The Risks of String

One flaw in ToDoUser is that the passphrase is being passed around as a String.

While String is convenient, String is immutable: there is no API to overwrite its contents in place. We have no way to get rid of a String, other than to let go of every reference to it, hope that it gets garbage-collected quickly, then hope that something else allocates that same bit of memory and overwrites it.

Passphrases in memory are like nuclear waste: they served a role and now are just disasters waiting to happen. Fortunately, usually, disasters do not happen, but for some people, “usually” is insufficient.

So long as passphrases remain in memory, it is possible, through advanced techniques, for them to be extracted from memory. That almost always requires somebody to have physical access to the device, be able to obtain superuser privileges (a.k.a., “root the device”), and be able to use specialized tools to save a snapshot of the app’s heap to disk. Those are significant barriers, but ones that are manageable by attackers who are skilled, wealthy, or both.

Ideally, once we use the passphrase to gain access to the encrypted database, we would clear the passphrase itself out of memory. That is not possible with a String.

This is why ToDoGen uses a ByteArray. SQLCipher for Android, by default, will “zero out” the ByteArray, replacing all its bytes with zeros, once the passphrase has been used. This ensures that the passphrase can no longer be retrieved via examining the application’s heap.
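The following is an added Kotlin example, not code from the book or from SQLCipher, showing the pattern the text describes: keep the passphrase in a CharArray/ByteArray from input to use, hand the ByteArray to the database opener for exactly one operation, and zero both arrays in a `finally` block whether or not the open succeeds. The `usePassphrase` helper and the lambda standing in for the database opener are assumptions for illustration; the `toCharArray()` on a literal exists only so the sample runs stand-alone (it briefly creates a String, which a real app would avoid by reading characters straight out of the input widget).

```kotlin
import java.nio.CharBuffer
import java.nio.charset.StandardCharsets

// Encode a CharArray passphrase as UTF-8 bytes without ever creating a String,
// and scrub the encoder's intermediate buffer once the bytes have been copied out.
fun passphraseToBytes(chars: CharArray): ByteArray {
    val encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars))
    val bytes = ByteArray(encoded.remaining())
    encoded.get(bytes)
    // A heap ByteBuffer exposes its backing array; zero it so no second copy lingers.
    if (encoded.hasArray()) encoded.array().fill(0)
    return bytes
}

// Hypothetical helper (not SQLCipher API): run one operation with the passphrase
// bytes, then zero both the bytes and the original characters, even on exception.
fun <T> usePassphrase(chars: CharArray, block: (ByteArray) -> T): T {
    val bytes = passphraseToBytes(chars)
    try {
        return block(bytes)
    } finally {
        bytes.fill(0)          // belt-and-braces: SQLCipher zeroes its copy, we zero ours
        chars.fill('\u0000')   // the typed characters are nuclear waste too
    }
}

fun isZeroed(bytes: ByteArray): Boolean = bytes.all { it == 0.toByte() }

fun main() {
    // Constructed sample input; in an app, copy chars out of the text field instead.
    val typed = "correct horse battery staple".toCharArray()
    var handedToOpener: ByteArray? = null

    val keyLength = usePassphrase(typed) { key ->
        handedToOpener = key   // stand-in for passing the key to the database opener
        key.size
    }

    println("opener received $keyLength bytes")
    println("passphrase bytes zeroed after use: ${isZeroed(handedToOpener!!)}")
    println("typed characters zeroed after use: ${typed.all { it == '\u0000' }}")
}
```

The important design choice is that the scrub happens in `finally`, so a failed open (wrong passphrase, corrupt file) leaves no copy of the secret behind either. Note that nothing here covers copies the platform may have made before the CharArray was filled (keyboard buffers, the text widget's own storage); those are outside the app's reach and are why a short lifetime for the passphrase, not just zeroing, is the goal.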



This book is licensed under the Creative Commons Attribution-ShareAlike 4.0 International license.