2

Please I have the following scenario:

the app uses a password to access to some remote webservice over HTTPS;

to do so, the app asks the user the password, does NOT store it on the device (and use it in a safe manner to access the webservice).

My concern is the following: it's theroetically possible to access the memory to read the data it contains and eventually retrieve the password.

Please how do I prevent this from happening?

Thanks

Lisa Anne
  • 4,482
  • 17
  • 83
  • 157
  • 2
    Hash and salt the password maybe? – Bidhan Jun 14 '15 at 11:25
  • 2
    In addition to other safeguards, store the password in a char[] rather than a String, then overwrite the char[] after using it: http://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords – samgak Jun 14 '15 at 11:29
  • @samgak that is a pretty neat idea! Thanks! – Lisa Anne Jun 14 '15 at 11:58

2 Answers2

5

Please how do I prevent this from happening?

I wear tin-foil hats on a professional basis (besides, I think they look spiffy...), and this is beyond what I normally worry about. I'd worry about making your HTTPS code won't be the victim of a Martian-in-the-middle (MITM) attack, as that's a lot easier for an attacker to execute.

That being said, as samgak alludes to in a comment, String is immutable. Once the password is in a String, you are at risk for the attack that you describe.

If you use an EditText to collect the password, do not call getText().toString() to get what the user typed in. getText() will return an Editable, which allows you to get at characters, not a String. Then, if your HTTP client API allows you to fill in the password using a char[], once the HTTP request is done, you can clear out the contents of the char[], clear() the Editable, and then pray that EditText and kin aren't holding onto a String anywhere that represents what the user typed in. This may vary somewhat by device, as device manufacturers have had a long history of screwing around with EditText behavior, and so what may be clean in terms of AOSP code may be less clean on the hardware from some certain manufacturers.

If you are getting the password by some other means (e.g., your own set of PIN entry buttons), just avoid a String representation of the result, and wipe out the char[] when you're done with it.

CommonsWare
  • 986,068
  • 189
  • 2,389
  • 2,491
0

Yes, theoretically it is possible, when having physical access to the device. At least it possible to debug the application and to catch a value in any point when encoded/decoded, i.e. it is open.

But much more simple way it is to catch user input itself, when he enters a password. So, you not need to worry about memory sploits.

AterLux
  • 4,566
  • 2
  • 10
  • 13