Mirrors
/
open-keychain
mirror of https://github.com/open-keychain/open-keychain.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Updated App Security (markdown)

Dominik Schürmann 2015-03-17 02:09:12 +01:00
parent 600db8cb64
commit d5626f2bdb
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
App-Security.md

@ -59,6 +59,7 @@ Does not protect against: memory dumps
#### Why not char[] instead of String?
* Passphrase is already a CharSequence when retrieved from EditText, thus it is already in memory as something different than char[] (String extends CharSequence)
* Complicates the implementation (pass byte[] in Parcelables instead of Strings?)
* No convincing attack scenario (see argument below)
> Some people believe that you have to overwrite the memory used to store the password once you no longer > need it. This reduces the time window an attacker has to read the password from your system and > completely ignores the fact that the attacker already needs enough access to hijack the JVM memory to do > this. An attacker with that much access can catch your key events making this completely useless (AFAIK, so please correct me if I am wrong).