Mirrors
/
open-keychain
mirror of https://github.com/open-keychain/open-keychain.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Updated App Security (markdown)

Dominik Schürmann 2015-03-17 02:08:24 +01:00
parent c9f11f261a
commit 600db8cb64
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
App-Security.md

@ -56,6 +56,14 @@ Protects against: Attacker taking a misplaced smartphone, were the passphrase is
Does not protect against: memory dumps Does not protect against: memory dumps
#### Why not char[] instead of String?
* Passphrase is already a CharSequence when retrieved from EditText, thus it is already in memory as something different than char[] (String extends CharSequence)
* No convincing attack scenario (see argument below)
> Some people believe that you have to overwrite the memory used to store the password once you no longer > need it. This reduces the time window an attacker has to read the password from your system and > completely ignores the fact that the attacker already needs enough access to hijack the JVM memory to do > this. An attacker with that much access can catch your key events making this completely useless (AFAIK, so please correct me if I am wrong).
(from http://stackoverflow.com/a/8881461)
### Links ### Links
* http://blog.sei.cmu.edu/post.cfm/secure-coding-for-the-android-platform * http://blog.sei.cmu.edu/post.cfm/secure-coding-for-the-android-platform
* https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=111509535 * https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=111509535