diff --git a/App-Security.md b/App-Security.md index ad2f52f..75ab193 100644 --- a/App-Security.md +++ b/App-Security.md 
@@ -35,45 +35,18 @@ TODO, also: https://github.com/open-keychain/open-keychain/issues/894 ### Attacking passphrase cache with root access -Based on https://fluidnexus.net/blog/post/6 +A testkey has been created with the passphrase `zeitgeist` -1. Start OpenKeychain - -2. Sign something, caching the passphrase - -3. Open a shell and execute these commands: - ```bash -someuser@somehost platform-tools> ./adb shell -$ su -$ chmod 777 /data/misc -$ ps -USER PID PPID VSIZE RSS WCHAN PC NAME -[...snip...] -app_110 17973 2381 217088 24612 ffffffff afd0ee48 S org.sufficientlysecure.keychain -shell 18061 2390 648 336 c031b39c afd0eafc S /system/bin/sh -root 18062 18061 648 336 c031b39c afd0eafc S sh -app_107 18064 2381 209388 15956 ffffffff afd0ee48 S com.noshufou.android.su -root 18071 18062 796 336 00000000 afd0dbbc R ps -$ kill -10 17973 -$ ls /data/misc -bluetoothd -bluetooth -keystore -vpn -systemkeys -radio -wifi -dhcp -heap-dump-tm1313820900-pid16096.hprof -heap-dump-tm1313854763-pid17973.hprof -$ cp /data/misc/heap-dump-tm1313854763-pid17973.hprof /sdcard/ -someuser@somehost platform-tools> ./adb pull /sdcard/heap-dump-tm1313854763-pid17973.hprof . -2666 KB/s (4361160 bytes in 1.597s) -someuser@somehost platform-tools> ../tools/hprof-conv heap-dump-tm1313854763-pid17973.hprof apg.hprof -someuser@somehost platform-tools> jhat apg.hprof - ``` - -4. Open a browser with ``http://localhost:7000`` and find ``CachedPassphrase`` class, see [PassphraseCacheService.java#L517](https://github.com/open-keychain/open-keychain/blob/development/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/PassphraseCacheService.java#L517) +1. start Android Device Monitor +2. 'Dump HPROF file' of `org.sufficientlysecure.keychain:passphrase_cache` +3. execute: +``` +hprof-conv org.sufficientlysecure.keychain:passphrase_cache.hprof passphrase_cache.hprof +jhat passphrase_cache.hprof +``` +1. open `http://localhost:7000` +2. 
search for **org.sufficientlysecure.keychain.service.PassphraseCacheService$CachedPassphrase**, see [PassphraseCacheService.java#L517](https://github.com/open-keychain/open-keychain/blob/development/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/PassphraseCacheService.java#L517) +3. any of the references under `References to this object:` will have the passphrase as instance data member ### API Security See [[API wiki page|API-Design]]
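Review bot: the numbered list in the replacement text restarts at `1.` after the `hprof-conv`/`jhat` code block (`1. open http://localhost:7000`, `2. search for ...`, `3. any of the references ...`), so Markdown renders the procedure as two separate lists and the steps read 1, 2, 3, 1, 2, 3; continue the numbering as `4.`, `5.`, `6.` instead. Two smaller points on the same hunk: the heading `### Attacking passphrase cache with root access` is kept, but the new steps replace the `su` + `kill -10` heap-dump route with Android Device Monitor's 'Dump HPROF file', and the hunk does not say what that route requires (on which builds or devices the `org.sufficientlysecure.keychain:passphrase_cache` process can be dumped this way), so either state that prerequisite or adjust the heading; and the removed `Based on https://fluidnexus.net/blog/post/6` line was the attribution for the technique, so consider keeping it. The new code fence also dropped the ` ```bash ` language tag the old block had.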