
Counter measures against exfiltration of user data (for unlocked devices)

Open grote opened this issue 1 year ago • 2 comments

Threat: Device is unlocked in hands of the attacker. They then use Seedvault to exfiltrate data of all apps.

Counter measures:

  • require device credential when changing recovery code (currently done), circumvention: clear app data, create new code, make new backup with known code
  • require device credential when making manual backup, circumvention: wait for automatic backup to happen or kick one off with adb shell bmgr

We should come up with more counter-measures that are harder or impossible to circumvent.

grote, Dec 09 '24 19:12

One option could be to require the device credential even on initial setup when writing down the recovery code. This would be slightly worse UX, but should ensure that the attacker can't know the recovery code without also providing device credential authentication, which seems to be our only defense here anyway.

grote, Dec 09 '24 19:12

adb shell bmgr

If adb isn't enabled, enabling Developer options does need device credentials.

chirayudesai, Dec 09 '24 19:12