rogerta / secrets-for-android

Securely store and manage passwords and secrets on your Android phone.

Self-destruct trigger password. #134

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Self-destruct trigger password features:

 1. Erases the secret store by overwriting it with random, zero and one in a random manner.

 2. Has to be activated when the lock screen is on.

 3. Erases the program files instead of uninstalling.

 4. User must manually enable this option as some users may want to leave the programs intact.

 5. User has to define a password as the trigger.

 6. The trigger should not be accessible as some plaintext data but instead the chosen self-destruct password should wrap a self-destruct flag that once decrypted would trigger the self-destruction process.

 7. Data should not be recoverable after self-destruction.

 8. Self-destruct ciphertext should be unrecognizable from normal encrypted data.

Original issue reported on code.google.com by twzgerald@gmail.com on 16 Jul 2014 at 1:05

bcwhite-code commented 3 years ago

Note that there are real limits to this.

The encrypted data was written to flash memory and a typical OS won't actually erase the data when overwritten -- it'll simply write the data elsewhere and, maybe, at some point in the future, overwrite the original data.

On top of this, an attacker that knows such a feature exists will simply make a copy of the encrypted data before trying to force the password from someone.

A more general solution would be to provide different lists for different passwords. Thus, if pressured, you could just reveal a "honeypot" password giving an empty list or fake data. Add a chunk of random data to the file contents and it becomes impossible, upon opening one secrets list, to know if there are parallel secrets lists protected by other passwords.

This needs to be done with nested lists, where you have to enter multiple passwords to unlock each new layer. That's likely to be too difficult to be useful to all but a few truly hardcore security experts and they would have more advanced systems to start with.

Still, you don't have to be fully secure to stop a nosy airport security guard in an authoritarian country.
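
The parallel-lists idea from the comment above, as an added sketch that is not part of the thread or of the Secrets for Android code base: a file of fixed-size slots where each password opens at most one slot and unused slots are random filler. The slot layout, sizes and function names are assumptions, and the SHAKE-256 keystream is a standard-library stand-in for a real AEAD such as AES-GCM.

```python
import hashlib, hmac, os, random

SLOTS, BODY, SALT, TAG = 4, 256, 16, 32  # assumed layout: 4 slots, 256-byte body
SLOT_LEN = SALT + BODY + TAG

def _keys(password, salt):
    # One PBKDF2 call yields an encryption key and a separate MAC key.
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, 64)
    return k[:32], k[32:]

def _xor_stream(key, data):
    # Stdlib stand-in for a real cipher such as AES-GCM: SHAKE-256 keystream XOR.
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal_slot(password, secrets_list):
    if len(secrets_list) > BODY - 2:
        raise ValueError("list too large for one slot")
    # Length prefix plus random padding, so every slot is the same size.
    body = len(secrets_list).to_bytes(2, "big") + secrets_list
    body += os.urandom(BODY - len(body))
    salt = os.urandom(SALT)  # fresh salt per slot, so keys never repeat
    enc_key, mac_key = _keys(password, salt)
    ct = _xor_stream(enc_key, body)
    return salt + ct + hmac.new(mac_key, salt + ct, "sha256").digest()

def build_container(lists):
    if len(lists) > SLOTS:
        raise ValueError("more lists than slots")
    slots = [seal_slot(pw, data) for pw, data in lists.items()]
    # Unused slots are plain random bytes, the "chunk of random data".
    slots += [os.urandom(SLOT_LEN) for _ in range(SLOTS - len(slots))]
    random.SystemRandom().shuffle(slots)  # position must not reveal use
    return b"".join(slots)

def open_container(password, blob):
    found = None
    for i in range(0, len(blob), SLOT_LEN):  # scan every slot, no early exit
        slot = blob[i:i + SLOT_LEN]
        salt, ct, tag = slot[:SALT], slot[SALT:-TAG], slot[-TAG:]
        enc_key, mac_key = _keys(password, salt)
        expected = hmac.new(mac_key, salt + ct, "sha256").digest()
        if hmac.compare_digest(tag, expected):
            body = _xor_stream(enc_key, ct)
            found = body[2:2 + int.from_bytes(body[:2], "big")]
    return found  # None: this password opens nothing in the file

if __name__ == "__main__":  # constructed sample passwords and data
    print(open_container("decoy-pw", build_container({"real-pw": b"pin", "decoy-pw": b""})))
```

The file is always `SLOTS * SLOT_LEN` bytes, so its size says nothing about how many lists exist; the limits raised in the comment about copies of the file and flash storage apply to this layout as well.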