Attend XDA's Second Annual Developer Conference, XDA:DevCon 2014!
5,781,664 Members 42,621 Now Online
XDA Developers Android and Mobile Development Forum

[Q] Android Security : A question for Developers (in light of govt spying, etc)

Tip us?
 
steve_77
Old
#1  
Member - OP
Thanks Meter 8
Posts: 88
Join Date: Jun 2010
Question [Q] Android Security : A question for Developers (in light of govt spying, etc)

Ok so this is a question for lets say hardcore developers, lately Ive taken an interest in android security after the Snowden revelations, (not that any of us have anything to hide), but mainly due to the simple principle of privacy in the digital age... anyhow in my research ive found various ways and sites that can help harden ones security on android , and there are also tools that have been developed to purposely get around these same security precautions on android. My question is to various developers that design security related apps, those who design custom recoveries (TWRP, CM, etc), and even those that work on fastboot (Google).

1) I know there are plenty of apps that are made for security, but are developers sure they are cleaning up (read "wiping ram, on say an app FC, a reboot, or upon receiving a fastboot request from a host")? In the age of NSA and everyone else wanting all in your business, are developers making sure that keys, and other secure info is destroyed, and not still in memory or God forbid in some file on the SD card?

2) Is there any way to make/modify the bootloader so that before you could even get to the bootloader menu (ie. fastboot/recovery/boot/etc..) the bootloader either nukes the entire RAM or fills it with random data? Granted there are always ways to get to ones data, but i was just wondering if there was consideration for the lifespan of said 'security' once one is done with some secure app are the keys tossed(?) ram cleared before deallocation, etc?

3) And... in the interim is there a way users can auto clear/wipe deallocated RAM and SD/internal storage space (as well as within the system area on rooted devices) every so often using something like the Tasker app, remote wipe or something similar?
 
HTCDreamOn
Old
(Last edited by HTCDreamOn; 21st March 2014 at 11:48 PM.)
#2  
HTCDreamOn's Avatar
Recognized Contributor
Thanks Meter 679
Posts: 811
Join Date: Jun 2012
@steve_77 RAM (at least the RAM we have in phones at the moment) is volatile, meaning it only retains data when powered, therefore there's no need to go to any lengths to wipe it. A reboot will do that. Besides, if any data is being loaded into memory at all in the first place, the NSA probably already have it . Just kidding of course, if you have measure in place already like encryption; I don't think it's possible to retrieve data from memory like that anyway, but I'm no expert.
 
steve_77
Old
(Last edited by steve_77; 22nd March 2014 at 04:12 AM.)
#3  
Member - OP
Thanks Meter 8
Posts: 88
Join Date: Jun 2010
I understand that the measures mentioned are extreme, but there is already a way to break encryption via reading the keys out of the RAM as outlined in the link provided in the previous post from a German university that was able to do it.

I'm sure this is also not the only type of tools designed to hack into peoples phones and bypass encryption, but if exiting an app does not erase/wipe the RAM allocated to that app, all that data is up for grabs. Sure in this particular case someone would have to physically have your phone, but what if there were some new way, say in the future that could use some sort of exploit to access your data, and what can be done now to mitigate this potential pitfall and make our phones more secure?
Tags
encryption, ram, security
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes