Alexander Zhak

Reputation: 9272

Is it secure to store SecretKey in app memory during runtime

I use AES to encrypt cached data returned from server and user password. During the main flow I initialize KeyStore and store SecureKey there, retrieving it before sending a request to server (to decrypt password) and before loading cached response (if needed).

However, I'd like to give users an option not to initialize KeyStore if they don't want to. In this case the user must log in to the application manually each time. A new SecureKey will be generated each time and stored in application memory while it is running or in the background.

My question: is it secure enough to store the once-obtained SecureKey in the app's memory (note: not hardcoded at build time), since the application may be running for several days?

Upvotes: 0

Views: 438

Answers (1)

G. Blake Meike

Reputation: 6715

What do you mean by "safe"?

If an opponent gets access to a device on which your application is running, freezes it, disassembles it, and examines the memory, they can find the password.

If your application is running on a device with a compromised kernel, the in-memory password is completely vulnerable.

If your application includes a library from a third-party advertising agency, the in-memory password is toast.

If none of these are attacks that concern you, then you are probably ok.

Upvotes: 2
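For the second scenario in the question (no KeyStore, a fresh key generated per login and held only in process memory), the practical mitigation is to keep the key's lifetime short and to wipe the raw key material when the session ends, so that the window in which a memory dump, compromised kernel or bundled third-party library can find it is as small as possible. The following is an added example, not code from the question or answer: a hypothetical `SessionKey` class that generates a random AES-256 key, uses it with AES/GCM, and zeroes the key array on `close()`. The class name, the 12-byte IV layout and the sample plaintext are assumptions for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Session-scoped AES key that exists only in app memory and is wiped on close().
 * Hypothetical helper written for this illustration, not part of the question's app.
 */
public final class SessionKey implements AutoCloseable {
    private static final int GCM_TAG_BITS = 128;
    private static final int GCM_IV_BYTES = 12;

    private final SecureRandom rng = new SecureRandom();
    // Raw AES-256 key material; this array is the copy we can zero deterministically.
    private final byte[] keyBytes = new byte[32];
    private boolean wiped = false;

    public SessionKey() {
        rng.nextBytes(keyBytes); // fresh key per login, never persisted
    }

    /** Returns iv || ciphertext || GCM tag; a new random IV is used for every call. */
    public byte[] encrypt(byte[] plaintext) throws GeneralSecurityException {
        ensureLive();
        byte[] iv = new byte[GCM_IV_BYTES];
        rng.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(keyBytes, "AES"),
               new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    /** Splits off the IV, verifies the GCM tag and returns the plaintext. */
    public byte[] decrypt(byte[] blob) throws GeneralSecurityException {
        ensureLive();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(keyBytes, "AES"),
               new GCMParameterSpec(GCM_TAG_BITS, blob, 0, GCM_IV_BYTES));
        return c.doFinal(blob, GCM_IV_BYTES, blob.length - GCM_IV_BYTES);
    }

    /** Zero the key material; call when the user logs out or the session ends. */
    @Override
    public void close() {
        Arrays.fill(keyBytes, (byte) 0);
        wiped = true;
    }

    private void ensureLive() {
        if (wiped) throw new IllegalStateException("session key already wiped");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample secret, standing in for the cached password from the question.
        byte[] secret = "constructed sample password".getBytes(StandardCharsets.UTF_8);
        byte[] blob;
        try (SessionKey key = new SessionKey()) {
            blob = key.encrypt(secret);
            System.out.println("round trip ok: " + Arrays.equals(secret, key.decrypt(blob)));
        }
        // After close() the key bytes are zero; any further decrypt() throws IllegalStateException.
    }
}
```

Two caveats a practitioner should know. First, `SecretKeySpec` clones the byte array it is given, so the JCA holds its own copy of the key until that object is garbage collected; zeroing `keyBytes` bounds the lifetime of the copy you control, but it cannot guarantee no other copy exists in the heap, which is exactly why the answer's memory-dump and compromised-kernel cases remain open. Second, if the user does allow the KeyStore path, generating the AES key inside `AndroidKeyStore` (via `KeyGenParameterSpec` with `KeyProperties.KEY_ALGORITHM_AES`) keeps the key material non-exportable, so the app process never holds the raw key at all and only the `Cipher` operations are exposed to code running in it.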
