Currently I am looking to develop an application for mobile devices that would be hosted by the mobile device's browser.
As I understand, when the browser operation of the device is suspended/hibernated, i.e. the phone rings and they answer the call, then the browser state is written to memory (NAND) and is unencrypted. This state includes everything that is inside the OSI 6 & 7. For example, everything that is viewable from the screen.
Is this understanding correct? If so, is it possible to encrypt this data (without using the native API) and can this be configured on the device?
Note: This question is aimed at both Android and iOS.
The following is for Android.
There is no such concept in Android. Android devices do not use Linux swap.
This does not involve “suspended” or “hibernated” as those terms are used in modern operating systems. The browser process simply moves to the background.
What “state” a browser retains is up to the implementer of the browser. There are many browsers for Android.
When a browser writes whatever state there is, is up to the implementer of the browser as well. There are many browsers for Android.
Whether a browser elects to encrypt that state is also up to the implementer of the browser as well. There are many browsers for Android.
Note that the user may also have elected to encrypt such state, insofar as they turned on whole-disk encryption for their Android 4.0+ device. That is independent of whether the browser itself does any encryption. Note that it is theoretically possible that a browser will persist “state” to external storage, which may yet be unencrypted — encrypting external storage may be an option for the user.
Users can enable whole-disk encryption if they so choose. You are welcome to implement your own Web browser that stores “state” encrypted, if you so choose. If you use in-browser storage mechanisms, you can elect to encrypt the data you pass to those APIs, if you so choose.
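The answer's last point, encrypting the data you pass to in-browser storage APIs, as an added example that is not part of the original answer. The function names (`deriveKey`, `putEncrypted`, `getEncrypted`) are hypothetical, `storage` is any object with `localStorage`'s `setItem`/`getItem`, and the key is assumed to come from a passphrase the user enters each session, so it is never written next to the ciphertext.

```javascript
// Added example (not from the original answer): encrypt before persisting.
// Assumption: the AES key is derived from a user passphrase and kept only in
// memory; the stored record holds salt, IV and ciphertext, never the key.
// Browsers and current Node expose globalThis.crypto; the fallback is for older Node.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder(), dec = new TextDecoder();
// Base64 helpers; adequate for small records such as tokens or form state.
const b64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const unb64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// PBKDF2-SHA-256 -> non-extractable AES-256-GCM key.
async function deriveKey(passphrase, salt, iterations = 600000) {
  const material = await wc.subtle.importKey(
    "raw", enc.encode(passphrase), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Encrypt `value` and store it under `name`. A fresh salt and IV are used per
// write, and the entry name is bound in as additional authenticated data so a
// record copied under a different name fails to decrypt.
async function putEncrypted(storage, name, value, passphrase) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12));
  const key = await deriveKey(passphrase, salt);
  const ct = await wc.subtle.encrypt(
    { name: "AES-GCM", iv, additionalData: enc.encode(name) },
    key, enc.encode(JSON.stringify(value)));
  storage.setItem(name, JSON.stringify({ v: 1, salt: b64(salt), iv: b64(iv), ct: b64(ct) }));
}

// Returns the value, undefined if nothing is stored under `name`, or null if
// the passphrase is wrong or the record was modified or moved.
async function getEncrypted(storage, name, passphrase) {
  const raw = storage.getItem(name);
  if (raw === null) return undefined;
  try {
    const rec = JSON.parse(raw);
    const key = await deriveKey(passphrase, unb64(rec.salt));
    const pt = await wc.subtle.decrypt(
      { name: "AES-GCM", iv: unb64(rec.iv), additionalData: enc.encode(name) },
      key, unb64(rec.ct));
    return JSON.parse(dec.decode(pt));
  } catch {
    return null;
  }
}
```

This covers only what the application itself hands to the storage API; whatever else the browser retains about the page remains up to the browser's implementer, as the answer says.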