 The JVM has the String pool. An area of memory which is NEVER garbage collected. It only cleans itself on heap dump or application restarts. Unless you are encrypting client-side, your PII and credentials are stored in plain text in memory. #NoMoreJava  
 That sounds like a nightmare... but in Android runtimes it is one memory map per app, right? 
 That gets a little complicated. The short answer is yes, but there are not any security measures preventing heap dumps from memory access violations. If your application is on the device, it can cause a dump and grab the info from it.  
 does this require an exploit in the app itself or is this an exploit in linux LXC namespaces? 
 Neither. This is a weakness in how the JVM responds to invalid memory access. While there are some security issues existing in the LXC namespace, they do not correlate with this issue.