[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

FB's Conceal secure-storage API

Bullshit or not?

  It has some interesting elements to it, and would be a step in the
right direction for more-secure app content storage.  Though at its
base, it has some conceptual flaws.  If you root the device, you can get
the private key.  By design, there's no way to put the key on external
media (there's only one external microSD slot, and that contains your
encrypted files).  Files could be cached once decrypted.  And of course
it doesn't prevent a Finfisher-style screenshot-taking backdoor from
just viewing what's displayed on the screen.

  That's not going into the quality of encryption (which remains to be
seen).  Conceal uses a stripped-down version of OpenSSL for its
encryption algorithms.  Still, could be fun. =)



"Caching and storage are tricky problems for mobile developers because
they directly impact performance and data usage on a mobile device.
Caching helps developers speed up their apps and reduce network costs
for the device owner by storing information directly on the phone for
later access. However, internal storage capacity on Android phones is
often limited, especially with lower to mid range phone models. A
common solution for Android is to store some data on an expandable SD
card to mitigate the storage cost. What many people don't realize is
that Android's privacy model treats the SD card storage as a publicly
accessible directory. This allows data to be read by any app (with the
right permissions). Thus, external storage is normally not a good
place to store private information.

We saw an opportunity to do things better and decided to encrypt the
private data that we stored on the SD card so that it would not be
accessible to other apps. To do this efficiently, we built Conceal, a
set of Java APIs to perform cryptography on Android and make storage
more secure and lightweight. We created Conceal to be small and faster
than existing Java crypto libraries on Android while using memory