On 08/15/2013 06:24 AM, Fabio Pietrosanti (naif) wrote:
> All Mobile Security Applications should not rely on the standard RNG of the
> OS but fetch precious and better sources of randomness available on those
> devices:
> - Microphone Audio Sample
> 
> On a commercial product I worked on in the past, the RNG has always been fed
> with noise from the microphone.

Ha, it is easy enough for you to say this, since your app was a VoIP
app, and asking for permission to use the microphone did not raise any
suspicion.

If every privacy-oriented app that needed random data asked for
permission to listen to the microphone, we may quickly find ourselves at
the wrong end of the user's paranoia.

Regardless, we trusted Google's BOLD recommended best practices to not
manually seed the RNG, and were mildly burned because of it. From now on,
we will trust no one, in that particular department.

+n

-- 
Liberationtech is a public list whose archives are searchable on Google. 
Violations of list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.