patrickfav / armadillo

A shared preference implementation for confidential data in Android. Per default uses AES-GCM, BCrypt and HKDF as cryptographic primitives. Uses the concept of device fingerprinting combined with optional user provided passwords and strong password hashes.
https://favr.dev/opensource/armadillo
Apache License 2.0
280 stars 52 forks source link

Add derived password cache to speed up consecutive .get() calls #33

Closed patrickfav closed 5 years ago

patrickfav commented 6 years ago

To make get calls faster, a cache, which caches the derived password should be implemented. This will not speed up put* operations since every time a new salt will be created making it impossible to cache.

The disadvantage is that the derived password stays in cache, therefor in memory for way longer, making it easier to read when the device is used with instrumentation tool like FRIDA (this is a more specific attack, since when the attacker has full access to the device, there is not much you can do).