
Security penetration tools are able to get sensitive information from a memory dump. As far as I know setting null to any variable should be fine I guess ... But I am unable to call Dispose on any C# variables.

Basically I am planning to store everything in keychain and whenever I get the value and after using I will be setting null to clear off...but why dispose couldn't be called ... I don't know

If there are any better way to handle sensitive data variables in xamarin kindly let me know.

Shiva
  • All bets are off when the attacker has access to your system. Is this really where you should be focusing? – Jeroen Vannevel May 02 '17 at 21:32
  • @JeroenVannevel - It's better to make this as tough as possible from the available methods – Shiva May 02 '17 at 21:33
  • There is the `SecureString` class but the APIs you are using with it need to accept that type as an argument for it to be safe to use. The only other solution is to call out to native code that can securely erase its data once you are done with it. – Scott Chamberlain May 02 '17 at 21:33

1 Answer


The Dispose() is meant to be called on those objects that implement a destructor or finalizer. To hide sensitive data that is lingering, I'm assuming you mean string values. You could implement SecureString. This will convert the area of memory where your string is stored into cipher text.

Proper usage is all over Stack Overflow for the SecureString. But not sure if it is supported via Xamarin. At least while it is cipher text, it will not be exposed via a memory dump. I warn you, it is a weird API to implement.

Greg
  • The following should be required further reading about `SecureString`: http://stackoverflow.com/questions/26190938/is-securestring-ever-practical-in-a-c-sharp-application – NotMe May 02 '17 at 21:45
  • @NotMe Yeah, I think that is the number one article that loads for `SecureString` in search. But that is one of the many great articles on it. – Greg May 02 '17 at 21:48
  • I couldn't install SecureString in my PCL ... it says it couldn't be installed, any idea please? – Shiva May 02 '17 at 23:41
  • @Shiva Just use [Xamarin.Forms' DependencyService](https://developer.xamarin.com/guides/xamarin-forms/application-fundamentals/dependency-service/introduction/) to access the native code. Using that, you set up an `interface` in your PCL project and implement the `interface` in your native projects. – hvaughan3 May 04 '17 at 18:35
  • @hvaughan3 - I am not using Xamarin.Forms ... :( – Shiva May 04 '17 at 21:44
  • @Shiva I believe the idea is the same, you will just need to do it without using `DependencyService`. So you can have a `static` ISecureString property: `public static ISecureString SecureStringInstance { get; set; }`, for example, in your PCL code. Then in your Android or iOS project, when the app starts up, you assign your platform specific interface implementation to that `static` property like: `PclProj.SecureStringInstance = new SecureStringImplementation();`. Now your PCL code can use `PclProj.SecureStringInstance` assuming that it will have native code access. – hvaughan3 May 05 '17 at 15:55
  • @hvaughan3 - Thanks, I will give it a try – Shiva May 08 '17 at 10:07
  • @Shiva Would be interested to see your implementation if you get it working. Maybe you could post it as a second answer or an edit to your question. – hvaughan3 May 08 '17 at 14:16
  • @hvaughan3 - yes, sure, will do – Shiva May 08 '17 at 15:40
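
The static-property pattern described in the comments above, sketched as an added example that is not code from any poster in this thread. Only the names `ISecureString`, `PclProj.SecureStringInstance` and `SecureStringImplementation` come from the thread; the three interface members and the pinned `byte[]` buffer are assumptions of this example, chosen because a `byte[]` can be overwritten in place while assigning `null` to a variable only drops the reference.

```csharp
using System;
using System.Runtime.InteropServices;

// Shared (PCL) project. The three members are assumptions of this example.
public interface ISecureString
{
    void Set(byte[] secret);            // takes ownership of the buffer
    void Use(Action<byte[]> consumer);  // lends the secret, never builds a string
    void Clear();                       // overwrites the secret in place
}

public static class PclProj
{
    public static ISecureString SecureStringInstance { get; set; }
}

// Platform (Android or iOS) project: one possible implementation.
public sealed class SecureStringImplementation : ISecureString
{
    private byte[] _secret;
    private GCHandle _pin; // pinned from Set() on, so the GC cannot relocate it and leave a stale copy

    public void Set(byte[] secret)
    {
        if (secret == null) throw new ArgumentNullException(nameof(secret));
        Clear();                        // wipe any previous secret first
        _secret = secret;
        _pin = GCHandle.Alloc(_secret, GCHandleType.Pinned);
    }

    public void Use(Action<byte[]> consumer)
    {
        if (_secret == null) throw new InvalidOperationException("No secret is set.");
        consumer(_secret);
    }

    public void Clear()
    {
        if (_secret == null) return;
        Array.Clear(_secret, 0, _secret.Length); // assigning null alone would not do this
        _pin.Free();
        _secret = null;
    }
}
```

This narrows the exposure window only if the value read from the keychain is never converted to a `string`: a `string` is immutable and its contents stay in the managed heap until the garbage collector reclaims that memory.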