Securely Store Sensitive Data in RAM

When an application is in use, user- or application-specific data may be stored in RAM and not properly cleared when the user logs out or the session times out. Because Android keeps an application in memory (even after use) until the memory is reclaimed, encryption keys may remain in memory. An attacker who finds or steals the device can attach a debugger and dump the memory of the application, or load a kernel module to dump the entire contents of RAM.

Do not keep sensitive data (e.g., encryption keys) in RAM longer than required. Nullify any variables that hold keys after use. Avoid using immutable objects (such as Java strings on Android) for sensitive keys or passwords; use a char array instead. Even if references to immutable objects are removed or nulled, the objects may remain in memory until garbage collection occurs, which the app cannot force.
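As an added example (not part of the original text) of the char-array advice above, the Java below derives a key from a password on Android and zeroes every buffer the app itself controls on every exit path; the class and method names, the PBKDF2 parameters and the sample password are my assumptions, and the "PBKDF2WithHmacSHA256" algorithm name assumes a platform that provides it (Android API 26 or later).

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public final class ShortLivedKeyMaterial {

    // Derive an AES-256 key from a password held in a char[] (never a String).
    // Both the caller's buffer and PBEKeySpec's internal copy are overwritten
    // on every exit path, so no plaintext password waits for garbage collection.
    static byte[] deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();        // zeroes the copy PBEKeySpec made
            Arrays.fill(password, '\0'); // zeroes the buffer we were handed
        }
    }

    // Returns iv || ciphertext. The raw key bytes are zeroed as soon as the Cipher
    // is initialised. Caveat: SecretKeySpec and Cipher keep internal copies that
    // Java gives no way to clear, so keep their scope this narrow; never cache them.
    static byte[] encrypt(char[] password, byte[] salt, byte[] plaintext) throws Exception {
        byte[] keyBytes = deriveKey(password, salt);
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(keyBytes, "AES"),
                   new GCMParameterSpec(128, iv));
            byte[] ct = c.doFinal(plaintext);
            byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
            System.arraycopy(ct, 0, out, iv.length, ct.length);
            return out;
        } finally {
            Arrays.fill(keyBytes, (byte) 0);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo input only: a real app takes the chars from the input widget,
        // because this literal is itself an immutable String the app cannot clear.
        char[] password = "constructed demo password".toCharArray();
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        byte[] blob = encrypt(password, salt, "session token".getBytes("UTF-8"));
        System.out.println(blob.length + " bytes; password zeroed: " + Arrays.equals(password, new char[password.length]));
    }
}
```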

There are some recommendations for clearing those buffers in a way that survives compiler optimizations (a plain overwrite of memory that is never read again may be optimized away), but they are all toolchain-, language- and platform-dependent.