Use StrongBox on API 28+ if available.

briar-android/src/main/java/org/briarproject/briar/android/AndroidKeyStoreConfig.java

@@ -6,21 +6,37 @@ import org.briarproject.bramble.api.crypto.KeyStoreConfig;
 import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
 
 import java.security.spec.AlgorithmParameterSpec;
+import java.util.List;
 
 import androidx.annotation.RequiresApi;
 
+import static android.os.Build.VERSION.SDK_INT;
 import static android.security.keystore.KeyProperties.PURPOSE_SIGN;
+import static java.util.Arrays.asList;
+import static java.util.Collections.singletonList;
 
 @RequiresApi(23)
 @NotNullByDefault
 class AndroidKeyStoreConfig implements KeyStoreConfig {
 
-	private final KeyGenParameterSpec spec;
+	private final List<AlgorithmParameterSpec> specs;
 
 	AndroidKeyStoreConfig() {
-		spec = new KeyGenParameterSpec.Builder("db", PURPOSE_SIGN)
-				.setKeySize(256)
-				.build();
+		KeyGenParameterSpec noStrongBox =
+				new KeyGenParameterSpec.Builder("db", PURPOSE_SIGN)
+						.setKeySize(256)
+						.build();
+		if (SDK_INT >= 28) {
+			// Prefer StrongBox if available
+			KeyGenParameterSpec strongBox =
+					new KeyGenParameterSpec.Builder("db", PURPOSE_SIGN)
+							.setIsStrongBoxBacked(true)
+							.setKeySize(256)
+							.build();
+			specs = asList(strongBox, noStrongBox);
+		} else {
+			specs = singletonList(noStrongBox);
+		}
 	}
 
 	@Override
@@ -44,7 +60,7 @@ class AndroidKeyStoreConfig implements KeyStoreConfig {
 	}
 
 	@Override
-	public AlgorithmParameterSpec getParameterSpec() {
-		return spec;
+	public List<AlgorithmParameterSpec> getParameterSpecs() {
+		return specs;
 	}
 }