allow in-memory pass phrase for consumer release #1567

Closed
martgil opened this issue Nov 22, 2021 · 7 comments · Fixed by #1578
@martgil
Collaborator

martgil commented Nov 22, 2021

Hello sir, @DenBond7,

Good Morning!

We have the following concern from a user related to the in-memory passphrase. The user is wondering how he could use/enable the in-memory passphrase option. I checked the said feature, and the option is also disabled for me with FlowCrypt for Android 1.2.4.

Like him, I also have the following questions:

Can the duration be configured and does closing the app, locking the phone or putting the app in the background delete the password cache?
Also is the password cache memory overridden after usage or could a memory dump even afterwards show the password?

Reference: https://mail.google.com/mail/u/2/#inbox/FMfcgzGlksLZDKQHlXVwZQzFjZdjKnNv

Thanks,
Mart Gil

DenBond7 self-assigned this Nov 23, 2021
@DenBond7
Collaborator

Hi Mart,

> The user is wondering how he could use/enable the in-memory passphrase option. I checked the said feature, and the option is also disabled for me with FlowCrypt for Android 1.2.4.

For now, this option is available for enterprise builds only. You can ask @tomholub about plans for regular customers.

> Can the duration be configured

For now, we have timeout == 4 hours. After this timeout, a passphrase will be removed from RAM. Maybe we will add some settings in the future to be able to configure it.

> and does closing the app, locking the phone or putting the app in the background delete the password cache?

It is a somewhat difficult question to answer. It depends on the system, Android version, phone manufacturer, and so on. We can only guarantee that a passphrase will not be in RAM after 4 hours. But if the app is excluded from RAM for various reasons (a user killed the app process, the system killed the app process due to a low level of RAM, the app itself crashed, etc.), the passphrase will be removed from RAM.

You can find more details here: #372

> Also is the password cache memory overridden after usage

After timeout == 4 hours a user should retype a passphrase.

> or could a memory dump even afterwards show the password?

This is another difficult question to answer. In short, if a user has a non-rooted device, he will not be able to make a dump of RAM.
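
An added example, not FlowCrypt's code and not part of the comment above: a minimal Kotlin sketch of a passphrase cache that lives only in process memory, expires after the 4-hour timeout mentioned in the thread, and overwrites its buffer on expiry. The class name, method names, the `CharArray` storage and the injectable clock are all assumptions made for illustration.

```kotlin
import java.util.concurrent.TimeUnit

// Hypothetical class for illustration; not FlowCrypt's implementation.
class InMemoryPassphraseCache(
    private val ttlNanos: Long = TimeUnit.HOURS.toNanos(4), // timeout value from the thread
    private val clock: () -> Long = System::nanoTime // monotonic; on Android, SystemClock.elapsedRealtime() also counts deep sleep
) {
    private var secret: CharArray? = null
    private var storedAt = 0L

    // Stores a private copy; the caller should wipe its own array afterwards.
    @Synchronized
    fun put(passphrase: CharArray) {
        wipe()
        secret = passphrase.copyOf()
        storedAt = clock()
    }

    // Returns a copy the caller must wipe after use, or null once the timeout has passed.
    @Synchronized
    fun get(): CharArray? {
        val current = secret ?: return null
        if (clock() - storedAt >= ttlNanos) {
            wipe()
            return null
        }
        return current.copyOf()
    }

    // Overwrites the buffer before dropping it. Best effort: a moving garbage collector may leave stale copies.
    @Synchronized
    fun wipe() {
        secret?.fill('\u0000')
        secret = null
    }
}

fun main() {
    var now = 0L // constructed fake clock so the timeout can be exercised instantly
    val cache = InMemoryPassphraseCache(clock = { now })
    val typed = "constructed sample passphrase".toCharArray()
    cache.put(typed)
    typed.fill('\u0000') // wipe the caller's copy
    check(cache.get() != null) // still cached before the timeout
    now += TimeUnit.HOURS.toNanos(4)
    check(cache.get() == null) // expired: buffer zeroed, user must retype
    println("expired and wiped")
}
```

Because the cache is an ordinary object in the app's heap, it disappears when the process is killed, matching the behaviour described in the thread. A passphrase held as a `String` cannot be overwritten this way, which is why the sketch uses `CharArray`.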

@martgil
Collaborator Author

martgil commented Nov 23, 2021

Hi Den,

Thank you so much for sharing your thoughts about it. It's very helpful, and I have a better understanding of it now.

I will update the concerned user now.

Thanks again,

@martgil
Collaborator Author

martgil commented Nov 23, 2021

Hi @DenBond7,

In case the user wants to use the enterprise builds to use this feature, are these builds manually sent/available to the customer at the moment?

@DenBond7
Collaborator

@tomholub Could you add more details here? I'm not sure I have all related info.

@tomholub
Collaborator

We can enable this for consumers too. @DenBond7 is it just a matter of enabling the disabled input? Or is it more work than that?

@DenBond7
Collaborator

> is it just a matter of enabling the disabled input? Or is it more work than that?

Just need to change a few lines

@tomholub
Collaborator

Ok. Then we can enable this for the next release.
