Isaac,
Your project looks interesting. Quick question regarding the security of OI Safe's Keystore Service. In your example, how does the Instant Message Application know that it is the AndroidPasswordSafe application receiving the cleartext password stored in the ACTION_SET_PASSWORD Intent? Assuming (from the symmetric communication in the diagram) you are using startActivity() and not broadcasting an Intent, the API does not provide a mechanism to require a permission of the receiving application.
I believe a caution related to this was mentioned as a "developer tip" in the iSec whitepaper by Jesse Burns that was mentioned on this list a few months ago.
Thanks,
-Will

On Mar 12, 2009, at 7:32 PM, Isaac Potoczny-Jones wrote:
> Greetings, as I just mentioned on the android developers group, you might find the OpenIntents keystore project of interest as well:
> http://code.google.com/p/openintents/wiki/CryptoIntents
> It would be great to build something compatible, since the goal of the openintents project is interoperability :)
> peace, isaac

--
William Enck
PhD Candidate
Department of Computer Science and Engineering
The Pennsylvania State University
[email protected]
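
A sender-side check for the concern raised above, as an added example that is not part of the original message or of the OpenIntents code: because startActivity() cannot require a permission of the receiver, the caller resolves the Intent, pins the receiving package's signing certificate, and only then addresses the Intent explicitly. The package name and certificate digest are placeholders, and `bindToVerifiedReceiver` is a hypothetical helper name.

```java
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;
import java.security.MessageDigest;

public final class VerifiedReceiver {
    // Placeholder (assumption): package name of the keystore app the caller trusts.
    static final String EXPECTED_PACKAGE = "com.example.keystore";
    // Placeholder (assumption): SHA-256 of that app's signing certificate, shipped
    // with the caller. All zeros never matches, so the unconfigured check fails closed.
    static final byte[] EXPECTED_CERT_SHA256 = new byte[32];

    /**
     * Returns a copy of {@code implicit} addressed to one verified activity,
     * or null when the receiver cannot be verified.
     */
    public static Intent bindToVerifiedReceiver(Context ctx, Intent implicit)
            throws Exception {
        PackageManager pm = ctx.getPackageManager();

        // Resolve only within the expected package, so another app that
        // registered the same action cannot be chosen.
        Intent probe = new Intent(implicit).setPackage(EXPECTED_PACKAGE);
        ResolveInfo ri = pm.resolveActivity(probe, PackageManager.MATCH_DEFAULT_ONLY);
        if (ri == null || ri.activityInfo == null) return null;
        if (!EXPECTED_PACKAGE.equals(ri.activityInfo.packageName)) return null;

        // A package name alone can be claimed by any app installed first;
        // the signing certificate is what identifies the publisher.
        PackageInfo pi = pm.getPackageInfo(EXPECTED_PACKAGE,
                PackageManager.GET_SIGNATURES);
        if (pi.signatures == null || pi.signatures.length != 1) return null;
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(pi.signatures[0].toByteArray());
        if (!MessageDigest.isEqual(digest, EXPECTED_CERT_SHA256)) return null;

        // Explicit component: the system delivers to this activity only.
        return new Intent(implicit).setComponent(new ComponentName(
                ri.activityInfo.packageName, ri.activityInfo.name));
    }
}
```

Attach the cleartext password extra only to the Intent this method returns, and treat a null result as a refusal to send.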
