diff --git a/App-Security.md b/App-Security.md index d52e9eb..ec1291a 100644 --- a/App-Security.md +++ b/App-Security.md @@ -27,13 +27,13 @@ From ``./lint --show AllowBackup``: * In OpenKeychain, go to the main key list -> Overflow menu -> "Export all keys" -> check "Also export secret keys". ### Passphrase Cache -* Using [Passphrase class](https://github.com/open-keychain/open-keychain/blob/development/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/Passphrase.java) to cache passphrases and clear them after timeout from memory +Uses [Passphrase class](https://github.com/open-keychain/open-keychain/blob/development/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/Passphrase.java) to cache passphrases and clear them after timeout from memory #### Attack scenarios Assumption: Attacker somehow can access the device physically. * Cold boot attacks allow attackers to read the entire memory, including the contents of a String that has been deallocated, as long as that memory as not been allocated again. -* Read deallocated memory using a heartbleed attack as well. +* Read deallocated memory using a heartbleed attack #### Why Passphrase class instead of String? * By removing the ``char[]`` explicitly after usage the time window the passphrase is available in memory is shortened. Strings are available in memory even after deallocation. This is not true for the Passphrase class when used properly (``char[]`` is zeroed out with ``removeFromMemory()``).