Being "rootable" is not, in and of itself, a bad thing. The owner of the device should have the right to assert control of the device, just like with a PC or a laptop. The fact that consumers have to rely on exploits to *gain* root instead of having a controlled legitimate process (like the "fast oem unlock" process on the Nexus One) *is* a problem because it provides a disincentive for the technical community (XDA, etc.) to share knowledge of exploits with the upstream developers (i.e., Google).

On Dec 15, 12:32 pm, Nick Kralevich <[email protected]> wrote:
> It's really impossible to provide security on a rooted device. Even if you
> figured out a place to store the key, a rooted device could just intercept
> the key while it was in transit to the application, compromising your
> security.
>
> I really wish people would understand that "being rootable" is a bad thing
> in most cases. There's ways to legitimately get "root" access to
> your device, such as Google's "fastboot oem unlock" command, which are safe
> from attackers.
>
> However, in pretty much all the cases I've seen, rooting the device involves
> exploiting a known security hole, which could also be used by a malicious
> attacker. It really shouldn't be called "rootable", but rather, "an
> unpatched security hole with exploits in the wild".
>
> -- Nick
>
> On Wed, Dec 15, 2010 at 5:18 AM, azahara <[email protected]> wrote:
>
> > Hi everybody,
> >
> > I am working on a project that requires to store sensitive data on an
> > android mobile phone. Up to now, it seems that the suitable place to
> > store that data is the private folder that is owned by the
> > application. However, in a rooted phone this folder can be accessed
> > easily.
> >
> > Another alternative is related to encryption. Again, the point is where
> > to store the corresponding key. The security API of android provides a
> > keystore class that can contain cryptographic keys. Does anybody know
> > where this file is stored? Is it necessary to create a keystore for
> > each application that required it? And how secure is the access to
> > the information in this file by unauthorized applications?
> >
> > Any idea or suggestions will be welcome!
> >
> > thanks
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Android Security Discussions" group.
> > To post to this group, send email to
> > [email protected].
> > To unsubscribe from this group, send email to
> > [email protected].
> > For more options, visit this group at
> > http://groups.google.com/group/android-security-discuss?hl=en.
