Reusing the same key across multiple users on a device

According to documentation, the guideline is as follows -

"Don’t reuse a key among multiple users on a device because this weakens security protections. In particular, it becomes hard to detect an attack that uses a single compromised device to serve multiple remote users running a compromised version of your app."

This can be addressed if we keep a tally of how many users have used the same key pair? If we see a single key pair in use across say 500 users, it's clearly an instance of compromised device.

Are there other security reasons why binding a key to device + user is the recommended practice?

Up vote post of siddharthc Down vote post of siddharthc
1.1k views
Posted by
siddharthc
Reply
Add a Comment

Replies

You can probably generate a symmetric key remotely based on specific user data, store it in the keychain and if the key has been tampered with don't serve anymore data.

Posted by
MobileTen
Up vote reply of MobileTen Down vote reply of MobileTen

  • Sorry I don't follow your answer. Can you please elaborate? My question is related to security rationale behind the recommendation.

    siddharthc
Add a Comment