evaluate the need for encryption #8

Open
inthewaves opened this issue Feb 17, 2022 · 0 comments
Is there a point to using SQLCipher with an Android KeyStore key that requires no extra
authentication?

  • From the issues from Tink (used by the Jetpack Security library), the Android KeyStore is
    apparently super unreliable; sometimes, the key entries get mysteriously corrupted due to
    faulty OEM implementations or other unknown issues [1]
  • Since Android 5.0, there's mandatory disk encryption (on Android 10 and up, it's FBE). There's
    also sandboxing between apps, so other apps can't access the app's files easily anyway. Users
    of the device aren't even able to access the app's files (unless they rooted their phone?)
  • If an attacker gets root access, they can just use the KeyStore as the app's process [2]
  • From the nature / context of this app, targeted attacks don't seem to be expected

Footnotes

  1. https://github.com/google/tink/issues/535#issuecomment-912170221 and many other similar issues

  2. https://github.com/google/tink/issues/339#issuecomment-642198030
