It's really impossible to provide security on a rooted device. Even if you figured out a place to store the key, a rooted device could just intercept the key while it was in transit to the application, compromising your security.
I really wish people would understand that "being rootable" is a bad thing in most cases. There are ways to legitimately get "root" access to your device, such as Google's "fastboot oem unlock" command, which are safe from attackers. However, in pretty much all the cases I've seen, rooting the device involves exploiting a known security hole, which could also be used by a malicious attacker. It really shouldn't be called "rootable", but rather, "an unpatched security hole with exploits in the wild".

-- Nick

On Wed, Dec 15, 2010 at 5:18 AM, azahara <[email protected]> wrote:
> Hi everybody,
>
> I am working on a project that requires storing sensitive data on an
> Android mobile phone. Up to now, it seems that the suitable place to
> store that data is the private folder that is owned by the
> application. However, in a rooted phone this folder can be accessed
> easily.
>
> Another alternative is related to encryption. Again, the point is where
> to store the corresponding key. The security API of Android provides a
> keystore class that can contain cryptographic keys. Does anybody know
> where this file is stored? Is it necessary to create a keystore for
> each application that requires it? And how secure is the access to
> the information in this file by unauthorized applications?
>
> Any ideas or suggestions will be welcome!
>
> thanks
>
> --
> You received this message because you are subscribed to the Google Groups
> "Android Security Discussions" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to [email protected].
> For more options, visit this group at
> http://groups.google.com/group/android-security-discuss?hl=en.
