Obsolete
Comments
no...@gmail.com <no...@gmail.com> #2
Due to TapLogging, password and pattern input activities [probably] should disable the accelerometer. "TapLogger: Inferring User Inputs On Smartphone Touchscreens Using On-board Motion Sensors," www.cse.psu.edu/~szhu/papers/taplogger.pdf .
no...@gmail.com <no...@gmail.com> #3
[Comment deleted]
no...@gmail.com <no...@gmail.com> #4
"Lock Pattern/Pattern uses Immutable Strings (LockPatternUtils.java)," https://code.google.com/p/android/issues/detail?id=37220 ; "Password/Pattern Serialization use 8 byte salts (LockPatternUtils.java)," https://code.google.com/p/android/issues/detail?id=37219 ; "Lock Pattern uses Unsalted SHA Hash (LockPatternUtils.java)," https://code.google.com/p/android/issues/detail?id=37218 .
Description
Also see
Not mentioned in the comments from Android Security Discuss: a PBKDF or memory-hard function should be used in 2012. Solar Designer (author of John the Ripper) provides a nice treatment of state of the art at
// Excerpt from LockPatternUtils.java: one SHA-1 and one MD5 digest of
// (password + salt), hex-encoded and concatenated. There is no iteration
// count or work factor, so each guess costs the attacker two digest calls.
public byte[] passwordToHash(String password) {
    if (password == null) {
        return null;
    }
    String algo = null;
    byte[] hashed = null;
    try {
        // Salt is appended to the password before hashing (see getSalt()).
        byte[] saltedPassword = (password + getSalt()).getBytes();
        // Both digests run over the same salted input; 'algo' is assigned
        // inline only so the catch block can report which one was missing.
        byte[] sha1 = MessageDigest.getInstance(algo = "SHA-1").digest(saltedPassword);
        byte[] md5 = MessageDigest.getInstance(algo = "MD5").digest(saltedPassword);
        // Stored form: hex(SHA-1) followed by hex(MD5), as ASCII bytes.
        hashed = (toHex(sha1) + toHex(md5)).getBytes();
    } catch (NoSuchAlgorithmException e) {
        Log.w(TAG, "Failed to encode string because of missing algorithm: " + algo);
    }
    return hashed;
}
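The following is an added example, not code from the Android source or from this issue: it places the quoted SHA-1+MD5 construction beside a PBKDF2 version (the iterated-hash replacement the description asks for) so the cost difference per guess can be measured. The class name, the fixed demo salt standing in for getSalt(), the random salt and the iteration count are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class LockHashDemo {
    // Hypothetical stand-in for LockPatternUtils.getSalt(); the real salt
    // source is not shown on this page.
    private static final String DEMO_SALT = "c0ffee1234567890";

    private static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    // Same construction as the quoted passwordToHash(): one SHA-1 and one
    // MD5 over password+salt, hex-concatenated. One digest per guess means
    // an attacker can test candidates at full hardware speed.
    static String weakHash(String password) throws NoSuchAlgorithmException {
        byte[] salted = (password + DEMO_SALT).getBytes(StandardCharsets.UTF_8);
        byte[] sha1 = MessageDigest.getInstance("SHA-1").digest(salted);
        byte[] md5 = MessageDigest.getInstance("MD5").digest(salted);
        return toHex(sha1) + toHex(md5);
    }

    // PBKDF2 (javax.crypto, available on Android) iterates an HMAC so the
    // cost of each guess scales with the iteration count. A memory-hard
    // function such as scrypt would be stronger still but needs a library.
    static String pbkdf2Hash(String password, byte[] salt, int iterations)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        KeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterations, 256);
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        return toHex(f.generateSecret(spec).getEncoded());
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];            // per-user random salt
        new SecureRandom().nextBytes(salt);
        String pw = "1234";                    // constructed sample PIN
        long t0 = System.nanoTime();
        String weak = weakHash(pw);
        long t1 = System.nanoTime();
        String strong = pbkdf2Hash(pw, salt, 100_000);
        long t2 = System.nanoTime();
        System.out.println("weak   " + weak + "  " + (t1 - t0) / 1000 + " us");
        System.out.println("pbkdf2 " + strong + "  " + (t2 - t1) / 1000 + " us");
    }
}
```

Compare the two timings: the PBKDF2 line should take orders of magnitude longer per guess, which is exactly the cost an offline attacker must also pay.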