Updated App Security (markdown)

Dominik Schürmann 2015-03-17 02:10:55 +01:00
parent 35a7ae6495
commit 661a12a3f7
1 changed files with 2 additions and 1 deletions

@ -58,11 +58,12 @@ Does not protect against: memory dumps
#### Why not char[] instead of String?
* Passphrase is already a ``CharSequence`` when retrieved from ``EditText``, thus it is already in memory as something different than ``char[]`` (String extends ``CharSequence``)
* Passphrase is already a ``CharSequence`` when retrieved from ``EditText``, thus it is already in memory as something different than ``char[]`` (``String extends CharSequence``)
* Complicates the implementation (pass ``byte[]`` in ``Parcelables`` instead of ``Strings``?)
* No convincing attack scenario (see argument below)
> Some people believe that you have to overwrite the memory used to store the password once you no longer > need it. This reduces the time window an attacker has to read the password from your system and > completely ignores the fact that the attacker already needs enough access to hijack the JVM memory to do > this. An attacker with that much access can catch your key events making this completely useless (AFAIK, so please correct me if I am wrong).
(from http://stackoverflow.com/a/8881461)
### Links