implement android keystore to prevent unwarranted access to private key

harlo / CameraV

CameraV: InformaCam Default Android App

https://dev.guardianproject.info/projects/informacam/wiki/Overview

GNU General Public License v3.0

2 stars 0 forks source link

implement android keystore to prevent unwarranted access to private key #3

Open harlo opened 9 years ago

harlo commented 9 years ago

While access to the internal data is protected on non-rooted devices, a rooted device could potentially access the contents of the iocipher storage and abuse the private key.

Proposed fixes:

use android keystore to further protect access to private key's credentials, that way it can only be accessed in-app.

harlo commented 9 years ago

not 100% sure this solution is a fool-proof as I thought. Rooted devices can still access Android Keystore in the same way. But it's good that the PGP auth token is never stored in-the-clear.

harlo commented 9 years ago

also, this should be backwards-compatible; don't want to nuke anyone's old credentials.