1

I read all the answers to "Does it help GC to null local variables in Java", where everybody agrees that nullifying a local variable in Java does not help the GC (with some specific exceptions mentioned there). However, I refer now not to Java in general, but to an Android app. Moreover, my goal is not merely to "help the GC" but to prevent a possible attacker from getting the value of the local variable before the attacker could ask for a memory dump. (Assuming the attacker has this ability.)

In short, here's my question: is it safer to assign some random value to a local variable in an Android app immediately after the actual value is no longer needed, or is this as safe as relying on GC? Why?

Monica Marcus

2 Answers

0

Each Android app runs inside its own sandbox. Your app's variables will be safe as long as you don't expose them to other applications, such as via content providers or writing variables to external storage (microSD card). Another thing to avoid is installing apps that ask for any suspicious permissions or an excessive amount.

Here is a helpful reference from Google for app security: http://developer.android.com/training/articles/security-tips.html

  • Thanks for your answer, but what about doing a memory dump? It is possible to analyze memory both statically and dynamically. – Monica Marcus Jun 24 '15 at 00:02
  • Yes, that should be possible, assuming the person hacking already has root access to the device. – Stephan Branczyk Jun 24 '15 at 00:24
  • I do not think that is possible, unless as Stephan said the person has root access. With that though, you have bigger issues to worry about. – nickle_nine Jun 24 '15 at 00:43
  • Yes, of course, @nickle_nine if the attacker has root access there are many things to worry about. But my question still remains... – Monica Marcus Jun 24 '15 at 00:50
  • The answer is no then. With Android Dalvik, each app has its own garbage collection inside its own vm, even if it is sharing memory with another application. – nickle_nine Jun 24 '15 at 02:31
  • @nickle_nine you may be right, but why? The garbage collection may be delayed, even if for a short time. An assignment statement is executed immediately as soon as the program reaches it. So then wouldn't it be possible to erase the value of the local variable before that local variable (object) is gc-ed? Then a memory dump might not reveal the erased value. Where am I wrong? – Monica Jun 24 '15 at 03:07
  • @Monica can you please give an example of how your scenario would work? Or what kind of data you are worried about someone modifying? If a variable is waiting to be garbage collected then that means you no longer care/need the variable. Without root access, app A cannot access data from app B unless app B has set up mechanisms/permissions for that to happen. – nickle_nine Jun 24 '15 at 23:29
0

Keep local variables private, so they can't be accessed from outside of this class.

Dmytro Chaban
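
An added example, not part of the original question or answers: it shows the difference the question turns on, namely that assigning a new value to a local variable only changes the reference, while overwriting the contents of a mutable `char[]` changes the object a memory dump would contain. The class name, method names and sample values are hypothetical; `heapView` is a second reference standing in for what a heap dump would see.

```java
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical demo class; all names and sample values are constructed.
public class WipeDemo {

    // Reassigning the local only changes which object the variable points to.
    static String reassignOnly() {
        char[] pin = {'4', '9', '2', '7'};
        char[] heapView = pin;                 // what a heap dump would still find
        pin = new char[] {'x', 'x', 'x', 'x'}; // "random value" assigned to the variable
        return new String(heapView);           // original array is untouched
    }

    // Overwriting the array's contents changes the object itself.
    static String wipeContents() {
        char[] pin = {'4', '9', '2', '7'};
        char[] heapView = pin;
        Arrays.fill(pin, '\0');
        return new String(heapView);           // now four NUL characters
    }

    // Typical use: hold the secret in a char[], use it, wipe in finally.
    // A String cannot be wiped this way because it is immutable.
    static byte[] deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 10000, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();        // the spec holds its own copy
            Arrays.fill(password, '\0'); // wipe the caller's buffer too
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("after reassignment: " + reassignOnly());
        System.out.println("wiped by Arrays.fill: "
                + wipeContents().equals("\0\0\0\0"));
        char[] pw = {'4', '9', '2', '7'};
        byte[] key = deriveKey(pw, new byte[16]); // constructed all-zero salt
        System.out.println("key bytes: " + key.length
                + ", password wiped: " + (pw[0] == '\0'));
        Arrays.fill(key, (byte) 0); // the derived key is sensitive as well
    }
}
```

Wiping narrows the window in which the value sits in the heap; it does not guarantee erasure, since a moving garbage collector may already have copied the array and left a stale copy behind.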