreSpi.engineGetKey(AndroidKeyStoreSpi.java:101)
at java.security.KeyStore.getKey(KeyStore.java:1062)
at com.google.crypto.tink.integration.android.AndroidKeystoreAesGcm.<init>(AndroidKeystoreAesGcm.java:59)
at com.google.crypto.tink.integration.android.AndroidKeystoreKmsClient.getAead(AndroidKeystoreKmsClient.java:179)
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.readMasterkeyDecryptAndParseKeyset(AndroidKeysetManager.java:365)
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.build(AndroidKeysetManager.java:297)
at androidx.security.crypto.EncryptedSharedPreferences.create(EncryptedSharedPreferences.java:169)
at androidx.security.crypto.EncryptedSharedPreferences.create(EncryptedSharedPreferences.java:130)
at x.x.x.preferences.EncryptedPrefUtils.<clinit>(EncryptedPrefUtils.kt:22)
at x.x.x.x.encryptPassword(x.java:313)
at x.x.x.x.onCreate(x.java:200)
at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1158)
at android.app.ActivityThread.handleBindApplication(ActivityThread.java:6281)
at android.app.ActivityThread.access$1200(ActivityThread.java:233)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1862)
at android.os.Handler.dispatchMessage(Handler.java:106)
at android.os.Looper.loop(Looper.java:224)
at android.app.ActivityThread.main(ActivityThread.java:7147)
at java.lang.reflect.Method.invoke(Method.java)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:511)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:876)

Caused by android.security.KeyStoreException: Invalid key blob
at android.security.KeyStore.getKeyStoreException(KeyStore.java:856)
at android.security.keystore.AndroidKeyStoreProvider.getKeyCharacteristics(AndroidKeyStoreProvider.java:236)
at android.security.keystore.AndroidKeyStoreProvider.loadAndroidKeyStoreKeyFromKeystore(AndroidKeyStoreProvider.java:356)
at android.security.keystore.AndroidKeyStoreSpi.engineGetKey(AndroidKeyStoreSpi.java:101)
at java.security.KeyStore.getKey(KeyStore.java:1062)
at com.google.crypto.tink.integration.android.AndroidKeystoreAesGcm.<init>(AndroidKeystoreAesGcm.java:59)
at com.google.crypto.tink.integration.android.AndroidKeystoreKmsClient.getAead(AndroidKeystoreKmsClient.java:179)
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.readMasterkeyDecryptAndParseKeyset(AndroidKeysetManager.java:365)
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.build(AndroidKeysetManager.java:297)
at androidx.security.crypto.EncryptedSharedPreferences.create(EncryptedSharedPreferences.java:169)
at androidx.security.crypto.EncryptedSharedPreferences.create(EncryptedSharedPreferences.java:130)
at x.x.x.preferences.EncryptedPrefUtils.<clinit>(EncryptedPrefUtils.kt:22)
at x.x.x.x.encryptPassword(x.java:313)
at x.x.x.x.onCreate(x.java:200)
at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1158)
at android.app.ActivityThread.handleBindApplication(ActivityThread.java:6281)
at android.app.ActivityThread.access$1200(ActivityThread.java:233)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1862)
at android.os.Handler.dispatchMessage(Handler.java:106)
at android.os.Looper.loop(Looper.java:224)
at android.app.ActivityThread.main(ActivityThread.java:7147)
at java.lang.reflect.Method.invoke(Method.java)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:511)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:876)

jm...@gmail.com <jm...@gmail.com> #127Dec 1, 2023 02:26PM

I'm using EncryptedFile instead of EncryptedSharedPreferences and after implementing the workaround in #104 I was still encountering errors.

Spelunking through the code, I learned that EncryptedSharedPreferences stores an secondary private key alongside the SharedPreferences set by the user/developer. EncryptedFile on the other hand uses a hard coded SharedPreference file for all EncryptedFiles unless otherwise specified.

So, in order to delete the encryption key for EncryptedFiles (which won't be usable after resetting the master key), you must also delete the following SharedPreference defined in androidx.security.crypto.EncryptedFile:

```
private static final String KEYSET_PREF_NAME =
"__androidx_security_crypto_encrypted_file_pref__";
```

For example:

```
fun resetMasterKey() {
KeyStore.getInstance(ANDROID_KEYSTORE).apply {
load(null)
deleteEntry(master)
}
context.deleteSharedPreferences(KEYSET_PREF_NAME)

master = MasterKeys.getOrCreate(spec)
}
```

al...@ifit.com <al...@ifit.com> #128Jan 12, 2024 10:33PM

Comment has been deleted.

Message last modified on Jan 12, 2024 11:35PM

al...@ifit.com <al...@ifit.com> #129Jan 12, 2024 11:35PM

Does this look like the same error?

"java.lang.RuntimeException: Unable to create application com.ifit.arda.MainApplication: java.security.GeneralSecurityException: Keystore key generation failed"

Android 13

Will migratating our app to Jetpack fix error??

dt...@gmail.com <dt...@gmail.com> #130Jan 23, 2024 05:51PM

I have seen this error as well. The only difference is when analyzing the crashlytics, all of these failures are in the background.

It is unclear as of yet whether the crash is user facing but it would seem that somewhere in the process death initiated by the Android OS, there is a key validation error when foregrounding.

ja...@robinhood.com <ja...@robinhood.com> #131Feb 7, 2024 05:23PM

How is this only a P3? It seems to be a very common, very severe bug.

za...@gmail.com <za...@gmail.com> #132Mar 6, 2024 11:46AM

We're storing critical data in encrypted share preferences and it is not possible to delete them. It's 2024 and there is no fixes!

ma...@gmail.com <ma...@gmail.com> #133May 23, 2024 08:09AM

Mindblowing to me that this is not considered worth prioritizing

vi...@spicemoney.com <vi...@spicemoney.com> #134May 30, 2024 06:14AM

I'm also facing same error with OS version: android8.1.0 Model:Galaxy J7 Max

Error Logs :

 Fatal Exception: java.lang.RuntimeException: Unable to create application myapp.application.MudraApplication: java.security.GeneralSecurityException: Keystore operation failed
   at android.app.ActivityThread.handleBindApplication(ActivityThread.java:6114)
   at android.app.ActivityThread.-wrap1()
   at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1801)
   at android.os.Handler.dispatchMessage(Handler.java:106)
   at android.os.Looper.loop(Looper.java:164)
   at android.app.ActivityThread.main(ActivityThread.java:7025)
   at java.lang.reflect.Method.invoke(Method.java)
   at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:441)
   at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1408)

Caused by java.security.GeneralSecurityException: Keystore operation failed at androidx.security.crypto.MasterKeys.generateKey(MasterKeys.java:149) at androidx.security.crypto.MasterKeys.getOrCreate(MasterKeys.java:100) at androidx.security.crypto.MasterKey$Builder$Api23Impl.build(MasterKey.java:380) at androidx.security.crypto.MasterKey$Builder.build(MasterKey.java:320)

pa...@gmail.com <pa...@gmail.com> #135May 30, 2024 06:26AM

seems to be deprecated the EncryptedSharedPreferences

https://proandroiddev.com/securing-the-future-navigating-the-deprecation-of-encrypted-shared-preferences-91ce3c20ae8d

lb...@gmail.com <lb...@gmail.com> #136Jun 1, 2024 01:43PM

@135 Deprecated before any stable release?

Google, at least offer some nice tiny sample with official explanation of how to deal with crashes like here... And please provide an alternative...

go...@gmail.com <go...@gmail.com> #137Jun 2, 2024 11:58AM

In my case crashes are not from the library itself, but from hardware/system (mainly non-thread-safe implementations of cipher, errors from security chip that stores keys). Can we instead of getting this library deprecated, get api that will shows in more prominent way, if the reason of error can be mitigated? so we can know if we can somehow stall to make it work or need to show errors to the users.

I know Android 13 had make it a bit better introducing android.security.KeyStoreException - can we get something like it but with compatibility to older android versions?

re...@gmail.com <re...@gmail.com> #138Jul 11, 2024 10:09AM

At this point, using "androidx.security:security-crypto:1.0.0", we are experiencing crashes only on XIAOMI devices with Android 12. Our app mostly runs in the background since its a location tracking foreground service. Any crash or caught error in our encrypted preferences means reduced functionality and users are unable to communicate to the server. Long story short its a huge issue.

Can we have any official guidance on how to resolve this issue and how to proceed using this library? It seems that it is slowly deprecated and without any alternative since AndroidKeystore is marked as heavily unreliable by developers working for Tink Cryptography Library.

The situation is very frustrating and without any official guidance.

Fatal Exception: java.security.KeyStoreException: the master key android-keystore://_androidx_security_master_key_ exists but is unusable
       at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.readOrGenerateNewMasterKey(AndroidKeysetManager.java:103)
       at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.build(AndroidKeysetManager.java:5)
       at androidx.security.crypto.EncryptedSharedPreferences.create(:46)

Caused by javax.crypto.IllegalBlockSizeException:
       at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:613)
       at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:629)
       at javax.crypto.Cipher.doFinal(Cipher.java:2268)
       at com.google.crypto.tink.integration.android.AndroidKeystoreAesGcm.encryptInternal(AndroidKeystoreAesGcm.java:36)
       at com.google.crypto.tink.integration.android.AndroidKeystoreAesGcm.encrypt(AndroidKeystoreAesGcm.java:18)
       at com.google.crypto.tink.integration.android.AndroidKeystoreKmsClient.validateAead(AndroidKeystoreKmsClient.java:9)
       at com.google.crypto.tink.integration.android.AndroidKeystoreKmsClient.getAead(AndroidKeystoreKmsClient.java:48)
       at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.readOrGenerateNewMasterKey(AndroidKeysetManager.java:71)
       at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.build(AndroidKeysetManager.java:5)
       at androidx.security.crypto.EncryptedSharedPreferences.create(:46)

Caused by android.security.KeyStoreException: Invalid operation handle
       at android.security.KeyStore2.getKeyStoreException(KeyStore2.java:356)
       at android.security.KeyStoreOperation.handleExceptions(KeyStoreOperation.java:78)
       at android.security.KeyStoreOperation.update(KeyStoreOperation.java:114)
       at android.security.keystore2.KeyStoreCryptoOperationChunkedStreamer$MainDataStream.update(KeyStoreCryptoOperationChunkedStreamer.java:222)
       at android.security.keystore2.KeyStoreCryptoOperationChunkedStreamer.update(KeyStoreCryptoOperationChunkedStreamer.java:156)
       at android.security.keystore2.KeyStoreCryptoOperationChunkedStreamer.doFinal(KeyStoreCryptoOperationChunkedStreamer.java:179)
       at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:603)
       at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:629)
       at javax.crypto.Cipher.doFinal(Cipher.java:2268)
       at com.google.crypto.tink.integration.android.AndroidKeystoreAesGcm.encryptInternal(AndroidKeystoreAesGcm.java:36)
       at com.google.crypto.tink.integration.android.AndroidKeystoreAesGcm.encrypt(AndroidKeystoreAesGcm.java:18)
       at com.google.crypto.tink.integration.android.AndroidKeystoreKmsClient.validateAead(AndroidKeystoreKmsClient.java:9)
       at com.google.crypto.tink.integration.android.AndroidKeystoreKmsClient.getAead(AndroidKeystoreKmsClient.java:48)
       at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.readOrGenerateNewMasterKey(AndroidKeysetManager.java:71)
       at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.build(AndroidKeysetManager.java:5)
       at androidx.security.crypto.EncryptedSharedPreferences.create(:46)

sa...@gmail.com <sa...@gmail.com> #139Oct 2, 2024 05:56AM

public static SharedPreferences getEncryptedSharedPreferences(String fileName) {
SharedPreferences sharedPreferences = null;
try {
Context context = App.getContext();
if (context != null) {
// Create or retrieve the MasterKey
MasterKey masterKey = new MasterKey.Builder(context)
.setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
.build();

// Create EncryptedSharedPreferences
sharedPreferences = EncryptedSharedPreferences.create(
context, // File name of preferences
fileName, // MasterKey object
masterKey, // Context
EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV, // Key encryption scheme
EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM // Value encryption scheme
);
}
}catch (GeneralSecurityException ex) {
Log.e("ex",ex.toString());
} catch (IOException ex) {
Log.e("ex",ex.toString());
}catch (Exception ex){
Log.e("ex",ex.toString());
}

}

giving following error

prio=5 tid=2 RUNNABLE sysTid=24594; at android.os.BinderProxy.transactNative(Native Method); at android.os.BinderProxy.transact(BinderProxy.java:685); at android.system.keystore2.IKeystoreSecurityLevel$Stub$Proxy.createOperation(IKeystoreSecurityLevel.java:281); at android.security.KeyStoreSecurityLevel.createOperation(KeyStoreSecurityLevel.java:81); at android.security.keystore2.AndroidKeyStoreCipherSpiBase.ensureKeystoreOperationInitialized(AndroidKeyStoreCipherSpiBase.java:349); at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineInit(AndroidKeyStoreCipherSpiBase.java:248); at javax.crypto.Cipher.tryTransformWithProvider(Cipher.java:2999); at javax.crypto.Cipher.tryCombinations(Cipher.java:2910); at javax.crypto.Cipher$SpiAndProviderUpdater.updateAndGetSpiAndProvider(Cipher.java:2815); at javax.crypto.Cipher.chooseProvider(Cipher.java:792); at javax.crypto.Cipher.init(Cipher.java:1307); at javax.crypto.Cipher.init(Cipher.java:1242); at com.google.crypto.tink.integration.android.AndroidKeystoreAesGcm.decryptInternal(AndroidKeystoreAesGcm.java:116); at com.google.crypto.tink.integration.android.AndroidKeystoreAesGcm.decrypt(AndroidKeystoreAesGcm.java:101); at com.google.crypto.tink.integration.android.AndroidKeystoreKmsClient.validateAead(AndroidKeystoreKmsClient.java:299); at com.google.crypto.tink.integration.android.AndroidKeystoreKmsClient.getAead(AndroidKeystoreKmsClient.java:180); at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.readMasterkeyDecryptAndParseKeyset(AndroidKeysetManager.java:365); at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.build(AndroidKeysetManager.java:297); at androidx.security.crypto.EncryptedSharedPreferences.create(EncryptedSharedPreferences.java:169); at androidx.security.crypto.EncryptedSharedPreferences.create(EncryptedSharedPreferences.java:130);

how to fix this ?

Issue 176215143

Description

Issue summary

Comments

lb...@gmail.com <lb...@gmail.com> #2Dec 24, 2020 02:03PM

lb...@gmail.com <lb...@gmail.com> #3Dec 27, 2020 08:35AM

ja...@google.com <ja...@google.com> Dec 28, 2020 06:06PM

lb...@gmail.com <lb...@gmail.com> #4Dec 29, 2020 08:36AM

em...@gmail.com <em...@gmail.com> #5Dec 31, 2020 08:12PM

lb...@gmail.com <lb...@gmail.com> #6Dec 31, 2020 08:16PM

lb...@gmail.com <lb...@gmail.com> #7Jan 7, 2021 09:32AM

mi...@outlook.com.au <mi...@outlook.com.au> #8Feb 7, 2021 11:13PM

lb...@gmail.com <lb...@gmail.com> #9Feb 7, 2021 11:19PM

ch...@gmail.com <ch...@gmail.com> #10Feb 11, 2021 09:03AM

lb...@gmail.com <lb...@gmail.com> #11Feb 11, 2021 09:15AM

pa...@gmail.com <pa...@gmail.com> #12Feb 19, 2021 12:45PM

pa...@ufst.dk <pa...@ufst.dk> #13Feb 19, 2021 12:59PM

lb...@gmail.com <lb...@gmail.com> #14Mar 31, 2021 07:07AM

lb...@gmail.com <lb...@gmail.com> #15Mar 31, 2021 07:09AM

sa...@gmail.com <sa...@gmail.com> #16Apr 19, 2021 02:47PM

lb...@gmail.com <lb...@gmail.com> #17Apr 19, 2021 02:53PM

sa...@gmail.com <sa...@gmail.com> #18Apr 19, 2021 04:44PM

lb...@gmail.com <lb...@gmail.com> #19Apr 19, 2021 05:15PM

lb...@gmail.com <lb...@gmail.com> #20Apr 25, 2021 10:20PM

sa...@gmail.com <sa...@gmail.com> #21Apr 26, 2021 08:42AM

lb...@gmail.com <lb...@gmail.com> #22Apr 26, 2021 08:46AM

vi...@gmail.com <vi...@gmail.com> #23Apr 27, 2021 12:00AM

lb...@gmail.com <lb...@gmail.com> #24Jun 27, 2021 03:11PM

os...@gmail.com <os...@gmail.com> #25Jul 5, 2021 04:25PM

ji...@gmail.com <ji...@gmail.com> #26Jul 7, 2021 02:10AM

lb...@gmail.com <lb...@gmail.com> #27Jul 7, 2021 06:23AM

os...@gmail.com <os...@gmail.com> #28Jul 16, 2021 10:57PM

so...@carerev.com <so...@carerev.com> #29Aug 2, 2021 02:50PM

lb...@gmail.com <lb...@gmail.com> #30Aug 2, 2021 02:57PM

os...@gmail.com <os...@gmail.com> #31Aug 4, 2021 03:26AM

ar...@gmail.com <ar...@gmail.com> #32Aug 4, 2021 07:50AM

bo...@google.com <bo...@google.com> Aug 6, 2021 12:08PM

lb...@gmail.com <lb...@gmail.com> #33Aug 6, 2021 03:10PM

an...@gmail.com <an...@gmail.com> #34Aug 15, 2021 10:00AM

[Deleted User] <[Deleted User]> #35Aug 23, 2021 10:22AM

ie...@gmail.com <ie...@gmail.com> #36Sep 1, 2021 10:04AM

lb...@gmail.com <lb...@gmail.com> #37Sep 1, 2021 10:14AM

[Deleted User] <[Deleted User]> #38Sep 2, 2021 01:50PM

ng...@bitso.com <ng...@bitso.com> #39Sep 2, 2021 06:29PM

th...@gmail.com <th...@gmail.com> #40Sep 2, 2021 11:48PM

th...@gmail.com <th...@gmail.com> #41Sep 3, 2021 12:10AM

th...@gmail.com <th...@gmail.com> #42Sep 3, 2021 01:01AM

ng...@bitso.com <ng...@bitso.com> #43Sep 3, 2021 08:53AM

lb...@gmail.com <lb...@gmail.com> #44Dec 24, 2021 10:21AM

mh...@gmail.com <mh...@gmail.com> #45Feb 13, 2022 02:10AM

eu...@paysera.net <eu...@paysera.net> #46Feb 18, 2022 04:47AM

as...@tradingview.com <as...@tradingview.com> #47Mar 15, 2022 04:15PM

an...@gmail.com <an...@gmail.com> #48Mar 22, 2022 09:31AM

an...@gmail.com <an...@gmail.com> #49Mar 22, 2022 09:33AM

yu...@gmail.com <yu...@gmail.com> #50Mar 22, 2022 09:36AM

pa...@gmail.com <pa...@gmail.com> #51Apr 7, 2022 05:49AM

ar...@gmail.com <ar...@gmail.com> #52Apr 7, 2022 05:25PM

it...@gmail.com <it...@gmail.com> #53Apr 7, 2022 07:20PM

lb...@gmail.com <lb...@gmail.com> #54Apr 10, 2022 08:26AM

lb...@gmail.com <lb...@gmail.com> #55Apr 16, 2022 03:05PM

th...@gmail.com <th...@gmail.com> #56May 4, 2022 12:48PM

[Deleted User] <[Deleted User]> #57May 4, 2022 11:38PM

ma...@oyorooms.com <ma...@oyorooms.com> #58May 6, 2022 03:32PM

da...@gmail.com <da...@gmail.com> #59May 16, 2022 07:35PM

[Deleted User] <[Deleted User]> #60Jun 16, 2022 07:05PM

je...@gmail.com <je...@gmail.com> #61Jun 17, 2022 12:31PM

ni...@gmail.com <ni...@gmail.com> #62Jun 20, 2022 06:48AM

an...@gmail.com <an...@gmail.com> #63Jun 21, 2022 11:33AM

lb...@gmail.com <lb...@gmail.com> #64Jun 21, 2022 11:47AM

an...@gmail.com <an...@gmail.com> #65Jun 22, 2022 02:07AM

lb...@gmail.com <lb...@gmail.com> #66Jun 22, 2022 06:48AM

an...@gmail.com <an...@gmail.com> #67Jun 22, 2022 11:31AM

lb...@gmail.com <lb...@gmail.com> #68Jun 22, 2022 11:37AM

sw...@google.com <sw...@google.com> #69Aug 16, 2022 05:18PM

lb...@gmail.com <lb...@gmail.com> #70Aug 16, 2022 05:32PM

mo...@tothenew.com <mo...@tothenew.com> #71Aug 25, 2022 09:39AM

mo...@tothenew.com <mo...@tothenew.com> #72Sep 6, 2022 12:24PM

lb...@gmail.com <lb...@gmail.com> #73Sep 6, 2022 12:46PM

di...@gmail.com <di...@gmail.com> #74Sep 14, 2022 06:24AM

ca...@gmail.com <ca...@gmail.com> #75Sep 14, 2022 09:29AM