Get JXCore to expose native key stores #44

Open
yaronyg opened this Issue Jul 23, 2015 · 1 comment

Member

yaronyg commented Jul 23, 2015

We keep our public keys in PKCS12 files which have a password that is used to encrypt them. But that password is just a string that is burned into our app. We don't even bother to randomly generate that string since we would then have to save it in a file right next to the PKCS12 file, so what is the point? We are trying to make sure that the PKCS12 is in app only storage (so other apps can't get to it) but that's about it.

Both iOS and Android do provide for 'key stores' but they are not really useful in my personal opinion. The reason is that both just end up storing a file with the secrets encrypted using a key derived from the device key. So anyone who breaks the device key can get to those keys no problem.

In fact I would argue that the key stores are completely useless for anyone who encrypts their phone drive since that too is encrypted with a key derived from the device key.

Nevertheless if someone has a phone that isn't encrypted but does have a device key and so is 'locked' then using the key chain provides some tiny amount of protection against completely unsophisticated attackers.

So we probably should get JXCore to expose an API to access the mobile platform's key store and then use it.

@obastemur obastemur self-assigned this Jul 23, 2015

Member

obastemur commented Jul 23, 2015

Sounds good. Adding to my todo list.

@yaronyg yaronyg added the 1 - Backlog label Nov 18, 2015

@yaronyg yaronyg added the jxcore label Apr 1, 2016

@yaronyg yaronyg added enhancement and removed 0 - Icebox labels Oct 6, 2016
