Avoid keeping cleartext password char[] in memory #32

Closed
patrickfav opened this issue Oct 31, 2018 · 0 comments
Comments

@patrickfav (Owner)

Currently the sharedPreference implementation keeps the char[] array of the user password in memory until it's closed. This makes it quite easy to read the cleartext password when instrumenting the device and reading the current memory (e.g. with Frida). There is a data structure which obfuscates the content of a field, so it can be used until it is actually used.

It WOULD be way better to derive a byte array directly when passing the password (using a hash function or similar), then use this byte array when deriving the main key (so the clear pw is never in memory again), but that would entail making non-backwards-compatible changes.
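The hash-first approach sketched in the issue, as an added illustration that is not the project's own code: the char[] is digested and zeroed before any key derivation, and the main key is derived from the digest alone. The class and method names, and the HMAC step standing in for the library's real KDF, are assumptions of this example.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical helper (not the project's code): converts the cleartext password
 *  into a fixed-size byte[] right away and wipes every cleartext copy. */
public final class PasswordFingerprint {

    /** SHA-256 the password and zero the char[] plus the UTF-8 intermediate.
     *  After this call the caller holds only the digest. */
    public static byte[] hashAndWipe(char[] password) throws GeneralSecurityException {
        ByteBuffer utf8 = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] encoded = new byte[utf8.remaining()];
        utf8.get(encoded);
        try {
            return MessageDigest.getInstance("SHA-256").digest(encoded);
        } finally {
            Arrays.fill(encoded, (byte) 0);
            Arrays.fill(password, '\0');
            if (utf8.hasArray()) Arrays.fill(utf8.array(), (byte) 0); // encoder's own copy
        }
    }

    /** Placeholder for the main-key derivation: keyed only by the digest, so the
     *  cleartext password is never needed again. HMAC stands in for the real KDF. */
    public static byte[] deriveMainKey(byte[] passwordHash, byte[] salt) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(passwordHash, "HmacSHA256"));
        mac.update(salt);
        return mac.doFinal("main-key".getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample; a real caller gets the char[] from the UI, never from a String
        char[] pw = new char[] {'h', 'u', 'n', 't', 'e', 'r', '2'};
        byte[] pwHash = hashAndWipe(pw);
        boolean wiped = true;
        for (char c : pw) wiped &= (c == '\0');
        System.out.println("cleartext wiped: " + wiped + ", digest bytes: " + pwHash.length);
        byte[] salt = new byte[16]; // constructed; a real store uses a random per-store salt
        byte[] mainKey = deriveMainKey(pwHash, salt);
        System.out.println("main key bytes: " + mainKey.length);
        Arrays.fill(pwHash, (byte) 0); // digest is no longer needed once the key exists
    }
}
```

An unsalted digest of a weak password is still a brute-force target, so it only replaces the cleartext as an intermediate; the salted, slow key derivation still runs on top of it.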
