Is there a point to using SQLCipher with an Android KeyStore key that requires no extra
authentication?
- From the issues from Tink (used by the Jetpack Security library), the Android KeyStore is
  apparently super unreliable; sometimes, the key entries get mysteriously corrupted due to
  faulty OEM implementations or other unknown issues. [1]
- Since Android 5.0, there's mandatory disk encryption (on Android 10 and up, it's FBE). There's
  also sandboxing between apps, so other apps can't access the app's files easily anyway. Users
  of the device aren't even able to access the app's files (unless they rooted their phone?).
- If an attacker gets root access, they can just use the KeyStore as the app's process. [2]
- From the nature / context of this app, targeted attacks don't seem to be expected.
Footnotes

1. https://github.com/google/tink/issues/535#issuecomment-912170221 and many other similar issues
2. https://github.com/google/tink/issues/339#issuecomment-642198030