KSafe 2.1.3 - Security Patch
This is a critical security patch resolving a vulnerability where aggressive memory caching could bypass the requireUnlockedDevice hardware policy.
🔒 Security Fixes
- Fixed an in-memory cache bypass for
requireUnlockedDevice
Previously, a key-value pair written withrequireUnlockedDevice = truecould be read while the device was locked if the value or its decryption key had been cached in RAM during a prior unlocked state. This bypassed the native OS hardware security modules entirely. - Coordinated Cache Bypass Architecture
We have implemented a strict bypass mechanism across all architectural layers for keys requiring unlocked devices:- Core Level:
KSafeCorenow evaluates metadata before hitting theplaintextCacheormemoryCache, forcing a native read if an unlocked device is required. - Android Engine:
AndroidKeystoreEncryptionnow bypasses its software DEK cache and queries the Keystore hardware directly, restoring the nativeUserNotAuthenticatedExceptionon locked devices. - iOS/macOS Engine:
AppleKeychainEncryptionnow bypasses itskeyBytesCacheand queries the Keychain directly, strictly enforcing thekSecAttrAccessibleWhenUnlockedThisDeviceOnlypolicy.
Highly sensitive keys are now guaranteed to be cryptographically enforced by the underlying OS hardware on every read, fixing the lock bypass vulnerability on both Android and iOS.
- Core Level:
Full Changelog: 2.1.2...2.1.3