Protecting locally stored data is a crucial aspect of any secure messaging app, particularly when server-side storage is intentionally avoided, as is the case with Threema. On Android, the Keystore offers a system-level solution for securely managing cryptographic keys.
Threema has always taken a clear approach: message content and other sensitive data are stored exclusively on users’ devices. None of this content is stored centrally on Threema’s servers. While this approach reduces the attack surface, it shifts the responsibility for protecting the data to the respective end device. There, the data must be stored in such a way that no other app can access it. Various protection mechanisms exist on Android for this purpose.
First, all data is stored in an app-specific directory. This is located in the system’s internal storage and is “sandboxed” by default, meaning it is isolated so that other apps cannot access it.
To further protect sensitive content, all data is stored in encrypted form. Even if someone were to gain access to this data at the file level, it would be unreadable without the correct key.
Encryption stands or falls with the protection of the key. If the key is compromised, even the strongest encryption loses its effectiveness. This is precisely where a central security feature of the Android operating system comes into play: the Android Keystore.
The Keystore is a system component specifically designed for the secure generation and storage of cryptographic keys. An app can have keys generated there without ever gaining direct access to their raw data. Instead, the Keystore provides cryptographic operations that are performed internally using the key.
In concrete terms, this means that not even the Threema app can export or read the key once it has been generated. For the encryption and decryption of data, the corresponding operations are delegated to the Keystore, which performs them with the key and returns only the result.
A major advantage of the Android Keystore lies in its flexibility regarding the underlying hardware. Modern devices often feature a dedicated security chip (Secure Element or comparable technologies) in which keys are stored in isolation from the rest of the system.
In such a “hardware-backed Keystore,” keys never leave the secure area and remain protected even if other parts of the system are compromised. Reading a key from memory is practically impossible in this scenario.
On older or lower-cost devices, a “software-backed Keystore” is used instead. Here, keys are managed in the regular system memory. A software-backed Keystore is more vulnerable, since an attacker who compromises the operating system can reach the memory in which the keys are held. Threema always prefers the hardware-backed Keystore, if available.
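The following Kotlin is an added illustration of the mechanism described above and is not Threema's code: it generates an AES-256-GCM key inside the Android Keystore (trying the StrongBox security chip first and falling back to the default Keystore), checks whether the resulting key is hardware-backed, and delegates encryption to the Keystore without the raw key ever reaching the app. The alias and the Pair-based (iv, ciphertext) return shape are this example's own choices.

```kotlin
import android.os.Build
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyInfo
import android.security.keystore.KeyProperties
import android.security.keystore.StrongBoxUnavailableException
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.GCMParameterSpec

// Hypothetical alias for this example; the real key layout is not shown on the page.
private const val PROVIDER = "AndroidKeyStore"
private const val ALIAS = "example_local_data_key"

/** Returns the app's AES-256-GCM data key, generating it inside the Keystore on first use. */
fun getOrCreateDataKey(): SecretKey {
    val ks = KeyStore.getInstance(PROVIDER).apply { load(null) }
    (ks.getKey(ALIAS, null) as? SecretKey)?.let { return it }

    fun spec(strongBox: Boolean) = KeyGenParameterSpec.Builder(
        ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        .setRandomizedEncryptionRequired(true) // Keystore picks a fresh IV for every encryption
        .apply {
            if (strongBox && Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) setIsStrongBoxBacked(true)
        }
        .build()

    val generator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, PROVIDER)
    // Prefer a dedicated security chip (StrongBox); fall back to the TEE-backed or software Keystore.
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
        try {
            generator.init(spec(strongBox = true))
            return generator.generateKey()
        } catch (e: StrongBoxUnavailableException) {
            // This device has no StrongBox; continue with the default Keystore below.
        }
    }
    generator.init(spec(strongBox = false))
    return generator.generateKey()
}

/** True when the key material lives in a TEE or StrongBox rather than in the software Keystore. */
fun isHardwareBacked(key: SecretKey): Boolean {
    val factory = SecretKeyFactory.getInstance(key.algorithm, PROVIDER)
    val info = factory.getKeySpec(key, KeyInfo::class.java) as KeyInfo
    return if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
        info.securityLevel == KeyProperties.SECURITY_LEVEL_TRUSTED_ENVIRONMENT ||
            info.securityLevel == KeyProperties.SECURITY_LEVEL_STRONGBOX
    } else {
        @Suppress("DEPRECATION")
        info.isInsideSecureHardware
    }
}

/** Keystore keys are non-exportable: getEncoded() returns null for them, so this is always false. */
fun isExportable(key: SecretKey): Boolean = key.encoded != null

/** Encrypts with the Keystore key; only the Cipher operation is delegated, the key bytes stay inside. */
fun encryptLocally(key: SecretKey, plaintext: ByteArray): Pair<ByteArray, ByteArray> {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, key)         // no IV supplied: the Keystore generates it
    return cipher.iv to cipher.doFinal(plaintext) // (iv, ciphertext || 128-bit tag)
}

fun decryptLocally(key: SecretKey, iv: ByteArray, ciphertext: ByteArray): ByteArray {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.DECRYPT_MODE, key, GCMParameterSpec(128, iv))
    return cipher.doFinal(ciphertext)             // throws AEADBadTagException if data was altered
}
```

On a device with a TEE or StrongBox, `isHardwareBacked` returns true and the key material is never present in app or OS memory; on a device with only the software Keystore it returns false, which is the case where the passphrase layer described further below adds the most value. `isExportable` returning false is the observable form of the "the app cannot read the key" property: the `SecretKey` object is only a handle.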
In addition, Threema for Android offers the option to set a passphrase. This acts as an additional layer of security: before data is transferred to the Keystore, it is encrypted using a key derived from the passphrase.
Access to the data thus requires two factors:
The key managed in the Keystore
The correct passphrase
This principle significantly increases security, particularly on devices without a hardware-based Keystore. On such devices, a strong passphrase can provide additional protection against attacks.
On devices with a dedicated security chip, however, the security benefit of a passphrase is lower, as the Keystore itself offers a level of protection that is higher than that of the passphrase.
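To show what the passphrase layer adds, the following Kotlin is an added example that is not Threema's code: it derives an AES key from the passphrase with PBKDF2-HMAC-SHA256 and a random salt, encrypts the data with it under AES-GCM, and returns salt || iv || ciphertext, which is the blob that would then be handed to the Keystore-backed cipher. The KDF, iteration count and layout are this example's own assumptions (the page does not state Threema's choices); the code runs on a plain JVM, and on Android the PBKDF2WithHmacSHA256 provider is available from API 26.

```kotlin
import java.security.SecureRandom
import javax.crypto.AEADBadTagException
import javax.crypto.Cipher
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.PBEKeySpec
import javax.crypto.spec.SecretKeySpec

// Parameters are this example's own choices, not Threema's.
private const val SALT_BYTES = 16
private const val IV_BYTES = 12
private const val TAG_BITS = 128
private const val PBKDF2_ITERATIONS = 600_000

/** Derives a 256-bit AES key from the passphrase; the salt makes the derivation unique per installation. */
fun deriveKey(passphrase: CharArray, salt: ByteArray): SecretKeySpec {
    val spec = PBEKeySpec(passphrase, salt, PBKDF2_ITERATIONS, 256)
    try {
        val bytes = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).encoded
        return SecretKeySpec(bytes, "AES")
    } finally {
        spec.clearPassword() // do not keep the passphrase in memory longer than needed
    }
}

/** Passphrase layer: output is salt || iv || ciphertext+tag, ready for the Keystore layer. */
fun sealWithPassphrase(passphrase: CharArray, plaintext: ByteArray): ByteArray {
    val rng = SecureRandom()
    val salt = ByteArray(SALT_BYTES).also(rng::nextBytes)
    val iv = ByteArray(IV_BYTES).also(rng::nextBytes)
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, deriveKey(passphrase, salt), GCMParameterSpec(TAG_BITS, iv))
    return salt + iv + cipher.doFinal(plaintext)
}

/** Returns null on a wrong passphrase or tampered data instead of exposing a partial plaintext. */
fun openWithPassphrase(passphrase: CharArray, sealed: ByteArray): ByteArray? {
    if (sealed.size < SALT_BYTES + IV_BYTES + TAG_BITS / 8) return null
    val salt = sealed.copyOfRange(0, SALT_BYTES)
    val iv = sealed.copyOfRange(SALT_BYTES, SALT_BYTES + IV_BYTES)
    val body = sealed.copyOfRange(SALT_BYTES + IV_BYTES, sealed.size)
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.DECRYPT_MODE, deriveKey(passphrase, salt), GCMParameterSpec(TAG_BITS, iv))
    return try {
        cipher.doFinal(body)
    } catch (e: AEADBadTagException) {
        null // wrong passphrase or modified ciphertext: GCM tag does not verify
    }
}

fun main() {
    // Constructed sample input for the demonstration.
    val secret = "message body (constructed sample)".toByteArray()
    val sealed = sealWithPassphrase("correct horse".toCharArray(), secret)
    check(openWithPassphrase("correct horse".toCharArray(), sealed).contentEquals(secret))
    check(openWithPassphrase("wrong".toCharArray(), sealed) == null)
    println("passphrase layer ok; ${sealed.size} bytes would now go to the Keystore-backed cipher")
}
```

Because the Keystore layer is applied on top of this output, an attacker who extracts the software-backed Keystore key still faces the passphrase-derived layer, and one who learns the passphrase still cannot decrypt without the Keystore operation; both factors from the list above are required. The iteration count is what makes guessing a weak passphrase slow, which is why the benefit is largest exactly where the text places it, on devices without a security chip.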
In summary, the combination of isolated app storage, consistent encryption, secure key management, and an optional passphrase creates a multi-layered protection concept that flexibly adapts to the security capabilities of the respective device.