Oh man, find Zdziarski's YouTube video showing how useless it is - you
can get the phone into a mode where it dumps everything for you. You
don't need the pin either - you just need physical possession of the
phone for a few minutes - that's it! With respect to the wipe, all one
needs is a few seconds with a paperclip and there is no chance of a
wipe (extract the SIM).

Your point about fragmented hardware is totally valid. But such pain
may be required/useful for alternate use-cases (not even security
specific). It will be interesting to see how extensions are handled as
Android continues to flourish.

TPM would allow you to securely store the private keys associated with
a client cert. And IMO that is a pretty useful thing. Especially when
there are official loads like this:
http://grack.com/blog/2010/07/07/how-we-found-a-backdoor-in-sprints-evo-and-hero-phones-and-lived-to-tell-about-it/


On Thu, Sep 2, 2010 at 4:26 PM, Chris Palmer <[email protected]> wrote:
>> I don't see anything in section-8 of the CDD that precludes such
>> hardware.
>
> But because it is not in there, users and developers cannot depend on it.
>
> Any application that makes use of extra-CDD hardware is not deployable
> on all Android devices, and would be a bad candidate for inclusion in
> the Market.
>
> A future CDD could possibly require a TPM or similar hardware, just as
> it could require a higher minimum amount of RAM someday.
>
>> The question is whether anyone is
>> finding a compelling reason to go down this road.
>
> So far, making good use of encryption + key storage/a TPM has proven
> difficult on mobile devices, in large part due to the difficulty of
> entering a good PIN or password at boot or (better) often. With
> BitLocker on a Windows 7 laptop, typing a good boot-up password is easy;
> on a mobile it's very hard. And mobiles are generally always-on, so if
> you lose the device in a cab, an attacker may well be able to figure
> out a way to get the goods without ever needing the boot-up password.
>
> Using a TPM to store keys without requiring a PIN/password is fine ---
> BitLocker even supports this mode --- but it has its problems too:
>
> http://www.wired.com/gadgetlab/2009/07/iphone-encryption/
>
> I'm not willing to go as far as Zdziarski and say "useless"; PIN-less
> TPM encryption is actually a decent way to do remote wipe (as long as
> you can send the wipe signal before the attacker wraps the phone in a
> Faraday bag). So it's a decent remote wipe feature, not a "useless"
> encryption feature.
>
> --
> You received this message because you are subscribed to the Google Groups 
> "Android Security Discussions" group.
> To post to this group, send email to 
> [email protected].
> To unsubscribe from this group, send email to 
> [email protected].
> For more options, visit this group at 
> http://groups.google.com/group/android-security-discuss?hl=en.
>
>
