DJALILBrahim / openintents

Automatically exported from code.google.com/p/openintents

Improve security #268

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Hello,

I'm using OI Safe, and I like it very much. I have taken a look at the
source code, and I found some security problems. Only small ones, because I
guess, based on the Android OS, it is not so easy to read the memory of
another application. But if someone has root access to the phone, it should
be possible.

1) Don't use the MD5 hashing algorithm. This algorithm is insecure, because
of existing collision attacks. The SHA algorithm is much more secure (SHA-2
or higher).
2) Don't store the passwords in String objects. Every time you copy the
password to another variable or give it to another method, a new String
object is opened and the old one is in memory (until the garbage
collector runs). In case of reading the memory of OI Safe, the password can
be read. It is more secure to do the following:

char[] cryptedPassword = ...;

char[] uncryptedPassword = uncrypted....;
// use the password; after using it, overwrite the char[] array
for (int i = 0; i < uncryptedPassword.length; i++) {
    uncryptedPassword[i] = 'c';
}
uncryptedPassword = null; // release it for garbage collection

In this case, the "clear" password is only readable in memory for a short
time. This is also not really secure, but in some cases, you need the clear
password of course.

Original issue reported on code.google.com by zink.joc...@googlemail.com on 5 May 2010 at 7:42
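
Points 1 and 2 of the report above, combined in an added Java example that is not OI Safe's code: a SHA-256 digest is computed straight from a `char[]` password, and every plaintext copy, including the encoded byte buffer, is overwritten afterwards. The class and method names are hypothetical, the sample passwords are constructed, and how OI Safe itself uses MD5 is not shown on this page.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public class PasswordDigestDemo {

    // Hypothetical helper: SHA-256 over a char[] password without building a String.
    static byte[] sha256(char[] password) throws NoSuchAlgorithmException {
        // encode() allocates its own buffer, so this is a second plaintext copy
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(encoded); // consumes the buffer's remaining bytes
            return md.digest();
        } finally {
            // wipe the encoded copy as well as the caller's char[]
            if (encoded.hasArray()) {
                Arrays.fill(encoded.array(), (byte) 0);
            }
        }
    }

    // Checks an attempt against a stored digest, then clears the attempt.
    static boolean verify(char[] attempt, byte[] storedDigest) throws NoSuchAlgorithmException {
        try {
            // compare raw digest bytes; no hex or Base64 String is created
            return MessageDigest.isEqual(sha256(attempt), storedDigest);
        } finally {
            Arrays.fill(attempt, '\0'); // the caller's array is zeroed after use
        }
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample values, written as char literals so no String holds them
        char[] master = {'s', '3', 'c', 'r', 'e', 't'};
        byte[] stored = sha256(master);
        Arrays.fill(master, '\0');

        char[] good = {'s', '3', 'c', 'r', 'e', 't'};
        char[] bad = {'s', '3', 'c', 'r', 'e', 'T'};
        System.out.println("good attempt accepted: " + verify(good, stored));
        System.out.println("bad attempt accepted:  " + verify(bad, stored));
        System.out.println("attempt wiped:         " + (good[0] == '\0'));
    }
}
```

Zeroing only shortens the time the plaintext stays on the heap; copies held elsewhere, for example by the input widget, are not touched by this code.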

GoogleCodeExporter commented 9 years ago
Thanks for pointing out these issues.

The choice for MD5 over SHA was mainly motivated by speed vs security tradeoff -
especially on the original Android devices (MD5 is twice as fast, which is
noticeable if the list contains many passwords). With the faster generation of
Android devices, we should probably offer an option for the slower but more
secure SHA algorithms.

If you have the possibility to contribute a patch regarding your first or second
issue, we would highly appreciate that.

Original comment by peli0...@googlemail.com on 5 May 2010 at 8:21

GoogleCodeExporter commented 9 years ago
Well, it's an old issue, but as it is still open, I think it's still something
we can comment on.

Maybe not just use MD5 and/or SHA but use something like jBCrypt; it is a Java
implementation of Blowfish and it is free to use
(http://mindrot.org/files/jBCrypt/LICENSE).

While researching "how to store user passwords in a secure way" for some
web services I'm working on, I found that this should be the safest way. :)

http://mindrot.org/projects/jBCrypt/

Original comment by kujans...@gmail.com on 20 Apr 2012 at 7:02