Making sure password is gone from termux and system memory (overwritten by random or nulls)

[passcombo]

When I use a password in termux:

1. will be saved in termux history
2. temporarily will be saved in RAM memory

I'd like to learn how to make sure the password string is deleted from RAM and termux memory so that it will not be possible to be accidentally used by another app scanning memory.

[sylirre]

Sorry, but I can't understand how password management is related to Termux application itself. Termux app is just a terminal emulator. It is only a convenient interface for working with shell.

As Termux developers team we develop only Termux app and few helper utilities. We do not develop bash, coreutils, git, openssh and the most of other packages that you can install. This means password handling is in complete responsibility of third parties who developed such software. If you have concerns about security of specific package, visit its home page (can be seen by apt show <your-package-name>) and try to contact the author.

I would not go into details (other wise it worth for long article), but it is not possible for Termux to wipe passwords from memory of other programs.

Now what you can do:

• Minimize exposure of passwords to interactive shell session. Technically this is the only way Termux has direct access to your password. Use command reset to discard terminal buffers.
• Learn some shell usage tips, for example: https://medium.com/@prasincs/hiding-secret-keys-from-shell-history-part-1-5875eb5556cc
• Don't store passwords in plain text on your device.

If your device has an app scanning memory, then you have much more things to worry about: the device is fundamentally compromised. It is actually hard to distinguish password from other data of process memory. Much effective just to collect what you are typing on keyboard.

P.S. Passwords and other data should gone from memory once the process terminates. No need for manual cleanup.

[passcombo]

Thanks, good tips! Just try to minimize exposure and we can never fully trust devices, so to minimize exposure good to know how to clear buffers. The mobile keyboards are another problem of itself - they tend to collect what is being typed to "help" later with suggestions. It's kind og trend to collect as much user data as possible, and how do we know if those collected texts will no leak when a new dev will join mobile phone keyboard app? How do we know if they are not sending these suggestions to the central/keyboard app dev? Since many apps requires connections security is often a concern on many layers.

[sylirre]

If you have concerns about data leaking, check if you can turn off networking for specific apps that should not need Internet.

On my device the setting can be accessible by: Android settings --> Applications --> (app name) --> Network usage. In menu there should be something like:

• Background
• Wifi
• Mobile data

If all three are turned off (or except Background), the app won't have Internet access anymore.

That seems also to improve battery life to some extent, if networking allowed only to few apps that really need it.

In general that's really not a question of Termux.