[android-developers] Re: Secure area inside android

2008-06-12 Thread rayback_2

Thanks a lot Justin, it was helpful.

Sincerely
Ray

On Jun 11, 7:13 pm, Justin (Google Employee) [EMAIL PROTECTED]
wrote:
  Because while a privilege escalation is, as you say, not particularly
  likely, it wouldn't be necessary if the user could just plug their phone
  into a PC and do 'adb shell'!

 As hackbod noted, in the current SDK the shell exposed through 'adb
 shell' is running as root. This won't be the case in the 1.0 release.
 'adb shell' will run as its own user, and therefore not have access to
 an application's files.

  What I mean is, if the mobile device running android is connected to
  PC (or other device) as secondary device (analogous to secondary hard
  drive)

 In this instance, access to the internal storage would still be
 mediated by Android. The internal storage would not be exposed as a
 dumb disk. Any means of accessing the filesystem would require a
 process on Android and therefore be under the restrictions discussed.

 Cheers,
 Justin
 Android Team @ Google

 On Jun 11, 8:55 am, David Given [EMAIL PROTECTED] wrote:

  Justin (Google Employee) wrote:

  [...]

   Safe is vague. Based on hackbod's information it would be nearly
   impossible to gain access to an application's private files. However,
   there are always extraordinary possibilities such as a privilege
   escalation exploit allowing a user or process to gain root or the user
   physically modifying the devices and removing internal storage media.
   Both of these possibilities are extremely remote.

  Is it likely that production phones will have the debug interface?
  Because while a privilege escalation is, as you say, not particularly
  likely, it wouldn't be necessary if the user could just plug their phone
  into a PC and do 'adb shell'!

  --
  David Given
  [EMAIL PROTECTED]
--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google
Groups Android Developers group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to
[EMAIL PROTECTED]
Announcing the new M5 SDK!
http://android-developers.blogspot.com/2008/02/android-sdk-m5-rc14-now-available.html
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en
-~--~~~~--~~--~--~---



[android-developers] Re: Secure area inside android

2008-06-11 Thread hackbod

Some things that might help put things in better perspective:

There are two storage areas, internal flash and external flash.
External flash is an SD card you can manually insert and remove from
the phone, and as such there is no security applied to the files there
(all files are world readable and writable) because (a) it uses a FAT
filesystem and (b) the user can always remove the card and do whatever
they want with its contents.  The internal flash can not be removed,
and is strongly protected with permissions in the file system as
described in http://code.google.com/android/devel/security.html

In the current SDK the permission enforcement is a little
more lax than it will be on a shipping device, because there are a few
pieces that are incomplete and the emulator is configured for
development and not normal usage.  Most importantly, there are two
things running as root that will not be root on a shipping device:

- The system process in the current SDK is running as root, but on
actual devices will be running as a normal user.  This means that the
vast bulk of the system itself can not even access private application
files: those applications are running as a different user, files in
the internal flash are not created world accessible by default, so the
system itself can't touch them.  There are a very few low-level
services (like init and a few others) running as root, and one of
these provides the basic file system manipulation needed by the higher-
level system: creating a data area for an application, removing the
data files of an application, etc.  These don't allow the system, let
alone other applications, to actually read those files.

- When you adb shell on to a device, the shell you get is currently
running as root, but again on an actual device this will be running as
its own dedicated user and thus not have access to private application
files.  So on a production device it is possible that the user will
not be able to directly read an application's files if the application
doesn't let them, though of course the system could be configured to
allow the user to get root, depending on how the manufacturer wants to
set things up.  I would assume that in most cases this won't be
allowed, however, due to things like DRM.

Out of curiosity, are you interested in protecting your data from
access by the user, or malicious access from others?

On Jun 10, 5:06 am, rayback_2 [EMAIL PROTECTED] wrote:
 Hi

 My purpose is to safely store secret keys, used for the encryption/
 decryption process, in a keystore file in Android. The keystore is
 password protected, but open to brute force attacks if it can be
 exported to regular PCs.

 I read in SDK that application can not access private memory of other
 applications, which is great, so inside a phone I am considering
 myself as safe. My concern is when the phone (device) is connected to
 computer, then everything is exportable to computer (as in emulator),
 and so is the keystore file which is then open to attacks.

 One solution to this would be to use cryptographic mini/microSD cards,
 but it's rather expensive (and besides, I could not find such a
 product).

 So my question is: Is there any area inside Android where we
 could keep private data which will not be exportable in any way?

 Sincerely
 Ray
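hackbod's point is that on a shipping device each application runs as its own user and its files in internal flash are not created world accessible by default, so the only way an application's data becomes readable by the shell user or by other applications is if the application itself loosens the mode (on Android, for instance, by opening a file with `Context.MODE_WORLD_READABLE`). The check a practitioner would want is an audit that walks an application's data directory and flags any file whose mode grants read or write access to "other". The following is an added example, not code from the thread or from the Android project; it is plain Python over POSIX mode bits, builds a constructed data directory in a temporary location, and assumes nothing Android-specific beyond the uid-per-application model described above.

```python
import os
import stat
import tempfile

# Mode bits that grant access to every user on the device ("other").
WORLD_BITS = stat.S_IROTH | stat.S_IWOTH


def world_accessible(root: str) -> list:
    """Return the paths (relative to root) of regular files under root whose
    mode lets any other uid read or write them."""
    exposed = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: do not follow symlinks out of the tree
            if stat.S_ISREG(st.st_mode) and st.st_mode & WORLD_BITS:
                exposed.append(os.path.relpath(full, root))
    return sorted(exposed)


def create_private_file(path: str, data: bytes) -> None:
    """Create a file that only its owner can read or write (mode 0600).
    The mode is passed at creation time, so there is never a window in
    which the file exists with a looser mode; O_EXCL refuses to reuse a
    file that already exists (which might carry someone else's mode)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def demo() -> list:
    """Build a constructed application data directory holding one private
    file and one world-readable file, then return what the audit flags."""
    root = tempfile.mkdtemp(prefix="appdata-")
    os.mkdir(os.path.join(root, "files"))
    # The keystore is created the right way: owner-only from the start.
    create_private_file(os.path.join(root, "files", "keystore.bks"),
                        b"constructed keystore bytes")
    # The cache file is the mistake the audit exists to catch: a mode that
    # is readable by every uid on the device.
    leaky = os.path.join(root, "files", "cache.db")
    with open(leaky, "wb") as f:
        f.write(b"constructed cache bytes")
    os.chmod(leaky, 0o644)
    return world_accessible(root)


if __name__ == "__main__":
    for rel in demo():
        print("world accessible:", rel)
```

Run from a shell with `adb shell` access to the data directory, the same audit reduces to checking the "other" column of `ls -l` output; the point of the script is that private storage is only as private as the mode bits the application leaves on each file.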



[android-developers] Re: Secure area inside android

2008-06-11 Thread David Given

hackbod wrote:
 (a) it uses a FAT
 filesystem and...

I'd just like to emphasise that if people write code that uses the SD 
card, this needs to be borne in mind --- FAT has a few rather different 
semantics to a real Unix file system. Apart from the 2s-granularity 
timestamp, it also doesn't support sparse files.

I discovered this when I found that a simple call to 
RandomAccessFile.setLength() on FAT was taking 45 seconds to complete; 
rather than simply adjusting the length of the file as it does on yaffs2, 
it was writing 15MB of zeroes to the card.

[...]
 Out of curiosity, are you interested in protecting your data from
 access by the user, or malicious access from others?

I don't know what his application is, but if it's anything like mine, we 
need to store secure hashes of data files to ensure that the user's not 
tampering with them.

I know this is actually impossible to do, but we don't need perfect 
security, merely *good-enough* security; we want to make it sufficiently 
hard to produce fake hashes that most people won't bother, and in 
particular we'd need a scheme that ensured that if the security was 
broken on one device, it's not also broken on all other devices.

For example, we could store an encrypted datafile with a key based on 
the application signature itself seeded with the device ID. Since the 
key can be calculated with code, it wouldn't be stored anywhere, so any 
attacker would have to extract the key from a running program (which is 
quite hard!); and even if someone did manage this and was able to 
decrypt the datafile, they'd need to repeat the process on every other 
phone.

But as this is a lot of work, it'd be much more convenient if there was 
a proper secure datastore on the device. Unfortunately the concept of 
'secure (from the user)' and 'open device' are probably antithetical...

-- 
David Given
[EMAIL PROTECTED]




[android-developers] Re: Secure area inside android

2008-06-11 Thread rayback_2

Hi, and thanks for prompt responses to all, really appreciate that.

The keystore itself is password protected, so the password is
needed to start using the keystore (and maybe even another password for
accessing individual entries inside the keystore itself, like
secret keys and private keys).

My first problem lies in the possibility of brute-force attacking the
keystore file after it is exported to some external device (like PC).

Out of curiosity, are you interested in protecting your data from
 access by the user, or malicious access from others?

We kinda want both.

We have a scenario where a keystore contains ECDSA keypairs which
should be used by the user for signing (who knows the passwords). And this
keystore should be protected from malicious users. But even the user
himself should not be able to export it to another device (it's a
requirement since those keys are used for authentication and other
operations).

In the other scenario we need our application to encrypt some data, thus
we need to keep the keys secret and protect the keys from the user too.

From hackbod's post I understand that access to internal flash
will be limited to low level services only. And root access to the adb
shell is not what is to be expected.

Then is it safe to assume that if our application creates a file then
this file will not be accessible by anyone?

 For example, we could store an encrypted datafile with a key based on
 the application signature itself seeded with the device ID. Since the
 key can be calculated with code, it wouldn't be stored anywhere, so any
 attacker would have to extract the key from a running program (which is
 quite hard!); and even if someone did manage this and was able to
 decrypt the datafile, they'd need to repeat the process on every other
 phone.

I guess this is not a good option since the device ID can be obtained by
an attacker the same way the original application did it.
And since the key is calculated, decompiling the code will reveal the
internals, so the attacker, instead of extracting keys from the running
program, would generate the same key. Just thoughts.

Thanks



[android-developers] Re: Secure area inside android

2008-06-11 Thread Justin (Google Employee)

 Then is it safe to assume that if our application creates a file then
 this file will not be accessible by anyone?

Safe is vague. Based on hackbod's information it would be nearly
impossible to gain access to an application's private files. However,
there are always extraordinary possibilities such as a privilege
escalation exploit allowing a user or process to gain root or the user
physically modifying the devices and removing internal storage media.
Both of these possibilities are extremely remote.

Cheers,
Justin
Android Team @ Google

On Jun 11, 4:14 am, rayback_2 [EMAIL PROTECTED] wrote:
 Hi, and thanks for prompt responses to all, really appreciate that.

 The keystore itself is password protected, so the password is
 needed to start using the keystore (and maybe even another password for
 accessing individual entries inside the keystore itself, like
 secret keys and private keys).

 My first problem lies in the possibility of brute-force attacking the
 keystore file after it is exported to some external device (like PC).

 Out of curiosity, are you interested in protecting your data from
  access by the user, or malicious access from others?

 We kinda want both.

 We have a scenario where a keystore contains ECDSA keypairs which
 should be used by the user for signing (who knows the passwords). And this
 keystore should be protected from malicious users. But even the user
 himself should not be able to export it to another device (it's a
 requirement since those keys are used for authentication and other
 operations).

 In the other scenario we need our application to encrypt some data, thus
 we need to keep the keys secret and protect the keys from the user too.

 From hackbod's post I understand that access to internal flash
 will be limited to low level services only. And root access to the adb
 shell is not what is to be expected.

 Then is it safe to assume that if our application creates a file then
 this file will not be accessible by anyone?

  For example, we could store an encrypted datafile with a key based on
  the application signature itself seeded with the device ID. Since the
  key can be calculated with code, it wouldn't be stored anywhere, so any
  attacker would have to extract the key from a running program (which is
  quite hard!); and even if someone did manage this and was able to
  decrypt the datafile, they'd need to repeat the process on every other
  phone.

 I guess this is not a good option since the device ID can be obtained by
 an attacker the same way the original application did it.
 And since the key is calculated, decompiling the code will reveal the
 internals, so the attacker, instead of extracting keys from the running
 program, would generate the same key. Just thoughts.

 Thanks



[android-developers] Re: Secure area inside android

2008-06-11 Thread Justin (Google Employee)

 Because while a privilege escalation is, as you say, not particularly
 likely, it wouldn't be necessary if the user could just plug their phone
 into a PC and do 'adb shell'!

As hackbod noted, in the current SDK the shell exposed through 'adb
shell' is running as root. This won't be the case in the 1.0 release.
'adb shell' will run as its own user, and therefore not have access to
an application's files.

 What I mean is, if the mobile device running android is connected to
 PC (or other device) as secondary device (analogous to secondary hard
 drive)

In this instance, access to the internal storage would still be
mediated by Android. The internal storage would not be exposed as a
dumb disk. Any means of accessing the filesystem would require a
process on Android and therefore be under the restrictions discussed.

Cheers,
Justin
Android Team @ Google

On Jun 11, 8:55 am, David Given [EMAIL PROTECTED] wrote:
 Justin (Google Employee) wrote:

 [...]

  Safe is vague. Based on hackbod's information it would be nearly
  impossible to gain access to an application's private files. However,
  there are always extraordinary possibilities such as a privilege
  escalation exploit allowing a user or process to gain root or the user
  physically modifying the devices and removing internal storage media.
  Both of these possibilities are extremely remote.

 Is it likely that production phones will have the debug interface?
 Because while a privilege escalation is, as you say, not particularly
 likely, it wouldn't be necessary if the user could just plug their phone
 into a PC and do 'adb shell'!

 --
 David Given
 [EMAIL PROTECTED]



[android-developers] Re: Secure area inside android

2008-06-10 Thread Justin (Google Employee)

If the keystore file is password protected, why not store it
encrypted? Then have the user enter her password to start using the
keystore and decrypt it on demand? I believe this is the approach used
by many keystore implementations.

Cheers,
Justin


On Jun 10, 5:06 am, rayback_2 [EMAIL PROTECTED] wrote:
 Hi

 My purpose is to safely store secret keys, used for the encryption/
 decryption process, in a keystore file in Android. The keystore is
 password protected, but open to brute force attacks if it can be
 exported to regular PCs.

 I read in SDK that application can not access private memory of other
 applications, which is great, so inside a phone I am considering
 myself as safe. My concern is when the phone (device) is connected to
 computer, then everything is exportable to computer (as in emulator),
 and so is the keystore file which is then open to attacks.

 One solution to this would be to use cryptographic mini/microSD cards,
 but it's rather expensive (and besides, I could not find such a
 product).

 So my question is: Is there any area inside Android where we
 could keep private data which will not be exportable in any way?

 Sincerely
 Ray
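Two suggestions in this thread fit together: Justin's advice above to keep the keystore encrypted and decrypt it on demand from the user's password, and David Given's earlier idea of deriving the key from something device-specific so that breaking one device does not break all of them. Ray's objection, that the device ID is obtainable and the derivation can be read out of the code, is correct for a key built from the device ID alone; mixing the device ID in as salt, with all secrecy coming from the user's password and a deliberately slow KDF, keeps David's per-device separation while making the exported file only as weak as the password times the work factor. The following is an added example, not code from the thread or from the Android project. It uses only the Python standard library: PBKDF2-HMAC-SHA256 for key derivation, an HMAC-SHA256 counter-mode keystream for confidentiality (a stdlib stand-in chosen so the example runs anywhere; on a device the platform's AES-GCM should take its place), and encrypt-then-MAC with a constant-time tag check. `seal`, `unseal`, `derive_keys` and the blob layout are this example's own conventions, not an existing keystore format.

```python
import hashlib
import hmac
import os
import struct

KDF_ITERATIONS = 200_000  # per-guess work factor; raise it as device CPUs allow
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(password: str, device_id: bytes, salt: bytes, iterations: int):
    """PBKDF2-HMAC-SHA256 over the password, salted with a random
    per-keystore salt plus the device identifier. The device id is not a
    secret: its only job is to make the derived keys differ from device to
    device, so a key recovered on one phone does not open the same file
    copied from another. All secrecy comes from the password, and the
    iteration count is what an attacker pays for every guess against an
    exported copy of the file."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt + device_id, iterations, dklen=64)
    return material[:32], material[32:]  # (encryption key, MAC key)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256: block i is
    HMAC(key, nonce || i). A stdlib-only stand-in for AES-CTR."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(password: str, device_id: bytes, plaintext: bytes,
         iterations: int = KDF_ITERATIONS) -> bytes:
    """Encrypt a keystore blob under the password for this device.
    Layout: iterations (4 bytes) || salt || nonce || ciphertext || tag."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(password, device_id, salt, iterations)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    header = struct.pack(">I", iterations) + salt + nonce
    # Encrypt-then-MAC: the tag covers the header too, so the iteration
    # count cannot be lowered by editing the file.
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def unseal(password: str, device_id: bytes, blob: bytes):
    """Return the plaintext, or None when the password, the device id or the
    file contents do not match. The tag is checked (in constant time) before
    any decryption happens."""
    hdr_len = 4 + SALT_LEN + NONCE_LEN
    if len(blob) < hdr_len + TAG_LEN:
        return None
    (iterations,) = struct.unpack(">I", blob[:4])
    salt = blob[4:4 + SALT_LEN]
    nonce = blob[4 + SALT_LEN:hdr_len]
    ciphertext, tag = blob[hdr_len:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(password, device_id, salt, iterations)
    expected = hmac.new(mac_key, blob[:-TAG_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


if __name__ == "__main__":
    # Constructed inputs: a stand-in keystore and two device identifiers.
    blob = seal("correct horse battery", b"DEVICE-A", b"constructed keystore bytes")
    print(unseal("correct horse battery", b"DEVICE-A", blob))  # the keystore
    print(unseal("correct horse battery", b"DEVICE-B", blob))  # None: other device
    print(unseal("wrong password", b"DEVICE-A", blob))         # None: wrong password
```

What this does and does not buy: an attacker who copies the file to a PC still has to guess the password, but each guess now costs PBKDF2 iterations plus knowledge of which device the file came from; an attacker who decompiles the application learns the derivation but no key, because no key is stored or computable without the password. It does not stop a user who knows the password from exporting the keystore, which is Ray's second requirement and which, as David notes, an open device cannot provide in software alone.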



[android-developers] Re: Secure area inside android

2008-06-10 Thread André Charles Legendre

Hi

You have the keystore of the browser.
You can access it from a WebView.

Andre

On Tue, Jun 10, 2008 at 6:04 PM, Justin (Google Employee)
[EMAIL PROTECTED] wrote:

 If the keystore file is password protected, why not store it
 encrypted? Then have the user enter her password to start using the
 keystore and decrypt it on demand? I believe this is the approach used
 by many keystore implementations.

 Cheers,
 Justin


 On Jun 10, 5:06 am, rayback_2 [EMAIL PROTECTED] wrote:
 Hi

 My purpose is to safely store secret keys, used for the encryption/
 decryption process, in a keystore file in Android. The keystore is
 password protected, but open to brute force attacks if it can be
 exported to regular PCs.

 I read in SDK that application can not access private memory of other
 applications, which is great, so inside a phone I am considering
 myself as safe. My concern is when the phone (device) is connected to
 computer, then everything is exportable to computer (as in emulator),
 and so is the keystore file which is then open to attacks.

 One solution to this would be to use cryptographic mini/microSD cards,
 but it's rather expensive (and besides, I could not find such a
 product).

 So my question is: Is there any area inside Android where we
 could keep private data which will not be exportable in any way?

 Sincerely
 Ray
 





[android-developers] Re: Secure area inside android

2008-06-10 Thread Wiktor

I think it'd be nice if Android had something like Keychain in Mac OS
X for storing keys and other secure data accessible for other
applications which have special permissions.

By the way I'm wondering how expensive would be adding a TPM-like
cryptographic chip to android device...

On 10 Jun, 17:09, André Charles Legendre [EMAIL PROTECTED]
wrote:
 Hi

 You have the keystore of the browser.
 You can access it from a WebView.

 Andre

 On Tue, Jun 10, 2008 at 6:04 PM, Justin (Google Employee)

 [EMAIL PROTECTED] wrote:

  If the keystore file is password protected, why not store it
  encrypted? Then have the user enter her password to start using the
  keystore and decrypt it on demand? I believe this is the approach used
  by many keystore implementations.

  Cheers,
  Justin

  On Jun 10, 5:06 am, rayback_2 [EMAIL PROTECTED] wrote:
  Hi

  My purpose is to safely store secret keys, used for the encryption/
  decryption process, in a keystore file in Android. The keystore is
  password protected, but open to brute force attacks if it can be
  exported to regular PCs.

  I read in SDK that application can not access private memory of other
  applications, which is great, so inside a phone I am considering
  myself as safe. My concern is when the phone (device) is connected to
  computer, then everything is exportable to computer (as in emulator),
  and so is the keystore file which is then open to attacks.

  One solution to this would be to use cryptographic mini/microSD cards,
  but it's rather expensive (and besides, I could not find such a
  product).

  So my question is: Is there any area inside Android where we
  could keep private data which will not be exportable in any way?

  Sincerely
  Ray