Mirrors
/
open-keychain
mirror of https://github.com/open-keychain/open-keychain.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Updated App Security (markdown)

dschuermann 2014-12-05 04:43:36 -08:00
parent d8c5abc8a4
commit 17c577bc60
1 changed files with 11 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
App-Security.md

@ -35,45 +35,18 @@ TODO, also: https://github.com/open-keychain/open-keychain/issues/894
### Attacking passphrase cache with root access
Based on https://fluidnexus.net/blog/post/6
A testkey has been created with the passphrase `zeitgeist`
1. Start OpenKeychain
2. Sign something, caching the passphrase
3. Open a shell and execute these commands:
```bash
someuser@somehost platform-tools> ./adb shell
$ su
$ chmod 777 /data/misc
$ ps
USER PID PPID VSIZE RSS WCHAN PC NAME
[...snip...]
app_110 17973 2381 217088 24612 ffffffff afd0ee48 S org.sufficientlysecure.keychain
shell 18061 2390 648 336 c031b39c afd0eafc S /system/bin/sh
root 18062 18061 648 336 c031b39c afd0eafc S sh
app_107 18064 2381 209388 15956 ffffffff afd0ee48 S com.noshufou.android.su
root 18071 18062 796 336 00000000 afd0dbbc R ps
$ kill -10 17973
$ ls /data/misc
bluetoothd
bluetooth
keystore
vpn
systemkeys
radio
wifi
dhcp
heap-dump-tm1313820900-pid16096.hprof
heap-dump-tm1313854763-pid17973.hprof
$ cp /data/misc/heap-dump-tm1313854763-pid17973.hprof /sdcard/
someuser@somehost platform-tools> ./adb pull /sdcard/heap-dump-tm1313854763-pid17973.hprof .
2666 KB/s (4361160 bytes in 1.597s)
someuser@somehost platform-tools> ../tools/hprof-conv heap-dump-tm1313854763-pid17973.hprof apg.hprof
someuser@somehost platform-tools> jhat apg.hprof
```
4. Open a browser with ``http://localhost:7000`` and find ``CachedPassphrase`` class, see [PassphraseCacheService.java#L517](https://github.com/open-keychain/open-keychain/blob/development/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/PassphraseCacheService.java#L517)
1. start Android Device Monitor
2. 'Dump HPROF file' of `org.sufficientlysecure.keychain:passphrase_cache`
3. execute:
```
hprof-conv org.sufficientlysecure.keychain:passphrase_cache.hprof passphrase_cache.hprof
jhat passphrase_cache.hprof
```
1. open `http://localhost:7000`
2. search for **org.sufficientlysecure.keychain.service.PassphraseCacheService$CachedPassphrase**, see [PassphraseCacheService.java#L517](https://github.com/open-keychain/open-keychain/blob/development/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/PassphraseCacheService.java#L517)
3. any of the references under `References to this object:` will have the passphrase as instance data member
### API Security
See [[API wiki page|API-Design]]