This is the first thing that comes to my mind:
https://www1.informatik.uni-erlangen.de/frost

Besides that, you said that you "try to detect rooted devices and not allow
application to run on them", and that's the first point of failure. Instead
of rooting in a traditional manner (adding su binary, superuser apk...) an
attacker could use one of the exploits available for the target device to
inject a setuid gdbserver in the device and then just attach to your
application. If gdbserver is running as root, it doesn't matter if your
application is set as debuggable or not. And this is just an example... if
you fail to detect a compromised device, the key can likely be retrieved.

On Fri, May 31, 2013 at 5:33 AM, nick lidis <[email protected]> wrote:

> Hello to the group,
>
> I am working on an Android application for the Enterprise which needs to
> keep all the application's on-device data secured.
> We use an encryption scheme that requires user input to generate the data
> decryption key, and is not stored on the device - only cached in
> memory. Data is decrypted only when required.
> The application is pure java, no native parts. We try to detect rooted
> devices and not allow the application to run on them.
>
> Recently one of our evaluators reported that their security department
> insists that it is possible to attach a debugger on a running application
> (which is built on release mode and with the debuggable flag set to false)
> and single step the application AND examine the memory in order to retrieve
> the in memory cached keys and data. They have not provided info or proof on
> how to do this, though.
>
> I know that anyone can retrieve the source through decompiling, and even
> create an Eclipse project with that, but how is it possible to attach the
> debugger on the running process (which was built in release mode)? Doesn't
> Android prevent that?
> Is it possible to modify the installed (and signed apk) in place so that
> he enables debugging without even uninstalling the app (which will delete
> all its data)? Is there a mechanism on Android to detect tampered/corrupted
> apks?
>
> I am talking mainly about a real attack on a stolen device where the
> attacker cannot afford to erase the data, and the legitimate user
> pass-phrase is not known.
>
> As of today I was not able to find anything related to such an attack, so
> if you are aware of any resources I can consult for familiarizing with the
> risk and maybe taking extra measures, it would be greatly appreciated.
>
> Regards,
> Nick
>
>
>
>  --
> You received this message because you are subscribed to the Google Groups
> "Android Security Discussions" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to
> [email protected].
> Visit this group at
> http://groups.google.com/group/android-security-discuss?hl=en.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
>

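An added example, not part of the original thread or written by either poster: a Java check that reads the `TracerPid` field of `/proc/self/status` (non-zero while a ptrace-based debugger such as gdbserver is attached) and wipes a cached key when a tracer is seen. The class name, the sample status lines and the 32-byte stand-in key are assumptions made for illustration; a check like this runs inside the process being examined, so on a device where the attacker already has root it only raises the bar.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;

public class TracerCheck {
    /** Returns the TracerPid value from /proc/<pid>/status lines, or -1 if absent or malformed. */
    static int tracerPid(List<String> statusLines) {
        for (String line : statusLines) {
            if (line.startsWith("TracerPid:")) {
                try {
                    return Integer.parseInt(line.substring("TracerPid:".length()).trim());
                } catch (NumberFormatException e) {
                    return -1;
                }
            }
        }
        return -1;
    }

    /** Fail closed: anything other than an explicit 0 is treated as "traced". */
    static boolean isTraced(List<String> statusLines) {
        return tracerPid(statusLines) != 0;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs (not captured from a real device).
        List<String> clean  = Arrays.asList("Name:\tcom.example.app", "State:\tS (sleeping)", "TracerPid:\t0");
        List<String> traced = Arrays.asList("Name:\tcom.example.app", "State:\tt (tracing stop)", "TracerPid:\t4312");
        System.out.println("clean sample traced?  " + isTraced(clean));
        System.out.println("traced sample traced? " + isTraced(traced));

        Path self = Paths.get("/proc/self/status");
        if (Files.isReadable(self)) {
            byte[] key = new byte[32]; // hypothetical stand-in for the cached decryption key
            if (isTraced(Files.readAllLines(self))) {
                Arrays.fill(key, (byte) 0); // wipe cached key material before refusing to continue
                System.out.println("tracer attached: key wiped");
            } else {
                System.out.println("no tracer attached");
            }
        }
    }
}
```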