Fwd: Hard-coded encryption key on Android

Jinyoung Hur

Nov 5, 2021, 1:28:08 AM
to securi...@chromium.org
Hi, 

Forwarding below post from chromium-dev group.
Any inputs will be appreciated. Thanks!

Jinyoung

---------- Forwarded message ---------
From: Jinyoung Hur <unknown>
Date: Saturday, October 30, 2021, 3:14:57 AM UTC+9
Subject: Hard-coded encryption key on Android
To: Chromium-dev <unknown>


Hi, 

I've noticed that on Android, login data is encrypted via a hard-coded key. [1]
According to Chrome Security FAQ [2], it seems that in other major platforms, Chromium generates and stores an encryption key using OS's user storage.

I'm curious if we have a plan for improving the hard-coded key on Android using platform's secure storage, like Android keystore system. [3]
Or, has there been any security decision like, a hard-coded key is safe enough especially on Android platform because login data is stored in app local storage?

Thanks in advance!


Jinyoung

Matt Denton

Nov 5, 2021, 4:48:23 PM
to Jinyoung Hur, securi...@chromium.org, Christos Froussios
That's correct--on platforms with encryption-by-default we don't bother to encrypt with a random key. This includes ChromeOS, iOS, and Android. I don't think that will change in the near future. The hard-coded key is a best-effort obfuscation technique to prevent simple malware techniques like memory scanning for credit cards.
