On Mon, Sep 26, 2011 at 1:53 PM, James Burns <jfbu...@gmail.com> wrote:
> This is not the same as data at rest encryption but rather relies on > the Android (Linux) OS access control restrictions. "accessed / > available only by the main user login information" implies that the > user credentials are somehow being used to protect that data, which is > why I asked. Your statement confirms that that is not true. Correct. For encrypting data at rest, you have a few options: 1. Wait until Android has built-in full-disk encryption 2. Encrypt data in userland and write ciphertext to the filesystem/into SQLite DB rows A big trouble with (2) is, where do you get your key material from? (Actually, that is also a problem for (1), but at least once solved it helps every app on the system.) Another problem with (2) is, now you can't search the ciphertext; you'll have to load all the data, decrypt it in volatile memory, and search that. If the data is small enough, that might actually be just fine. But if not... >From a pragmatic security point of view, I think it's better to wait for FDE, and in the mean-time just be honest with your users about the risk. -- "These days, though, you have to be pretty technical before you can even aspire to crudeness." — William Gibson -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To post to this group, send email to android-security-discuss@googlegroups.com. To unsubscribe from this group, send email to android-security-discuss+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.