fix(android): broaden StrongBox fallback and delete corrupted Keystore key on reset

grafele · claude · grafele · commit b72b98128e04 · 2026-02-27T13:56:16.000+01:00
- Catch any GeneralSecurityException when StrongBox is enabled, not just
  StrongBoxUnavailableException. Devices like Xiaomi Redmi Note 15 Pro+
  throw a plain GeneralSecurityException wrapping a RESET_FAILED error,
  which was not caught by the previous narrower check.
- When resetOnError triggers a storage reset, also delete the corrupted
  master key entry from the Android Keystore before retrying. This fixes
  Keystore2 migration corruption on devices like Galaxy S10e (Android 12).

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/flutter_secure_storage/android/src/main/java/com/it_nomads/fluttersecurestorage/FlutterSecureStorage.java b/flutter_secure_storage/android/src/main/java/com/it_nomads/fluttersecurestorage/FlutterSecureStorage.java
@@ -5,7 +5,6 @@
 import android.os.Build;
 import android.security.keystore.KeyGenParameterSpec;
 import android.security.keystore.KeyProperties;
-import android.security.keystore.StrongBoxUnavailableException;
 import android.util.Base64;
 import android.util.Log;
 
@@ -123,15 +122,9 @@ private SharedPreferences getEncryptedSharedPreferences(boolean deleteOnFailure,
             }
             return encryptedPreferences;
         } catch (GeneralSecurityException | IOException e) {
-            if (e instanceof GeneralSecurityException) {
-                Throwable cause = e.getCause();
-
-                if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
-                    if (cause instanceof StrongBoxUnavailableException && !isOnlyStrongBoxAllowed) {
-                        // Fallback to not using Strongbox
-                        return getEncryptedSharedPreferences(deleteOnFailure, options, context, sharedPreferencesName, false, isOnlyStrongBoxAllowed);
-                    }
-                }
+            if (e instanceof GeneralSecurityException && isStrongBoxBacked && !isOnlyStrongBoxAllowed) {
+                Log.w(TAG, "StrongBox-backed key generation failed, retrying without StrongBox", e);
+                return getEncryptedSharedPreferences(deleteOnFailure, options, context, sharedPreferencesName, false, isOnlyStrongBoxAllowed);
             }
 
             if (!deleteOnFailure) {
@@ -141,6 +134,14 @@ private SharedPreferences getEncryptedSharedPreferences(boolean deleteOnFailure,
             Log.w(TAG, "initialization failed, resetting storage", e);
 
             context.getSharedPreferences(sharedPreferencesName, Context.MODE_PRIVATE).edit().clear().apply();
+            // Also remove corrupted master key from Android Keystore
+            try {
+                java.security.KeyStore keyStore = java.security.KeyStore.getInstance("AndroidKeyStore");
+                keyStore.load(null);
+                keyStore.deleteEntry(MasterKey.DEFAULT_MASTER_KEY_ALIAS);
+            } catch (Exception ignored) {
+                Log.w(TAG, "Failed to delete master key from KeyStore", ignored);
+            }
 
             try {
                 return initializeEncryptedSharedPreferencesManager(context, sharedPreferencesName, isStrongBoxBacked);
