On Saturday, August 27, 2011 1:53:12 PM UTC-4, KK wrote:
>
> I have an android EditText which holds a password. I have to
> retrieve this in one of my modules and pass it to another. I am
> calling EditText.getEditableText and encrypting its content. But I
> want to know if android creates any immutable objects internally for
> the EditText Content (like String), in which case there might still be a
> way for a hacker to get the password out?
>
At first glance this seems like an interesting question - the whole idea of abstraction is that you aren't supposed to care about implementation details, but here you do appear to have a good reason for caring.

However, if you take a step back, it would seem that someone in a position to exploit a detail like this is someone who has breached the primary android security mechanism - the separation of distinct applications into distinct unprivileged users, tricked your program into running pieces of their code, or else has tricked someone into installing a modified version of your program. If either of those situations has occurred, there are so many means of obtaining confidential data that it may not be worth worrying about them individually.

So for the question to be useful, I think you would either need to postulate a situation where the answer matters on a device where the security model is intact, or suggest a reason why attacking the internal implementation of EditText on a compromised system would be easier than attacking the interface between your code and EditText, or between EditText and the rest of the android system.

--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
To view this discussion on the web visit https://groups.google.com/d/msg/android-security-discuss/-/48SsKhCqDo0J.