I'm not sure I really understand your question. Here's what I think you're saying: Android apps are written to be ephemeral, and routinely get killed (after hey have *hopefully* serialized their state into memory) and restarted at the appropriate points. But you're worried that the programmer will accidentally serialize some piece of information that they shouldn't be because it is sensitive. (E.g., this happens with tokens for webservices, for example..)
Kris On Tue, Mar 26, 2013 at 1:37 PM, Jeffrey Walton <[email protected]> wrote: > Hi All, > > I'm trying to determine the best way to securely handle state > transitions. Specifically, how to securely persist items such as > Session Keys or Session IDs between restarts due to a device rotation, > language change, etc > (http://developer.android.com/guide/topics/resources/runtime-changes.html). > > Is there a per-restart key available in the onDestroy()/onCreate() > cycle? Note that I don't want to store the secret (or an encryption > key) in a Keychain or Keystore since it can be recovered. I would > prefer something that only lives in memory with a limited lifetime > (the time it takes for the restart). > > What does Android provide at the application level to help ensure > sensitive information is not serialized in plain text across restarts? > > Jeff > > -- > You received this message because you are subscribed to the Google Groups > "Android Security Discussions" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To post to this group, send email to > [email protected]. > Visit this group at > http://groups.google.com/group/android-security-discuss?hl=en. > For more options, visit https://groups.google.com/groups/opt_out. > > -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/android-security-discuss?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
