Security

edited February 2016 in Features

One of my concerns with the security of any application is whether a virus can look at the data in your application while it is in memory and then pump it out to some server that is under their control. I am guessing that the online banking services somehow prevent this and certainly when I use the banking app on my phone they seem to use a digital rights function to prevent screenshots.

Is it possible and is it your intention to ensure that data in the PC application and the Android app is secure against this sort of attack? It would certainly be good to use Lexiy to store things like passwords but I'd have to be sure that the data couldn't be scraped before I used it for this purpose.

Comments

  • jkjjkj
    edited February 2016

    Good points. There are two vulnerabilities here.

    • settings files

    The settings file has to remember your cipher key, until you either log out, or it auto-forgets. Of course, if anyone were to get this file, they could decipher your notes. The key is removed from the file when it forgets.

    However, whilst that key is in the file, the app itself will decrypt your notes anyhow. But the vulnerability is if someone were to get that file without you knowing. They could then decrypt your notes without having to have the physical handset, if they managed to get hold of your notes file (e.g. from a backup).

    There is also the factor that removing something from a file might not really remove it from the disk. That's a secondary problem.

    Android protects other apps from accessing the local area of other apps (where I store the file). However, this can be circumvented if the device is rooted. Notably, banking apps refuse to run on a rooted device.

    • keys held in memory

    After you've provided your master key during login, it is used to generate your login key and your cipher key, then it is discarded from memory.

    However, Java doesn't really discard it! At least not right away.

    Plan

    The development of the desktop version means I am reviewing the idea of how these keys are kept. The PC version is not Java, and I want a common solution.

    The idea is to move the management of the keys into the back end. I will manually store the key file in the back end. Some OSs provide a secure erase function for parts of files and also for things in memory (I think Windows can do this, but I need to look into it).

    This might beef up the problem of keeping keys in files.

    For the memory problem, even if I make the back end really tight, there is always the problem of handing over the master key from the UI. This could be Java or it could be something woolly. There is still a potential memory problem here.

  • Oh, I'd like to add that the key "forgetting" really is forgetting. If you set it to 5 mins, I wake up in 5 mins and erase the key. Specifically, I don't compare the time of next usage to previous usage and then delete the key.

    This, of course, would mean anyone acquiring the device after the timeout could extract the key by reading the internal storage, providing they didn't run the app.
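An added example illustrating the two comments above; it is not part of the thread and not Lexiy's code. It keeps a derived cipher key only in memory as an overwritable array, wipes the master key after derivation, and erases the key when a timer fires rather than on next use. The class name, the PBKDF2 derivation and its parameters are assumptions made for this sketch.

```java
import java.util.Arrays;
import java.util.concurrent.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical key holder, written for this example (not Lexiy's code).
public class ForgetfulKeyHolder {
    private final ScheduledExecutorService timer =
        Executors.newSingleThreadScheduledExecutor(r -> {
            Thread t = new Thread(r, "key-forgetter");
            t.setDaemon(true); // do not keep the JVM alive just for the timer
            return t;
        });
    private ScheduledFuture<?> pending;
    private byte[] cipherKey; // mutable array, so it can be overwritten; never a String

    // Derive the cipher key, then wipe every copy of the master key we control.
    public synchronized void login(char[] master, byte[] salt, long forgetAfterMs)
            throws Exception {
        forget(); // drop any previous key and its timer
        PBEKeySpec spec = new PBEKeySpec(master, salt, 200_000, 256); // assumed KDF parameters
        try {
            cipherKey = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();       // PBEKeySpec holds its own copy
            Arrays.fill(master, '\0');  // the caller's buffer
        }
        // Eager expiry: erase when the timer fires, not on the next use.
        pending = timer.schedule(this::forget, forgetAfterMs, TimeUnit.MILLISECONDS);
    }

    public synchronized void forget() {
        if (pending != null) { pending.cancel(false); pending = null; }
        if (cipherKey != null) { Arrays.fill(cipherKey, (byte) 0); cipherKey = null; }
    }

    public synchronized boolean hasKey() { return cipherKey != null; }

    public static void main(String[] args) throws Exception {
        ForgetfulKeyHolder holder = new ForgetfulKeyHolder();
        char[] master = {'d', 'e', 'm', 'o', '-', 'k', 'e', 'y'}; // constructed sample input
        byte[] salt = new byte[16]; // constructed all-zero salt, for the demo only
        holder.login(master, salt, 200);
        System.out.println("after login:   hasKey=" + holder.hasKey() + " masterWiped=" + (master[0] == '\0'));
        Thread.sleep(500);
        System.out.println("after timeout: hasKey=" + holder.hasKey());
    }
}
```

Overwriting the arrays only clears the copies the application holds; the garbage collector and library internals may still have moved or duplicated the bytes, and a UI field that hands the master key over as a `String` cannot be wiped at all.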

  • edited February 2016

    An article supporting the idea that individuals and companies need to be vigilant in guarding their data on mobiles:

    http://www.thetimes.co.uk/tto/public/cybersecurity/article4693595.ece

  • Unfortunately, the article does not go into specifics like the use of a VPN, which I think is essential in these circumstances.

    Additionally, the use of long and complicated passwords means that staff have more to remember. They're going to write those passwords down somewhere, either on bits of paper or in electronic notes.

    Those electronic notes need to be secured as well.

  • If I had to come up with a solution for secure mobile computing now, it would unfortunately be to have two phones. One for private (work and personal) use whose only access to a network would be via a VPN to a secure server and one for public use where you would assume everything was in public view. This is almost what I do at home with my PCs although I'd like to improve the security still further.

    My wife has had her own phone set up by her company to have a virtual version of this on her (one) phone but it's slow and not very usable.

  • People, in general, are waking up to the idea that their personal information should be confidential. You would think this were obvious yet, for a long time, people have been willingly publishing their private lives to FB, Google and just anyone.

    However, I am seeing a social shift away from this. It's slow right now, but it's there. The government debacle on encryption back doors is testament to this fact. Until recently, this wasn't an issue because use of encrypted communications was not significant. But today, it might be.

    People are becoming aware that free services are not private. The corollary of this is that confidential services will be paid for. But, providing the costs are super low (cloud services have fallen tremendously), people will be prepared to pay a small but reasonable fee.

    The likes of FB and Google are on a collision course with this problem. I think Apple can see it, which is why they're making big bones over their iPhone security. It's good business.
