diff --git a/App-Security.md b/App-Security.md index c0b5f7e..861a5f3 100644 --- a/App-Security.md +++ b/App-Security.md 
@@ -11,15 +11,15 @@ From ``./lint --show AllowBackup``: * Due to ``android:allowBackup="false"``, apps such as [Helium](https://play.google.com/store/apps/details?id=com.koushikdutta.backup) will **not** work * We explicitly do **not** implement a [Backup Agent](http://developer.android.com/guide/topics/data/backup.html), so no keys are transferred to Google's cloud. * All keys (secret and public) are stored inside the app's sqlite database. It resides in ``/data/data/org.sufficientlysecure.keychain/databases/openkeychain.db`` -* Like every app on Android OS, OpenKeychain is [sandboxed to prevent other apps from accessing OpenKeychain's data](https://source.android.com/devices/tech/security/#the-application-sandbox). To emphasize this again: This means that other apps **cannot** access the private keys of OpenKeychain under Android's security model. -* There is only one way to get around this: If you install apps that you allow root access or apps that exploit bugs in the Android distribution on your device to do privilege escalation attacks. +* Like every app on Android OS, OpenKeychain is [sandboxed to prevent other apps from accessing OpenKeychain's data](https://source.android.com/devices/tech/security/#the-application-sandbox). To emphasize this again: This means that other apps **cannot** access the secret keys of OpenKeychain under Android's security model. +* There is only one way to get around this: If you install apps that you allow root access or apps that exploit bugs in the Android distribution on your device to do privilege escalation attacks. Even then, apps can only retrieve the secret keys containing the private values in an encrypted format. This would require reading the memory of OpenKeychain while a key is unlocked. ### Why is OpenKeychain's database not encrypted? * Public keys are public, why encrypt them? * The private parts of the secret keys are [already encrypted using a passphrase](http://tools.ietf.org/html/rfc4880#section-5.5.3). 
They are only decrypted/"unlocked" in-memory in OpenKeychain when used. * We could use [SQLCipher](https://guardianproject.info/code/sqlcipher/), but I am unsure what attack scenarios this would prevent: * Other apps already cannot access Openkeychain's data, this is enforced by Android's sandboxing - * If a malicious app executes an exploit and gains root access, it could also get the secret keys by reading OpenKeychain's memory + * If a malicious app executes an exploit and gains root access, it could also get the secret keys by reading OpenKeychain's memory or easier * We would require another password for unlocking the SQLCipher database, so more inconvenience
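Review bot: the added "or easier" at the end of the SQLCipher bullet leaves the sentence dangling ("...by reading OpenKeychain's memory or easier") with no object; either finish it (for example "or, easier, by capturing the passphrase when the user enters it") or drop the two words. In the same hunk, the new sentence "Even then, apps can only retrieve the secret keys containing the private values in an encrypted format" is immediately contradicted by the sentence that follows it, which concedes that the plaintext values can be read from memory while a key is unlocked; "only" should go, and the two sentences read more consistently as one: "Even then, reading the database yields only the passphrase-encrypted secret keys; obtaining the plaintext private values requires reading OpenKeychain's memory while a key is unlocked." Consider also qualifying "already encrypted using a passphrase" in the next section, since the linked RFC 4880 section 5.5.3 stores the secret key material unencrypted when no passphrase (string-to-key usage octet zero) is set.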