[guardian-dev] Storing application secrets in Android's credential storage

Dominik Schürmann dominik at dominikschuermann.de
Fri Aug 17 03:19:26 EDT 2012 

The blog post says:
"Each key is bound to the UID of the process that created it, so that
apps cannot access each other's keys or the system ones. Additionally,
even system apps cannot see app keys, and root is explicitly prohibited
from creating or listing keys."

The UID is checked when connecting to the keystore over LocalSockets.

Regards
Dominik



On 17.08.2012 08:27, Miron wrote:
> 
> On 12-08-16 07:15 PM, Abel Luck wrote:
>> What prevents an app from reading another apps' secrets?
> 
> I believe that all accesses cause the keystore to present a confirmation
> dialog with the secret name and the app name.  This specific path would
> have to be tested to make sure.
> 
>> Dominik Schürmann:
>>> No, I don't know of any app that uses this, but there is open source
>>> sample code available on https://github.com/nelenkov/android-keystore
>>>
>>> Regards
>>> Dominik
>>>
>>> On 14.08.2012 22:00, Hans-Christoph Steiner wrote:
>>>>
>>>> Hmm, that's interesting, but it sucks that its not a public API. Do you
>>>> know of any apps that are using this?
>>>>
>>>> .hc
>>>>
>>>> On 08/13/2012 11:11 AM, Dominik Schürmann wrote:
>>>>> Hi,
>>>>>
>>>>> I don't know if it was already discussed, but there seems to be a
> way to
>>>>> store any data in Android's credential storage.
>>>>>
>>>>> I stumbled upon this interesting blog and the following post:
>>>>>
> http://nelenkov.blogspot.com.es/2012/05/storing-application-secrets-in-androids.html
>>>>>
>>>>> It is not public API but seems to be relatively stable as it is
>>>>> supported from 1.6 to 4.0. Thus it could be an option to store for
>>>>> example sqlcipher passwords.
>>>>>
>>>>> Regards
>>>>> Dominik Schürmann
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Guardian-dev mailing list
>>>>>
>>>>> Post: Guardian-dev at lists.mayfirst.org
>>>>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>>>>
>>>>> To Unsubscribe
>>>>> Send email to: Guardian-dev-unsubscribe at lists.mayfirst.org
>>>>> Or visit:
> https://lists.mayfirst.org/mailman/options/guardian-dev/hans%40guardianproject.info
>>>>>
>>>>> You are subscribed as: hans at guardianproject.info
>>>>>
>>>> _______________________________________________
>>>> Guardian-dev mailing list
>>>>
>>>> Post: Guardian-dev at lists.mayfirst.org
>>>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>>>
>>>> To Unsubscribe
>>>> Send email to: Guardian-dev-unsubscribe at lists.mayfirst.org
>>>> Or visit:
> https://lists.mayfirst.org/mailman/options/guardian-dev/dominik%40dominikschuermann.de
>>>>
>>>> You are subscribed as: dominik at dominikschuermann.de
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Guardian-dev mailing list
>>>
>>> Post: Guardian-dev at lists.mayfirst.org
>>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>>
>>> To Unsubscribe
>>> Send email to: Guardian-dev-unsubscribe at lists.mayfirst.org
>>> Or visit:
> https://lists.mayfirst.org/mailman/options/guardian-dev/abel%40guardianproject.info
>>>
>>> You are subscribed as: abel at guardianproject.info
> 
> 
> 
>> _______________________________________________
>> Guardian-dev mailing list
> 
>> Post: Guardian-dev at lists.mayfirst.org
>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
> 
>> To Unsubscribe
>> Send email to: Guardian-dev-unsubscribe at lists.mayfirst.org
>> Or visit:
> https://lists.mayfirst.org/mailman/options/guardian-dev/c1.android%40niftybox.net
> 
>> You are subscribed as: c1.android at niftybox.net
> 
> 
> 
> 
> 
> 
> 
> _______________________________________________
> Guardian-dev mailing list
> 
> Post: Guardian-dev at lists.mayfirst.org
> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
> 
> To Unsubscribe
>         Send email to:  Guardian-dev-unsubscribe at lists.mayfirst.org
>         Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/dominik%40dominikschuermann.de
> 
> You are subscribed as: dominik at dominikschuermann.de


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 554 bytes
Desc: OpenPGP digital signature
URL: <http://lists.mayfirst.org/pipermail/guardian-dev/attachments/20120817/f51c4bc3/attachment.pgp>

More information about the Guardian-dev mailing list