Description
The SQRL protocol declares that the identity master key must never be written, even briefly, into non-volatile memory, only existing in RAM. Although the application never explicitly breaks this rule, some investigation needs to be carried out into whether Android breaks it. In particular, the unencrypted master key is passed between several Activities when the identity is first created, using the Parcelable interface to achieve this. It is possible that the master key could be written to disk as a side-effect. Better care could also be taken with regard to how long the decrypted key remains in RAM, as it currently exists until the garbage collector destroys it. Implementing a reference counter and forced delete of the key would be a much better and more secure solution.
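A sketch of the reference counter and forced delete proposed above, added here as an example and not taken from the project's code. `MasterKeyHolder` and `Lease` are hypothetical names, and the design assumes the Activities run in one process and fetch the key from this holder instead of receiving it inside a Parcelable.

```java
import java.util.Arrays;

/** Hypothetical in-process holder for the decrypted master key (illustrative names). */
public final class MasterKeyHolder {
    private static final MasterKeyHolder INSTANCE = new MasterKeyHolder();
    private byte[] key;    // null when no key is held
    private int refCount;  // number of open leases

    private MasterKeyHolder() {}
    public static MasterKeyHolder get() { return INSTANCE; }

    /** Copies the key in, then zeroes the caller's array so one plaintext copy remains. */
    public synchronized void store(byte[] source) {
        if (refCount > 0) throw new IllegalStateException("key in use");
        wipe();
        key = Arrays.copyOf(source, source.length);
        Arrays.fill(source, (byte) 0);
    }

    /** Every user takes a lease; closing the last open lease wipes the key. */
    public synchronized Lease acquire() {
        if (key == null) throw new IllegalStateException("no key loaded");
        refCount++;
        return new Lease();
    }

    private void wipe() {
        if (key != null) { Arrays.fill(key, (byte) 0); key = null; }
    }

    public final class Lease implements AutoCloseable {
        private boolean closed;

        /** Returns the live array, not a copy; callers must not retain or clone it. */
        public byte[] bytes() {
            synchronized (MasterKeyHolder.this) {
                if (closed) throw new IllegalStateException("lease closed");
                return key;
            }
        }

        @Override public void close() {
            synchronized (MasterKeyHolder.this) {
                if (closed) return;          // closing twice must not double-decrement
                closed = true;
                if (--refCount == 0) wipe(); // forced delete instead of waiting for GC
            }
        }
    }
}
```

The Activity handing the key on has to keep its lease open until the next one has called `acquire()`, otherwise the count reaches zero and the key is wiped in between. Zeroing is best effort on a managed runtime, since a moving garbage collector may already have left an earlier copy of the array elsewhere in the heap.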