Hi there,
we are brainstorming at the signal forum how we can implement password encryption for the db. Signal at the moment stores data in sqlcipher and the key is stored in the keystore or in plaintext depending on the Android version. We want to encrypt this key with a user password. To ever get a chance to upstream such a change we need to prove that it is possible to zero out the password with JVM. Since it gets copied a lot in ram, moxie is concerned it want get collected in time. Feel free to help us with a concept how to accomplish this. At stack I found some info that instead of string you can use char[].
https:// community.signalusers.org/t/signal-with-password-encryption-poc/6159
Related
RemoteData (code name, alpha)
Description:
Program to encrypt and locally store data retrieved over http. You define url source, get data, input password and text data is stored locally.
Algorithms used: Rijndael(256bit key), SHA256. No password is stored (only strong hash), no recovery option available. Encrypted file is only valid on device that saved it. Data is completely secured.
Purpose:
Store your personal data on server (in.e. yours), update it on demand, store safely.
Installation:
Just run cab file. Program doesn't use registry and temp. It just creates two files in it's own directory. One with password hash (just for initial verification) and one with encrypted data. If the first is accidently deleted, it can be restored (if you know your password), but the second one is still safe.
Usage:
Run application; set your password; add source (url and name); refresh source. On exit, program will crypt and save data. On next run, just type password and your data is there (no need of net connection).
Notes:
I need opinions and proposals, in.e. useful enchancements. Tested on WM6/Schaps 3.6/Hermes and emulator.
Technically, data is stored in xml file in base64 format, but only item names are not encrypted (so if you loose you password/something breaks, you know what you've had).
Rijndael has the largest key space of the portable symetric algorithms. To put the size of the key space into perspective, if there was a machine fast enough that could brute force a DES key in one second, it would take 149 trillion years to brute force a 128 bit key for the Rijndael algorithm.
Please note: the longer and more complicated password you provide, the better.
Requirements: CF2
Needs: I need a nice icon and testing. This is one of my first apps for mobile platform
I'm trying to scan the entire memory of the device for a given byte value. I use Marshall.ReadByte to read a byte at a given address and compare it with another byte variable to perform the search. The problem is that when I try scanning the app usually just crashes without even showing an error and Visual Studio says the connection to the device has been lost. It works ok only for a small number of memory addresses, but if I want for example to read a byte at address, say, FF, it will crash... It crashes on the emulator as well. I can't figure out how to do it. Maybe it's a security problem? I've lowered my device security from 1-Tier to no security with no success. Any help will be very appreciated
PS. In case you are wondering why I need that - I'm trying to get the Cell ID on a KS20. I tried all methods possible with no success (RIL_CellTowerInfo, RIL_DevSpecific, even connecting with the modem through the COM port). I know there's an app called GSMCelluloz which can perform such a memory search, but it requires a valid CellID and LAC and I have only the LAC code, so I have to write my own app.
Hi,
does anyone knows what is the most secure way to store sensitive information in application? Because using internal storage and shared preferences is vulnerable if person who want that information have a rooted phone.
Case is that I have some kind of activation code which needs to be stored somewhere inside the phone (not on server) for further communication and authentication with server side, that code needs to be secured and not available to other apps and users, even on a rooted phone. Also, user can not be bothered with additional verification (he enters the PIN code when he enters the application and send that code to the server side for authentication) .
Bottom line, is there a secure way to store something and to be secure that it will remain hidden, even on a rooted phone?
To be honest, i'm not sure it is completely possible to hide it from rooted users. The only thing I could think was to use a hardware ID and base64 encrypt your activation code while salting it with a hardware ID. Then have your app decrypt and send the activation code to the server when it needs it. It will still be able to be found but the code will be encrypted and someone would need to know what the salt is to be able to decrypt it which would take decompiling your app.
I am a little upset with the built in Note 4 encryption. I encrypted my phone with a password because I would like it to be secure, however, when I change my phone password it changed the encryption password to the same thing. This is troubling to me because this tells me that my phone is not necessarily encrypted using the original password I gave it as the unique encryption and decryption key. Could somebody explain to me how the Note 4's encryption works? I just can't believe it is very secure if the so the call encryption key is the exact same as the phone password which can just be scraped from the RAM.
Sorry to bring this old thread back up.
Regarding scraping from RAM, AFAIK there is currently no known way to use disk encryption on android or elsewhere without having the key stored in ram. I recently read about some proofs of concept and other ideas regarding possible different storage locations such as dedicated hardware, but I do not believe any commercial applications use this.
Regarding the key being linked to the password - this is a somewhat different issue from the one above. Usually the drive is encrypted with a master key that is randomly generated and consists of a certain fixed length. That key is then encrypted using your "user password". Therefore, when you change password, you (among other things) decrypt the master key and reencrypt it but with a new password. That was the key is not directly ties to the password.
On axon 7 someone asked me and I don't know the answer, is vpn necessary or is encryption enough when you are in the internet. Thanks in advance
VPN allows you to have a public IP address and appear anywhere in the world, good for streaming other countries region specific material or ordering things by appearing to be elsewhere. VPN is a good idea as it doesn't give out your IP address however I'm extremely confident that if someone really wants your data this won't be that much of a deterrent. Still, better to have and not need it than to need it and not have it...
Encrypting the device is, on the Axon 7 , a default thing. You can't de-crypt it as it is done in the default set up. This is why you need to wipe everything when you root your device, we don't have the passcode. It is probably randomly generated...