Hi Brian,

I have been working with the Android Keystore and have some doubts. I would be glad if you could answer some of them:

- Do you know why AID_SYSTEM is not given the permission to read certificates (~GET)?
- And also, why are the public certificates stored encrypted? This prevents the system from displaying the contents of the certificates to the user; other platforms only encrypt the private key.
- Browser and Email get the certificates from cacerts.bks to use in SSL. Wi-Fi and VPN cannot use these CA certs in their authentication process, and the reverse case happens with Browser and Email: they cannot use user-installed CA certs. Is there some reason for the keystores not being unified?

Thanks,
Gustavo.

On May 11, 12:51 pm, Brian Carlstrom <[email protected]> wrote:
> On Wed, May 11, 2011 at 6:03 AM, patrick Immling <[email protected]> wrote:
>
> > Is the android keystore pass-protected?
>
> yes, the UI enforces an 8 character minimum password. try it yourself.
>
> > Can any application access the key from the keystore?
>
> there are UID based restrictions, so arbitrary apps cannot access arbitrary keys. some system services like VPN and WiFi have access to system keys
>
> > Is there any security associated with the access to keys on android?
>
> the same table that defines the UID access also limits which operations are restricted to what types of users.
> From frameworks/base/cmds/keystore/keystore.c:
>
> static struct user {
>     uid_t uid;
>     uid_t euid;
>     uint32_t perms;
> } users[] = {
>     {AID_SYSTEM, ~0, ~GET},
>     {AID_VPN, AID_SYSTEM, GET},
>     {AID_WIFI, AID_SYSTEM, GET},
>     {AID_ROOT, AID_SYSTEM, GET},
>     {~0, ~0, TEST | GET | INSERT | DELETE | EXIST | SAW},
> };
>
> The whole file is only about 500 lines, I suggest just reading it over to get an idea of how it works.
>
> -bri

--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
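As an added illustration of how the quoted `users[]` table gates keystore requests (this is a model written for this thread, not code from keystore.c or from either poster), the C program below assumes three rules: the first row whose `uid` matches the caller wins, with the `~0` row as the catch-all; a request is PERMISSION_DENIED when the action's bit is absent from `perms`; and a non-`~0` `euid` redirects the caller to that uid's keys (which is why VPN and Wi-Fi can GET system keys, and why AID_SYSTEM itself cannot GET). The `AID_*` values are Android's reserved uids; the action bit values are assumed.

```c
/* Added model of the keystore.c access check, not the project's own code.
 * Lookup/euid rules and action bit values are assumptions, see lead-in. */
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
/* Android reserved uids (android_filesystem_config.h) */
#define AID_ROOT   0
#define AID_SYSTEM 1000
#define AID_WIFI   1010
#define AID_VPN    1016

/* One permission bit per keystore action (bit order assumed). */
enum { TEST = 1 << 0, GET = 1 << 1, INSERT = 1 << 2,
       DELETE = 1 << 3, EXIST = 1 << 4, SAW = 1 << 5 };

static struct user {
    uid_t uid;      /* calling uid this row applies to; ~0 = any other caller */
    uid_t euid;     /* uid whose keys the caller acts on; ~0 = caller's own */
    uint32_t perms; /* bitmask of allowed actions */
} users[] = {
    {AID_SYSTEM, ~0, ~GET},
    {AID_VPN, AID_SYSTEM, GET},
    {AID_WIFI, AID_SYSTEM, GET},
    {AID_ROOT, AID_SYSTEM, GET},
    {~0, ~0, TEST | GET | INSERT | DELETE | EXIST | SAW},
};

/* First row whose uid matches wins; the ~0 wildcard row ends the scan. */
static const struct user *get_user(uid_t uid)
{
    const struct user *u = users;
    while (u->uid != (uid_t)~0 && u->uid != uid) ++u;
    return u;
}

/* Returns the uid whose key namespace the caller is allowed to act in,
 * or -1 when the action bit is not set (PERMISSION_DENIED). */
long access_owner(uid_t caller, uint32_t action)
{
    const struct user *u = get_user(caller);
    if (!(u->perms & action)) return -1;
    return (u->euid == (uid_t)~0) ? (long)caller : (long)u->euid;
}

int main(void)
{
    printf("AID_SYSTEM GET -> %ld (-1 = denied)\n", access_owner(AID_SYSTEM, GET));
    printf("AID_VPN GET    -> %ld (owner uid)\n", access_owner(AID_VPN, GET));
    return 0;
}
```

Under these rules AID_SYSTEM can INSERT and DELETE its own keys but never read them back, while an ordinary app uid (the wildcard row) has every action but only on its own keys.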
