With keys generated inside the Android's internal keystore.   Android ensures only Spring can access those keys, decryption is performed inside the keystore.