Skip to content
This repository has been archived by the owner before Nov 9, 2022. It is now read-only.

Get JXCore to expose native key stores #44

Open
yaronyg opened this issue Jul 23, 2015 · 1 comment
Open

Get JXCore to expose native key stores #44

yaronyg opened this issue Jul 23, 2015 · 1 comment

Comments

@yaronyg
Copy link
Member

yaronyg commented Jul 23, 2015

We keep our public keys in PKCS12 files which have a password that is used to encrypt them. But that password is just a string that is burned into our app. We don't even both to randomly generate that string since we would then have to save it in a file right next to the PKCS12 file, so what is the point? We are trying to make sure that the PKCS12 is in app only storage (so other apps can't get to it) but that's about it.

Both iOS and Android do provide for 'key stores' but they are not really useful in my personal opinion. The reason is that both just end up storing a file with the secrets encrypted using a key derived from the device key. So anyone who breaks the device key can get to those keys no problem.

In fact I would argue that the key stores are completely useless for anyone who encrypts their phone drive since that too is encrypted with a key derived from the device key.

Nevertheless if someone has a phone that isn't encrypted but does have a device key and so is 'locked' then using the key chain provides some tiny amount of protection against completely unsophisticated attackers.

So we probably should get JXCore to expose an API to access the mobile platform's key store and then use it.

@obastemur obastemur self-assigned this Jul 23, 2015
@obastemur
Copy link
Contributor

obastemur commented Jul 23, 2015

Sounds good. Adding to my todo list.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

2 participants