Bug #3714
passwords with non-ASCII chars will not work if OS is upgraded to 4.4.2/android-20/KitKat
Status: | New | Start date: | 09/05/2014 | |
---|---|---|---|---|
Priority: | Normal | Due date: | ||
Assignee: | - | % Done: | 0% | |
Category: | - | |||
Target version: | - | |||
Component: |
Description
Due to a bug in Android's implementation of PBKDF2WithHmacSHA1
, which is what CacheWord uses. It was only using the first 8-bits of any unicode character when deriving a key from a password. This was fixed in KitKat, but that means that a password with non-ASCII characters in it will then cause a different key to be generated since it is now using all the bits of the unicode characters.
https://android-developers.blogspot.com/2013/12/changes-to-secretkeyfactory-api-in.html
So if a user installed this app on <4.4.2, set a password with non-ASCII characters, then upgraded to 4.4/KitKat or newer, they will be locked out.
This should be entirely handled in CacheWord, but that has not be done yet.
Related issues