On Mon, Jun 10, 2013 at 11:09 PM, Paul Theriault <[email protected]> wrote: > I've started a risk assessment here: > https://wiki.mozilla.org/Security/Reviews/AppsOnSDcard > I'll keep it updated as the discussion continues. > > On Jun 11, 2013, at 8:26 AM, Anthony Jones wrote: > >> On Mon, Jun 10, 2013 at 9:23 AM, Mike Habicher <[email protected]> wrote: >>> On 13-06-10 12:18 PM, Jonas Sicking wrote: >>> I think someone else has already mentioned that since USB mass storage mode >>> mounts the SD card as a block device, there's no security we can provide to >>> the contents of the SD card when the phone is plugged into a PC with USBMS >>> enabled. >> >> Using a loopback device would allow us to use directory permissions. If >> we want the data to be non-transferable then we encrypt it and store the >> key on the main flash. Storing the encryption key in the network (or the >> SIM) would make it transferable. > > In such a manner that you don't have to just steal both the sdcard & the SIM > I assume. > > Encryption is the only effective control against the just reading data off > the sdcard directly in another machine, so I think we either need to encrypt > the data, or somehow guarantee that sensitive data isn't stored on the > sdcard. It would be nice to have encryption support though anyways for > improving the protection of all data no matter where it is stored (see the > recent discussion around the Gaia credential manager).
Can you explain exactly the type of attack that you're wanting to protect against? / Jonas _______________________________________________ dev-b2g mailing list [email protected] https://lists.mozilla.org/listinfo/dev-b2g
