With keys generated inside the Android's internal keystore.   Android ensures only Spring can access those keys, decryption is performed inside the keystore.  

 That sounds great. Thank you.