lma | 2010-10-29, 07:35 | Posts: 2,802 | Thanked: 4,491 times | Joined on Nov 2007 | #11

2010-10-29, 07:39 | Posts: 3,159 | Thanked: 2,023 times | Joined on Feb 2008 @ Finland | #12
Thanks for all the replies. I guess the issue, in this case, is with the actual native mail client on the N900. It does not encrypt stored messages. This is a major security issue since the application does not comply with industry security standards. I was actually very surprised.
sudo gainroot

2010-10-29, 07:51 | Posts: 196 | Thanked: 224 times | Joined on Sep 2010 @ Africa | #13
Thanks for all the replies. I guess the issue, in this case, is with the actual native mail client on the N900. It does not encrypt stored messages.
This is a major security issue since the application does not comply with industry security standards.
So the correct solution is for the native email client to store this info encrypted.
I have done some other research and apparently there are a number of apps, both native and/or developed, that store info like usernames, passwords, chat messages, SMS, etc. in plain text.
For the time being does anyone know of a secure email client?
Should we report this as a bug?

2010-10-29, 07:54 | Posts: 2,802 | Thanked: 4,491 times | Joined on Nov 2007 | #14
what is the point complying with industry standards when you can bypass everything with one single sudo gainroot?

2010-10-29, 08:18 | Posts: 186 | Thanked: 192 times | Joined on Jan 2010 @ Finland | #15
And then what? Should it prompt for the decryption key every time you access a stored message? Anything else would mean the key is stored somewhere (even if it's just in RAM) which defeats the purpose.

2010-10-29, 08:31 | Posts: 2,802 | Thanked: 4,491 times | Joined on Nov 2007 | #16
The password could be asked every time the app is started for example (and that would mean no automatic mail fetching in background).
Easiest thing for a user to do is to set up home dir (or full disk) encryption. Both should be within reach, but will require some hacking.

2010-10-29, 08:46 | Posts: 186 | Thanked: 192 times | Joined on Jan 2010 @ Finland | #17
That would mean storing the key in RAM, from where it's trivial to retrieve it.
Besides, the email app is autostarted at boot time, even if you don't want it and don't even have any accounts configured :-(
But the encrypted block device/filesystem would be mounted (and thus accessible as plaintext) while the device is on. The only protection it would add would be in case the thief rebooted the device before trying to read the messages.
Strict device lock policy is also necessary, so that an average attacker is forced to clear the RAM (and the enc. key) as his first move.

2010-10-29, 09:03 | Posts: 3,159 | Thanked: 2,023 times | Joined on Feb 2008 @ Finland | #18
If you think root privileges can bypass everything, then

2010-10-29, 09:16 | Posts: 2,802 | Thanked: 4,491 times | Joined on Nov 2007 | #19
No, really, how do you do it without access to the device?
(Edit: OK, we're probably talking about different things, I meant the naive way where the GUI == app)
And how do you do it with access to a LOCKED device?
It's not about if it's running or not, it's about if it's keeping key material in RAM. Two different things.
You only quoted half of that block, and it also seems that you only read half of it. Here's the second half again:
Strict device lock policy is also necessary, so that an average attacker is forced to clear the RAM (and the enc. key) as his first move.

2010-10-29, 09:22 | Posts: 549 | Thanked: 299 times | Joined on Jun 2010 @ Australian in the Philippines | #20
Dante, I don't store the email passwords on the device (email setup), so the thief won't be able to log into the account; however, emails are being stored as plain text, which is a huge security issue.