Hello to the group,

I am working on an Android application for the Enterprise which needs to 
keep all the application's on-device data secured. 
We use an encryption scheme that requires user input to generate the data 
decryption key, and is not stored on the device - only cached in 
memory. Data is decrypted only when required. 
The application is pure Java, no native parts. We try to detect rooted 
devices and not allow the application to run on them.

Recently one of our evaluators reported that their security department 
insists that it is possible to attach a debugger on a running application 
(which is built in release mode and with the debuggable flag set to false) 
and single step the application AND examine the memory in order to retrieve 
the in-memory cached keys and data. They have not provided info or proof on 
how to do this, though.

I know that anyone can retrieve the source through decompiling, and even 
create an Eclipse project with that, but how is it possible to attach the 
debugger on the running process (which was built in release mode)? Doesn't 
Android prevent that?
Is it possible to modify the installed (and signed APK) in place so that he 
enables debugging without even uninstalling the app (which will delete all 
its data)? Is there a mechanism on Android to detect tampered/corrupted 
APKs?

I am talking mainly about a real attack on a stolen device where the 
attacker cannot afford to erase the data, and the legitimate user 
pass-phrase is not known.

As of today I was not able to find anything related to such an attack, so 
if you are aware of any resources I can consult for familiarizing myself with the 
risk and maybe taking extra measures, it would be greatly appreciated.

Regards,
Nick


