Yes, I guess you might be right.

Also, I wanted to ask: is the OS encrypted?

What I mean is, if the mobile device running Android is connected to a
PC (or other device) as a secondary device (analogous to a secondary hard
drive), is it possible to browse all files inside the device, or are they
kept encrypted? It uses the Linux kernel so I kinda assumed it is;
wanted to make sure, is it?

Sincerely
Ray

On Jun 11, 6:15 pm, "Justin (Google Employee)" <[EMAIL PROTECTED]>
wrote:
> > Then is it safe to assume that if our application creates a file then
> > this file will not be accessible by anyone?
>
> "Safe" is vague. Based on hackbod's information it would be nearly
> impossible to gain access to an application's private files. However,
> there are always extraordinary possibilities such as a privilege
> escalation exploit allowing a user or process to gain root or the user
> physically modifying the devices and removing internal storage media.
> Both of these possibilities are extremely remote.
>
> Cheers,
> Justin
> Android Team @ Google
>
> On Jun 11, 4:14 am, rayback_2 <[EMAIL PROTECTED]> wrote:
>
> > Hi, and thanks for prompt responses to all, really appreciate that.
>
> > The keystore itself is password protected, so the password is
> > needed to start using keystore (and maybe even another password for
> > accessing individual entries inside the keystore itself, like
> > secretkeys and private keys).
>
> > My first problem lies in the possibility of brute-force attacking the
> > keystore file after it is exported to some external device (like PC).
>
> > >>Out of curiosity, are you interested in protecting your data from
> > >> access by the user, or malicious access from others?
>
> > We kinda want both.
>
> > We got a scenario where a keystore contains ECDSA keypairs which
> > should be used by user for signing (who knows passwords). And this
> > keystore should be protected from malicious users. But even user
> > himself should not be able to export it to another device (it's a
> > requirement since those keys are used for authentication and other
> > operations)
>
> > In another scenario we need our application to encrypt some data, thus
> > we need to keep the keys secret and protect the keys from the user too.
>
> > From hackbod's post I understand that access to internal flash
> > will be limited to low-level services only. And root access to the adb
> > shell is not what is expected to be available.
>
> > Then is it safe to assume that if our application creates a file then
> > this file will not be accessible by anyone?
>
> > >> For example, we could store an encrypted datafile with a key based on
> > >> the application signature itself seeded with the device ID. Since the
> > >> key can be calculated with code, it wouldn't be stored anywhere, so any
> > >> attacker would have to extract the key from a running program (which is
> > >> quite hard!); and even if someone did manage this and was able to
> > >> decrypt the datafile, they'd need to repeat the process on every other
> > >> phone.
>
> > I guess this is not a good option since the device ID can be obtained by
> > an attacker the same way the original application did it.
> > And since the key is calculated, decompiling the code will reveal the
> > internals, so an attacker, instead of extracting keys from a running
> > program, would generate the same key. Just thoughts.
>
> > Thanks
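
The trade-off argued in the quoted exchange (a key computed only from the application signature and the device ID, versus one that also depends on a password), as an added Python example that is not part of the thread. The input values, function names and PBKDF2 iteration count are constructed assumptions, and the passphrase variant only fits the scenario where the user is meant to know the password.

```python
import hashlib
import hmac

# Constructed sample inputs (not from the thread). Both values are readable
# by any party that holds the application package and the handset.
APP_SIGNATURE = bytes.fromhex("aa" * 32)      # stands in for the signing-cert digest
DEVICE_ID = b"constructed-device-id-0001"
OTHER_DEVICE_ID = b"constructed-device-id-0002"


def derive_from_public(signature: bytes, device_id: bytes) -> bytes:
    """Key computed purely from the app signature and the device ID."""
    return hmac.new(signature, device_id, hashlib.sha256).digest()


def derive_with_secret(signature: bytes, device_id: bytes,
                       passphrase: str, iterations: int = 200_000) -> bytes:
    """Same public inputs used only as a salt; the key material is a secret
    the user types in, stretched with PBKDF2 to slow offline guessing."""
    salt = hashlib.sha256(signature + device_id).digest()
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations)


def compare() -> dict:
    app_key = derive_from_public(APP_SIGNATURE, DEVICE_ID)
    # A second party running the same computation on the same public inputs.
    observer_key = derive_from_public(APP_SIGNATURE, DEVICE_ID)
    other_device_key = derive_from_public(APP_SIGNATURE, OTHER_DEVICE_ID)

    user_key = derive_with_secret(APP_SIGNATURE, DEVICE_ID, "constructed passphrase")
    guess_key = derive_with_secret(APP_SIGNATURE, DEVICE_ID, "wrong guess")

    return {
        # No secret goes in, so the key is not secret either.
        "public_key_reproducible": hmac.compare_digest(app_key, observer_key),
        # The per-device property from the thread does hold.
        "differs_per_device": not hmac.compare_digest(app_key, other_device_key),
        # With a passphrase, the public inputs alone do not yield the key.
        "needs_passphrase": not hmac.compare_digest(user_key, guess_key),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```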