Hi All, Does anyone have secure coding rules for Android to keep data out of the various clouds? Does AOSP even provide the measures (perhaps not, because of the tight relationship with Google)?
I understand it can be OK to allow cloud egress if other security controls are used. But things like hard-coded keys and null initialization vectors neutralize any encryption benefits, so I'd prefer to keep data out of the cloud when advising those not versed in the art. Below are similar rules I have for iOS to give you an idea of what I am looking for. Jeff * Ensure sensitive data is not stored in <program>/Documents. Data in Documents/ can be backed up to an external device or entity (MacBook, Desktop PC, iTunes, iCloud, etc). Private data should be stored in a directory such as <program>/Caches. Also see Technical Q&A QA1719. * Verify sensitive data stored on the file system has the com.apple.MobileBackup extended attribute to prohibit iCloud backup. The attribute is honored in iOS 5.0.1 and above. Also see Technical Q&A QA1719. * Verify sensitive data stored on the file system has the kCFURLIsExcludedFromBackupKey flag to prohibit iCloud backup. The flag is honored in iOS 5.1 and above. Also see Technical Q&A QA1719. -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
