Chris Stratton wrote:
You wouldn't, you would just impersonate their authorised user, unless
there's a user password check required with user-annoying frequency.
If we put rooted systems aside for a moment... It would be quite easy
for a functional OS to discriminate applications from using password and
other keys. If you created a password with the browser, it shouldn't
be available for any other app, even if the password is stored in a
common "vault".
In fact, I'm working on a key provisioning system for mobile phones
where the issuer is supposed to be able to grant certain applications
only in spite of the fact that the keystore is system-wide.
The "only" difficulty is finding a universal way of describing apps.
Any ideas here would be much appreciated!
Anders
On Sep 2, 8:52 pm, Jeff Enderwick <[email protected]> wrote:
How would you extract the private keys from the TPM?
On Thu, Sep 2, 2010 at 5:09 PM, Chris Palmer <[email protected]> wrote:
TPM would allow you to securely store the private keys associated with
a client cert. And IMO that is a pretty useful thing. Especially when
there are official loads like this:
http://grack.com/blog/2010/07/07/how-we-found-a-backdoor-in-sprints-e...
No, a TPM will not help you if an attack has rooted your system.
--
You received this message because you are subscribed to the Google Groups "Android
Security Discussions" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group
athttp://groups.google.com/group/android-security-discuss?hl=en.
--
You received this message because you are subscribed to the Google Groups "Android
Security Discussions" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/android-security-discuss?hl=en.
