The default implementation for KeyStore, the system in Android designed to store user credentials and cryptographic keys, is broken, researchers say. KeyStore allows Android apps to store and generate their own cryptographic keys. In a forgery attack, an attacker could exploit the weakness to reduce the length of symmetric keys protected by the system. The attack is based around tricking a victim into installing a malicious app on the device that can be granted read-write permission on the KeyStore directory. Researchers say it s the first cryptanalysis-based attack against KeyStore.
Source: https://threatpost.com/android-keystore-encryption-scheme-broken-researchers-say/119092/