
What is the advantage of MasterKeys.getOrCreate() when using EncryptedSharedPreferences?

Why Use MasterKeys.getOrCreate() Instead of a Hardcoded Alias for EncryptedSharedPreferences?

Great question! It’s totally reasonable to wonder why you should bother with MasterKeys.getOrCreate() when a hardcoded string like "test_key" seems to work just fine and still encrypts your SharedPreferences. Let’s break down the key advantages of using the Jetpack Security-provided method:

  • Guarantees Secure, Spec-Compliant Key Generation
    When you call MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC), you’re explicitly telling the system to generate a key that follows a well-defined, industry-standard secure specification—in this case, AES-256 GCM, a strong encryption algorithm. If you just use a hardcoded alias, the Keystore will auto-create a key, but you have no control over its parameters: it might use a weaker algorithm, shorter key length, or insecure settings that don’t align with modern security best practices.

  • Seamless Integration with Android Keystore’s Management Features
    The MasterKeys class is built to work hand-in-hand with Android’s Keystore system. It handles key lifecycle details like secure storage, access controls (e.g., requiring biometric auth if you configure it), and compatibility with system-level key backup/migration. When you use a hardcoded alias, you miss out on these built-in safeguards—you’re leaving key management to the system’s default behavior, which might not fit your app’s security needs.

  • Reduces Misconfiguration Risks
    Using MasterKeys.getOrCreate() makes your code self-documenting: any developer reading your code can immediately see the exact encryption spec you’re using for the master key. With a hardcoded alias, the auto-created key’s configuration is opaque—you won’t know its algorithm, block mode, or padding unless you explicitly inspect the Keystore. This makes debugging, updating your encryption setup, or auditing security much harder down the line.

  • Ensures Consistency Across Android Versions & Devices
    Android’s Keystore behavior has evolved over versions, and default key creation settings can vary between device manufacturers. MasterKeys.getOrCreate() abstracts these differences, ensuring your master key is generated consistently according to Jetpack Security’s recommended standards, no matter which Android version or device your app runs on. A hardcoded alias relies on system defaults, which could lead to unexpected encryption/decryption failures on some devices.

To clarify why the hardcoded alias works at all: Android Keystore automatically creates a key with default settings when you reference an alias that doesn’t exist. While this seems convenient, it’s a "black box" approach that sacrifices control and security for simplicity.

The question comes from Stack Exchange; it was asked by serek8.
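
An added example, not part of the original answer: it obtains the master key alias with MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC), reads the key's actual parameters back from the Android Keystore through KeyInfo, and only then opens the encrypted preferences. The helper names and the file name "secure_prefs" are assumptions made for illustration; it assumes API 23+ and the androidx.security.crypto library.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import android.security.keystore.KeyInfo
import android.security.keystore.KeyProperties
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKeys
import java.security.KeyStore
import javax.crypto.SecretKey
import javax.crypto.SecretKeyFactory

// Hypothetical helper: read back the parameters of the Keystore key under `alias`.
// Returns null when no secret key exists under that alias.
fun describeKeystoreKey(alias: String): KeyInfo? {
    val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    val key = keyStore.getKey(alias, null) as? SecretKey ?: return null
    val factory = SecretKeyFactory.getInstance(key.algorithm, "AndroidKeyStore")
    return factory.getKeySpec(key, KeyInfo::class.java) as KeyInfo
}

// Hypothetical check: does the key match what MasterKeys.AES256_GCM_SPEC requests
// (256-bit key, GCM block mode, no padding)?
fun matchesAes256Gcm(info: KeyInfo): Boolean =
    info.keySize == 256 &&
        KeyProperties.BLOCK_MODE_GCM in info.blockModes &&
        KeyProperties.ENCRYPTION_PADDING_NONE in info.encryptionPaddings

// Hypothetical entry point: fail closed if the master key is not what we expect.
fun openSecurePrefs(context: Context): SharedPreferences {
    // The spec is stated in code, so a reviewer can see what the master key must be.
    val alias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC)

    val info = describeKeystoreKey(alias)
    check(info != null && matchesAes256Gcm(info)) {
        "Master key '$alias' has unexpected parameters"
    }

    return EncryptedSharedPreferences.create(
        "secure_prefs", // assumed file name
        alias,
        context,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )
}
```

Passing a hardcoded alias such as "test_key" to describeKeystoreKey() after the preferences file has been created shows which key size, block modes and paddings were actually provisioned under it, which is the inspection step the answer refers to.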
