Open oscarb opened 8 years ago
As was mentioned in #4, I'm not sure that deleting (I assume that's the meaning of clearing) codes would not violate security.
For clarification, clearing codes would in this scenario be equal to deleting or removing codes.
Offering the possibility to delete codes would lower the difficulty of compromising the integrity of the data. However, if #5 is implemented together with #22 and #4 in a way that only all archived codes can be deleted, then the number of codes in the archive and the dates added could expose any compromise of the integrity.
Suffice to say, if the attacker has access to the device, then deleting all data is as easy as uninstalling the app or deleting content from the device's memory.
Even though #5 threatens the security aspects of having data deleted (although this would still be possible for an attacker with access to the device), it should not violate the security aspects of revealing the right codes to an attacker, which is a separate security concern.
Deleting codes should not be a problem per se. The problem I have in mind is this:
In this scenario the attacker can be quite certain (but not entirely) that there is only a typo (an edit) separating the codes. This problem is still present with the archiving feature, so it actually isn't an argument against removal of codes. Edits are, though, because then the adversary is certain of the relation between before and after (an edit in difference).
As for the integrity, you can cryptographically link the entries. This way you need to know the master code to be able to change the order. You cannot prevent any deletion (without write-once media) but this way you can detect it easily. For an example, see Figure 1 of Schneier and Kelsey's paper.
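To make the linking idea from the comment above concrete, here is an added example (not code from this project or from the Schneier and Kelsey paper, which uses a hash chain with evolving keys; this is a simplified keyed chain). Each stored code carries a link computed as an HMAC-SHA256 over its position, the previous link and the entry itself, keyed with a key derived from the master code. Without the key an attacker cannot produce valid links, so deleting a middle entry or reordering entries breaks verification; cutting entries off the tail is only detectable if the verifier also remembers the latest link (or the entry count) somewhere the attacker cannot rewrite. The master key, the entry layout and the sample codes are constructed for the example; a real implementation should derive the key from the master code with a proper KDF.

```python
import hashlib
import hmac
import json
from typing import Optional

GENESIS = b"\x00" * 32  # link value "before" the first entry


def link(master_key: bytes, index: int, entry: dict, prev: bytes) -> bytes:
    """Keyed link over (position, previous link, entry).

    Binding the position and the previous link means an entry only verifies
    at the place it was appended; keying with the master key means nobody
    without it can re-chain the log after a deletion or reorder.
    """
    mac = hmac.new(master_key, digestmod=hashlib.sha256)
    mac.update(index.to_bytes(8, "big"))
    mac.update(prev)
    mac.update(json.dumps(entry, sort_keys=True).encode())
    return mac.digest()


def append_entry(log: list, master_key: bytes, entry: dict) -> list:
    """Append an entry linked to the current head of the log."""
    prev = log[-1]["link"] if log else GENESIS
    idx = len(log)
    log.append({"index": idx, "entry": entry,
                "link": link(master_key, idx, entry, prev)})
    return log


def verify(log: list, master_key: bytes,
           expected_head: Optional[bytes] = None) -> tuple:
    """Walk the chain from the genesis value; return (ok, reason).

    expected_head is the last link the verifier remembered out of band; it is
    what catches truncation of the tail, which the chain alone cannot see.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["index"] != i:
            return False, "index mismatch at position %d" % i
        expected = link(master_key, i, rec["entry"], prev)
        if not hmac.compare_digest(expected, rec["link"]):
            return False, "broken link at position %d" % i
        prev = rec["link"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, "tail truncated: head link does not match"
    return True, "ok"


def tamper_demo(master_key: bytes = b"constructed-master-key") -> dict:
    """Build a small constructed archive and try the manipulations the thread
    discusses; returns which ones verification accepts."""
    log = []
    for code, day in [("code-A", "2017-01-03"), ("code-B", "2017-02-11"),
                      ("code-C", "2017-03-20")]:
        append_entry(log, master_key, {"code": code, "added": day})
    head = log[-1]["link"]

    results = {"intact": verify(log, master_key, head)[0]}

    # delete the middle entry: the entry now at position 1 carries index 2
    deleted = [r for r in log if r["index"] != 1]
    results["middle_deleted"] = verify(deleted, master_key, head)[0]

    # swap the first two entries
    results["reordered"] = verify([log[1], log[0], log[2]], master_key, head)[0]

    # drop the last entry: undetectable without a remembered head link
    results["tail_cut_no_head"] = verify(log[:2], master_key)[0]
    results["tail_cut_with_head"] = verify(log[:2], master_key, head)[0]

    # attacker re-chains the shortened log, but has to guess the key
    rechained = []
    for r in deleted:
        append_entry(rechained, b"wrong-key", r["entry"])
    results["rechained_wrong_key"] = verify(rechained, master_key)[0]
    return results


if __name__ == "__main__":
    for name, accepted in tamper_demo().items():
        print("%-22s accepted=%s" % (name, accepted))
```

The `tail_cut_no_head` case is the point of the "cannot prevent any deletion" remark: a chain proves order and completeness up to its last link, so the app still has to keep the latest link or the entry count somewhere the attacker cannot silently rewrite (or accept that tail deletion looks like legitimate use).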
As a user who prefers tidiness, I want to be able to clear codes that I no longer use.