rene_mobile’s avatarrene_mobile’s Twitter Archive—№ 8,038

    1. …in reply to @maxzks
      @maxzks @matthew_d_green Congrats on the paper! However, I can't avoid a nitpick: Android backup has been fully E2EE with strong keys derived from HSMs locked with the user's LSKF (lockscreen knowledge factor) for 3 years (since Android 9), including insider attack resistance: research.nccgroup.com/wp-content/uploads/2020/07/Final_Public_Report_NCC_Group_Google_EncryptedBackup_2018-10-10_v1.0.pdf
      oh my god twitter doesn’t include alt text from images in their API
      Permalink On twitter.com Twitter logo rene_mobile’s avatar ♻️ 1 Retweets ❤️ 8 Favorites Mood +4 🙂
  1. …in reply to @rene_mobile
    @maxzks @matthew_d_green That is, Google cannot decrypt backups without knowledge of the user's LSKF, and the HSMs have brute force protection baked into their firmware. Forcibly overwriting this firmware will erase the stored keys, which is the insider attack resistance (IAR) part also used on-device.
    On twitter.com Twitter logo rene_mobile’s avatar ❤️ 2 Favorites Mood -1 🙁
    1. …in reply to @rene_mobile
      @maxzks @matthew_d_green Some more details can be found e.g. in security.googleblog.com/2018/10/google-and-android-have-your-back-by.html, usenix.org/conference/enigma2019/presentation/mayrhofer, and dl.acm.org/doi/10.1145/3448609
      Permalink On twitter.com Twitter logo rene_mobile’s avatar ❤️ 3 Favorites Mood 0