> > - Storing the key in a way that can't be exported from the device, even
> > if rooted. I've been looking at the KeyChain API for this. Has anyone
> > had experience storing app generated key data in this way?

FYI: https://doridori.github.io/android-security-the-forgetful-keystore/

In OpenKeychain we haven't done this due to usability concerns:
https://github.com/open-keychain/open-keychain/issues/1642

> > - Notarizing the key on a special cloud service (or keybase.io perhaps)
> > to ensure it came from the actual ProofMode app and not a random PGP
> > command line... again, any thoughts on somehow tagging the origins of a
> > key to a specific instance or hardware?

OpenKeychain supports Linked Identities to link keys to Twitter/GitHub etc. An alternative approach to keybase.io.
We also wrote Linked Identities down as Internet Drafts:
http://tools.ietf.org/html/draft-vb-openpgp-linked-ids-01
http://tools.ietf.org/html/draft-vb-openpgp-uri-attribute-01

> > - Not running proofmode when a USB device is connected, or when a device
> > is rooted (We can detect both), or simply logging facts in the proof CSV
> > file.

There is also Google's SafetyNet API. I think it's closed source and I don't like their approach, but you could look into it:
https://koz.io/inside-safetynet/

Cheers
Dominik
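The first two quoted asks (a key that cannot be exported even on a rooted device, and tying a key to a specific piece of hardware) map onto Android Keystore key generation with key attestation. The following is an added example, not code from ProofMode or OpenKeychain; the key alias and the source of the attestation challenge are assumptions.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;

/** Added example: non-exportable signing key plus key attestation (not project code). */
public final class ProofSigner {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String ALIAS = "proof-signing-key"; // hypothetical alias

    /** Generates an EC key whose private half never leaves the Keystore/TEE. The challenge
     *  (assumed to be a nonce from the verifying service) is embedded in the attestation chain. */
    public static void createKey(byte[] attestationChallenge) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, KEYSTORE);
        kpg.initialize(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setAttestationChallenge(attestationChallenge) // API 24+
                .build());
        kpg.generateKeyPair();
    }

    private static KeyStore openStore() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        return ks;
    }

    /** Attestation chain: the leaf certificate carries the challenge and the key's origin,
     *  so a verifier can check (off-device) that this key was created in this device's hardware. */
    public static Certificate[] attestationChain() throws Exception {
        return openStore().getCertificateChain(ALIAS);
    }

    /** Signs a proof file's bytes inside the Keystore. priv.getEncoded() returns null for
     *  Keystore-backed keys, so the app, and anything running as root, has no key material to copy. */
    public static byte[] sign(byte[] data) throws Exception {
        PrivateKey priv = (PrivateKey) openStore().getKey(ALIAS, null);
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initSign(priv);
        sig.update(data);
        return sig.sign();
    }

    /** True only when the key lives in secure hardware (TEE/StrongBox) rather than software. */
    public static boolean isHardwareBacked() throws Exception {
        PrivateKey priv = (PrivateKey) openStore().getKey(ALIAS, null);
        KeyInfo info = KeyFactory.getInstance(priv.getAlgorithm(), KEYSTORE).getKeySpec(priv, KeyInfo.class);
        return info.isInsideSecureHardware();
    }
}
```

The chain must be validated off-device against Google's attestation root, and the "forgetful keystore" caveat linked above still applies to Keystore-backed keys.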
