Open harlo opened 9 years ago
Not 100% sure this solution is as fool-proof as I thought. Rooted devices can still access Android Keystore in the same way. But it's good that the PGP auth token is never stored in the clear.
Also, this should be backwards-compatible; don't want to nuke anyone's old credentials.
While access to the internal data is protected on non-rooted devices, a rooted device could potentially access the contents of the iocipher storage and abuse the private key.
Proposed fixes: