Updated App Security (markdown)

dschuermann 2014-10-09 07:02:33 -07:00
parent 757932038e
commit fd85eaf70e
1 changed files with 2 additions and 2 deletions

@ -12,11 +12,11 @@ From ``./lint --show AllowBackup``:
* We explicitly do **not** implement a [Backup Agent](http://developer.android.com/guide/topics/data/backup.html), so no keys are transferred to Google's cloud.
* All keys (secret and public) are stored inside the app's sqlite database. It resides in ``/data/data/org.sufficientlysecure.keychain/databases/openkeychain.db``
* Like every app on Android OS, OpenKeychain is [sandboxed to prevent other apps from accessing OpenKeychain's data](https://source.android.com/devices/tech/security/#the-application-sandbox). To emphasize this again: This means that other apps **cannot** access the secret keys of OpenKeychain under Android's security model.
* There is only one way to get around this: If you install apps that you allow root access or apps that exploit bugs in the Android distribution on your device to do privilege escalation attacks. Even then, apps can only retrieve the secret keys containing the private values in an encrypted format. This would require reading the memory of OpenKeychain while a key is unlocked.
* There is only one way to get around this: If you install apps that you allow root access or apps that exploit bugs in the Android distribution on your device to do privilege escalation attacks. Even then, apps can only retrieve the secret keys containing the private values in an [encrypted format](http://tools.ietf.org/html/rfc4880#section-5.5.3). Thus, getting the private values requires reading the memory of OpenKeychain while a key is unlocked.
### Why is OpenKeychain's database not encrypted?
* Public keys are public, why encrypt them?
* The private parts of the secret keys are [already encrypted using a passphrase](http://tools.ietf.org/html/rfc4880#section-5.5.3). They are only decrypted/"unlocked" in-memory in OpenKeychain when used.
* Secret keys contains private values in encrypted format, see above
* We could use [SQLCipher](https://guardianproject.info/code/sqlcipher/), but I am unsure what attack scenarios this would prevent:
* Other apps already cannot access Openkeychain's data, this is enforced by Android's sandboxing
* If a malicious app executes an exploit and gains root access, it could also get the secret keys by reading OpenKeychain's memory or easier
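Review bot: the added line's claim that a privileged attacker can only ever retrieve the secret keys "in an encrypted format" (the new sentence citing RFC 4880 section 5.5.3) holds only for keys protected by a passphrase; that same section defines string-to-key usage octet 0, under which the secret-key packet's private values are stored unencrypted, so a key generated or imported without a passphrase sits in openkeychain.db in the clear and needs no memory reading at all. Suggest qualifying it, e.g. "containing the private values in an [encrypted format](...), provided the key is protected by a passphrase", and the same caveat applies to the unchanged "already encrypted using a passphrase" bullet below the heading. Minor wording: "apps that you allow root access" reads better as "apps that you grant root access".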