Updated App Security (markdown)

dschuermann 2014-10-22 02:10:02 -07:00
parent 8aea50b39c
commit d6ff4e3b46
1 changed files with 1 additions and 0 deletions

@ -21,6 +21,7 @@ From ``./lint --show AllowBackup``:
* Other apps already cannot access Openkeychain's stored data, this is enforced by Android's sandboxing * Other apps already cannot access Openkeychain's stored data, this is enforced by Android's sandboxing
* If a malicious app executes an exploit and gains root access, again: It can access the stored but encrypted secret keys, getting the private values requires reading the memory, this attack is not prevented by encrypting the database "again" on top of the encrypted private values. * If a malicious app executes an exploit and gains root access, again: It can access the stored but encrypted secret keys, getting the private values requires reading the memory, this attack is not prevented by encrypting the database "again" on top of the encrypted private values.
* We would require another password for unlocking the SQLCipher database, so more inconvenience * We would require another password for unlocking the SQLCipher database, so more inconvenience
* The only argument, I can think of is protecting against root apps dumping the database and then gaining access to all public keys and thus a nice social graph, but hey, there are easier ways to get that information, maybe simply dumping the address database ;)
### So how to backup/synchronize keys? ### So how to backup/synchronize keys?
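Review bot: The bullet added at the end of this list is the one argument in favour of encrypting the database, but it sits in a list of arguments against doing so and is waved off with "there are easier ways to get that information" and a smiley, so a reader cannot tell whether the exposure is accepted or just not considered. Suggest rewording it as an explicitly accepted risk: an app with root that dumps the database learns every stored public key and the social graph they imply, and this is accepted because the same attacker could dump the address database. Also drop the comma in "The only argument, I can think of is".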