Dear Sam,

I am sure many people follow the Guardian Project, but for those who don't, here is a repost that may be worth considering.

QUOTE

Hey folks,

I'm inviting Android app developers to check out a new library from Guardian Project that aims to solve your password handling woes.

Password handling is not a trivial task. This is especially so in security and privacy conscious applications. Prompting the user for the pass is the easiest part, after that there are a myriad of questions,

* How do you store the password?
* Do you hash it?
* With which hash function?
* How many iterations?
* How do you verify the password?
* Reset it?
* How often do I prompt the user for the password?
* How do you use it to actually encrypt things?

.. to name a few. We see this issue regularly across apps using SQLCipher and IOCipher.

I present CacheWord, a library that aims to answer and implement as many of those questions as possible.

Source Code & Simple Sample
https://github.com/guardianproject/cacheword/

Security Notes
https://github.com/guardianproject/cacheword/edit/master/SECURITY.md

Complex Sample
https://github.com/guardianproject/notepadbot/tree/cacheword

NOTE: Development is still under way and this library IS NOT ready for production use. However, I'd like it to start getting some exposure and getting feedback from developers regarding the API.

Cheers,
~abel

UNQUOTE

On 20 Mar, 2013, at 1:36 AM, Sam Bull <[email protected]> wrote:

> Hey guys,
>
> Having a seamless security system is something I think is very
> important and have been thinking a lot about this recently.
>
> I recently wrote a proposal for desktop security, and maybe this might
> give you something to think about when designing security on the phone.
> http://blog.sambull.org/security-design
>
> As a quick thought about what I'd like to see. I would like to keep the
> current design, with no lock screen. Then have a settings page where you
> can choose which applications to lock. If you try to open one of the
> locked applications, it unlocks it with your keyring, asking for your
> password if needed.
>
> It would be even better if we could also allow more fine-grained
> control, as supported by each application. So, for example, the
> telephony application could allow you to access it and view everything,
> but require a password from the keyring in order to make a phone call or
> send a message. This fine-grained control should be available in the
> same settings page.
>
> As the phone is used differently to a desktop, I would suggest that the
> keyring would automatically re-lock after a time delay (like 10 mins),
> when the screen is switched off, or a combination of both.
>
> I might make a mock-up of the settings page when I get back later. What
> do people think about this design?
>
> --
> Mailing list: https://launchpad.net/~ubuntu-phone
> Post to : [email protected]
> Unsubscribe : https://launchpad.net/~ubuntu-phone
> More help : https://help.launchpad.net/ListHelp

