Mirrors
/
open-keychain
mirror of https://github.com/open-keychain/open-keychain.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Updated App Security (markdown)

dschuermann 2014-10-22 02:15:55 -07:00
parent 03bfc529f9
commit 8a060f7356
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
App-Security.md

@ -22,6 +22,7 @@ From ``./lint --show AllowBackup``:
* If a malicious app executes an exploit and gains root access, again: It can access the stored but encrypted secret keys, getting the private values requires reading the memory, this attack is not prevented by encrypting the database "again" on top of the encrypted private values.
* We would require another password for unlocking the SQLCipher database, so more inconvenience
* The only argument, I can think of is protecting against root apps dumping the database and then gaining access to all public keys and thus a nice social graph, but hey, there are easier ways to get that information, maybe simply dumping the address database ;)
* SQLCipher makes sense for apps such as TextSecure or Threema to protect the **decrypted** messages, but OpenKeychain does not store anything besides keys.
### So how to backup/synchronize keys?