undefined | Better HN

0 pointspwnna11y ago0 comments

If your device is rooted, and by that I mean real rooted (bypassing SELinux), then it can get the encryption keys as at some point the data needs to be decrypted and viewable by you.

0 comments

kevin_thibedeau11y ago

Encryption keys can be hidden in a way that is next to impossible to decipher. Superfish level of insecurity doesn't have to be the norm. The downside is that there are no open source libraries that make this possible which is why few people know about it.

geofft11y ago

That's obfuscation, which is just an arms race; it's not security in any measurable sense. It's fundamentally equivalent to the DRM problem. And there are no open-source libraries and not a lot of public documentation about how to defeat this sort of thing, so very few people who engage in this work have a good understanding of exactly how robust it is (and, anecdotally, most people tend to overestimate their products by a lot).

The one thing you can do is to put the key in a separate hardware device, and have the hardware refuse to make the key directly available, but only do encryption or decryption operations under certain circumstances (e.g. it's audited what's running on the device). This is definitely doable with a TPM on a standard PC, and there are in fact open-source libraries that will handle this for you.

pwnnaOP11y ago

Which brings a good point: if you have root (and presumably you can even write a different kernel), how do you make sure the TPM can verify what's actually running on the processor when you can just fake it?

Or better yet, if you have full blown root, what's preventing you from just kinda LD_PRELOAD some code for that process and steal the decrypted data before it gets to the legitimate application? Or take a screenshot.

So I think the point is that Google probably will not allow this to be ran on any ROM that's not signed by some key.

1 more reply

sparaker11y ago

No you'd still need the crypt key to decode the data. Why do you assume this is stored on the device?

Someone11y ago

OK. Let's assume that key lives on Google's servers. Then, Google must send it back to the Android device that it cannot trust unencrypted (possibly in a httpd session, but that is irrelevant for this discussion. The pipe may be secure, but you poor the data in a pool that isn't secure)

jahewson11y ago

Where else would the key be?

j / k navigate · click thread line to collapse