Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Android Encryption Privacy Software

Popular Android Package Uses Just XOR -- and That's Not the Worst Part 277

siddesu writes A popular "encryption" package for Android that even charges a yearly subscription fee of $8 actually does nothing more than give a false sense of security to its users. Not only is the app using a worthless encryption method, it also uses weak keys and "encrypts" only a small portion of the files. One wonders how much snake oil flows through the app stores, from "battery savers" to "antivirus." What is the most worthless app purchase you made? Did you ask for a refund?
This discussion has been archived. No new comments can be posted.

Popular Android Package Uses Just XOR -- and That's Not the Worst Part

Comments Filter:
  • Web sites (Score:5, Insightful)

    by danbob999 ( 2490674 ) on Sunday April 05, 2015 @07:49PM (#49411935)
    CTIA - "The Best App of CTIA by the Techlicious 2012 Best of CTIA Awards"
    PC Magazine - "PC Magazine Best Apps"
    TRUSTe - Received "TRUSTe Privacy Seal"
    Global Mobile Internet Conference App Space - "A top 50 app"

    Thanks, I will take a note to never trust these web site reviews.
    • Yeah, before downloading any app I google it to see what the reviewers say. No or few reviewers? I don't take the chance.
    • Google search of
      "CTIA nq vault" no relevant result
      "PC magazine nq vault" => 4/5 by junior software analyst Sara Yin
      "TRUSTe nq vault" => indeed [truste.com]
      "Global Mobile Internet Conference App Space" => ???
      • Re:Web sites (Score:4, Informative)

        by pushing-robot ( 1037830 ) on Sunday April 05, 2015 @09:29PM (#49412301)

        http://www.techlicious.com/gui... [techlicious.com]

        http://gmic2012.greatwallclub.... [greatwallclub.com] (I imagine NQ Mobile's Vault is the 'Vault' listed, NQ published a press release [nq.com] about it)

        I can't find a free copy of PC Magazine's 2012 best apps, but given the others I have little reason to doubt it. The average reviewer has nary a clue about cryptography, and from an end user standpoint, the app seems well made and has several clever features. It would be easy to assume the app lives up to its claims.

        Mind you, it still seems a useful app just for its ability to hide content from casual snoops (the app can even hide its presence on the device), though it is quite overpriced and likely to disappear after this entirely deserved PR disaster.

        • "The average reviewer has nary a clue about cryptography"

          The average user's review is of no value anywhere.

          Just go Amazon and check the reviews of any item at hand, say, a french skillet. They are "physical" items, the kind of things people have been using for ages and still, half of the reviews will be more or less like "the item arrived this morning; I haven't used it yet, it's still in its package so I didn't even see it, but I'll give it five stars because, hey, I'm happy".

    • Re:Web sites (Score:5, Informative)

      by macklin01 ( 760841 ) on Sunday April 05, 2015 @10:53PM (#49412503) Homepage

      Here's the TRUSTe info:

      http://privacy.truste.com/privacy-seal/NQ-Mobile-US-Inc-/validation?rid=e0f97027-af9a-4b8a-91b5-2a33c58a520a [truste.com]

      It only seems to cover security/privacy of their ecommerce site. So, their shopping cart may be secure, but it says nothing about app security as they seem to imply in their press releases [nq.com], etc.

    • by galaad2 ( 847861 )

      looks like the company has quite a few such "protection" apps deployed on the play store and they even use their stock ticker symbol in the developer name, lol.
      https://play.google.com/store/... [google.com]

      NYSE:NQ feeling slashdotted in 3..2..1... now... https://finance.google.com/?q=... [google.com]

    • by gl4ss ( 559668 )

      you trusted those websites before this? that's funny, sorry.

      my most worthless purchase from play store? GTA III, probably. why? i don't make lots of purchases from the android market, play market or whatever they want to call it this year.

      and that had it's worth only brought down by the crappy sniping control, which made one mission way too hard.

    • Re:Web sites (Score:5, Interesting)

      by AmiMoJo ( 196126 ) * on Monday April 06, 2015 @04:36AM (#49412989) Homepage Journal

      Maybe they read the actual description of the app. The only thing it claims to encrypt is text messages, which TFA doesn't bother to check. The description doesn't claim to encrypt files, so unless it has been changed since the article was written it seems to be making stuff up to complain about.

      The app hides files on your device. It does that by using a simple XOR cypher to encrypt the header of files and make them invisible to apps like the Gallery that look for files with valid JPEG/PNG/GIF headers. It works perfectly, the XOR cypher has the desired effect. Obviously it won't stop forensic examination from finding and decrypting the files, but it doesn't claim to. It's an app designed to hide your nude selfies and dick pics, not stops the NSA/GCHQ dataraping your phone.

  • by ArcadeMan ( 2766669 ) on Sunday April 05, 2015 @07:51PM (#49411945)

    Unless it's used with ROT13.

    • by Gordo_1 ( 256312 )

      Twice.

      • I prefer to up my security level by using ROT13 exactly 24 times. I mean, you can't make heads nor tails of that mess of letters.

      • by ls671 ( 1122017 )

        I find it gives much harder to decrypt data when running it 3 times.

    • XOR is much much faster than your run-of-the-mill encryption algorithm.

    • Wait!? They just released the remastered version. When did Rise Of the Triad 13 come out?
    • Funnily enough, XOR is used in a number of encryption schemes, but for it to work you've gotta make a bitstream to XOR the plaintext with. Like, encrypt a random value, then re-encrypt the result, repeat over and over, then line them all up and use that as an XOR pad.
  • by hey! ( 33014 ) on Sunday April 05, 2015 @07:51PM (#49411949) Homepage Journal

    is that it doesn't matter how weak your keys are!

    • by MichaelSmith ( 789609 ) on Sunday April 05, 2015 @07:55PM (#49411963) Homepage Journal

      Also its implemented directly in the CPU, so both encryption and decryption are very fast.

    • by hcs_$reboot ( 1536101 ) on Sunday April 05, 2015 @08:34PM (#49412089)
      If the key is as long as the message, XOR is not that weak.
      • by ShakaUVM ( 157947 ) on Sunday April 05, 2015 @08:59PM (#49412195) Homepage Journal

        In fact, it's unbreakable if you do it right. (http://en.wikipedia.org/wiki/One-time_pad)

        I'm disappointed that the person who submitted the story said "Just XOR".

      • by swillden ( 191260 ) <shawn-ds@willden.org> on Sunday April 05, 2015 @10:02PM (#49412403) Journal

        If the key is as long as the message, XOR is not that weak.

        As long as the key is as long as the message, and all of the key is unpredictable, and is never reused, then you have a provably unbreakable encryption system called a one-time pad. However, if you ever reuse the key someone can XOR the two ciphertexts together and the result will be the XOR of the two plaintexts, which can often be disentangled. Also, if the key is somewhat predictable, plaintext can be recovered. The US actually managed to decrypt some texts encrypted with a Russian one-time pad system, because the keys were produced by humans pounding "randomly" on typewriters... except humans aren't very good at generating random keystreams.

      • by Beryllium Sphere(tm) ( 193358 ) on Sunday April 05, 2015 @11:51PM (#49412603) Journal

        And what data structure do you have lying around at encryption time that's as long as the plaintext?

        That's right, the plaintext. Use that as your one time pad. It saves you the headache of generating high-quality randomness if you just XOR the plaintext with itself.

        The resulting ciphertext is not only theoretically unbreakable without the key, it is also highly compressible for economical transmission.

    • If the key is as long as the message and only used once XOR is ok.

  • by fuzzyfuzzyfungus ( 1223518 ) on Sunday April 05, 2015 @07:57PM (#49411979) Journal
    I hardly expect high standards, adherence to even basic good practice, or other non-awfulness from most of the wretched 'app' morass; but I'm a bit surprised that whoever made this one found it easier to build a hilariously worthless system from scratch, rather than misuse, and probably violate the license of, some existing encryption library or command line application(or, y'know, go crazy and use the Android Cryptography API)...

    There's still plenty of room for error when using someone else's tools, so I wouldn't necessarily expect the results to be bulletproof; but "actually uses an encryption algorithm; pity it fucks up key management." would at least be doable.
  • ROT13 (Score:5, Interesting)

    by Trax3001BBS ( 2368736 ) on Sunday April 05, 2015 @08:02PM (#49411989) Homepage Journal

    I mentioned to the subscription that Microsoft used Rot13 to "encrypt" some registry entries in version W2K (I think was the version)

    After reading bout XOR, ROT13 would be just about as good.

    Not familiar with ROT13? = Abg snzvyvne jvgu EBG13?

    • by Dunbal ( 464142 ) *
      Everyone knows that real pros use the _strrev function...
    • That reminds me of some Office version, maybe 2000, where the string "Microsoft Office" in the code was XOR encrypted with a key of 1 byte. The password "protected" documents were also dumbly encrypted (a Linux tool broke that in no time).
    • As others have pointed out, xor is actually very strong - unbreakable in fact, IF the key is long enough. A key may be made long enough by any of many key-stretching algorithms. Also, the same portion of the identically stretched key shouldn't be reused.

      In practice, that means that plain xor by itself is limited to either a) short plaintexts such as passwords or other keys or b) highly secure one time pad based systems, which require that key books be shared ahead of time. XOR can also be used as an es

      • Your first line is wrong, wrong, very wrong. XOR is unbreakable if used with a proper one-time pad, but no output of a key stretching algorithm is going to meet that bar. The absolutely essential characteristic of a one-time pad is that every value it could contain is equally likely.

        What you're trying to describe is more like how stream ciphers, such as RC4 work: you supply a key, and the cipher stretches that key into a bitstream of whatever length you require. XOR that bitstream with the plaintext to get

    • No, if you want an easy and unbreakable encryption system for your text just use EBCDIC. No programmer has stayed sane long enough to implement it.
      • No, if you want an easy and unbreakable encryption system for your text just use EBCDIC. No programmer has stayed sane long enough to implement it.

        meh, dd if=ebcdic conv=acsii

  • by turkeydance ( 1266624 ) on Sunday April 05, 2015 @08:06PM (#49411997)
    What is the most worthless app purchase you made? Did you ask for a refund? 1. several were worthless. 2. no. only cost $0.99. bottom line: gave up on the smartphone in 2013. have a dumb phone now. ignorance is bliss.
    • I've thought about it, and while agree most of the smartphone universe is pointless, I do like Google Maps, Shazam and my mobile banking. Apart from that and maybe a few things like large hi-res screen, email and camera, the rest of the smartphone world can go jump.
      • Re: (Score:3, Informative)

        Comment removed based on user account deletion
        • I never had a flip phone, but I always thought having one that played a Star Trek communicator chirp when opened would be cool.
        • Comment removed (Score:5, Interesting)

          by account_deleted ( 4530225 ) on Sunday April 05, 2015 @09:53PM (#49412371)
          Comment removed based on user account deletion
          • You're talking about "feature phones" by the sounds of it. The old Nokia ones were not bad at all. They were excellent for calls and the UI, especially for calls, texts and the address book was far better than any Android phone I've ever used.

            They also had a J2ME interpreter and ran some apps like a basic email client and so on. I could even thether through mine using a cable and some old style modem calls.

      • by pspahn ( 1175617 )

        I would like to report that I have been free of a cell phone for approximately 3 years now and am still alive, happy, and savvy to the things happening in the world.

        You don't need to have that thing attached to your face at all hours of the day.

        • There is a discipline to not letting it control your life. I see people who are slaves to their devices and make a conscious effort to not fall into that trap. No silly games or FB, I very rarely even answer it unless I'm expecting a call. Let calls go to voicemail and listen when I feel like it. But having the technology available for when you want it is handy (ie maps or transport schedules when traveling).
    • by x0ra ( 1249540 )
      I don't know, I never bought a single app...
    • by Grishnakh ( 216268 ) on Sunday April 05, 2015 @09:53PM (#49412373)

      Have fun living in the past.

      Here's the reasons my smartphone is extremely valuable to me:
      1) Mobile internet access / WiFi hotspot: I can use my phone to give my laptop internet access anywhere there's cellular data service available.
      2) Camera: it's not as good as a dedicated camera, but it's better than no camera at all, and is really handy for taking quick photos of things if image quality isn't paramount. Also can take reasonably good videos. You never know when you'll need to film the cops beating someone.
      3) Email access: While definitely not as powerful as reading it and typing on my laptop, it's handy to be able to check my email on-the-go.
      4) Voice mail: With Google Voice, I can see a transcript of people's rambling voicemail messages. I can read them in seconds, instead of having to waste time listening to them drone on and on.
      5) Games: I like doing crosswords when I'm stuck somewhere and bored and have nothing better to do. The "Shortyz" app is brilliant for this.
      6) Weather: My phone tells me what the temperature in my zipcode is, and can easily bring up further weather info. It's nice knowing what the high and low will be without having to watch the weather report on TV like in the bad old days, or having to get to a computer to look on a weather website.
      7) Google Maps: I use this for navigation all the time. I really don't know how I ever got along without it; oh yeah, I do know, it was horrible, as I had to mess around with paper maps, stopping and asking for directions, making wrong turns, getting lost, etc. Maybe if you never leave your little town or go anywhere new, you won't see the point of this, but for those of us who travel a lot and move frequently it's a godsend. It's also amazingly useful for finding businesses, looking up their phone numbers, seeing their hours at a glance, etc.
      8) Texting: For close friends this is pretty handy for staying in touch at times, though I don't use it that much. Smartphones make this better with an actual (on-screen) keyboard, instead of the shitty dumbphone method of using the 0-9 keypad to try to type messages.
      9) Playing music (like a "walkman" if you remember those): I can store my entire music collection in my phone and play anything I want through headphones, like when I'm at the gym. No need for a separate iPod. You can also use internet music services like Pandora.
      10) Alarm clock: I not only don't need a separate alarm clock, I can set multiple alarms for all kinds of different events. It also has a stopwatch and a countdown timer.
      11) Calculator: With the "RealCalc" app, I have an on-screen calculator and looks and works a lot like my old HP-48G RPN calculator.
      12) Flashlight: It's handy to have a flashlight on hand sometimes.
      13) Uber/Lyft: With these apps, you can call up a ride easily, see where the car is, and pay for it all with your phone and without having to mess around with calling for a cab and talking to people.

      If you don't see the need for a smartphone, you probably live an extremely simple life consisting mostly of sitting in a rocking chair on your porch and watching the world go by all day long. For those of us who aren't retired and idle, it's an enormous convenience.

      • Have fun living in the past.

        I really hope that the future contains more than the dubious benefits of owning a smartphone.

    • What is the most worthless app purchase you made? Did you ask for a refund? 1. several were worthless. 2. no. only cost $0.99. bottom line: gave up on the smartphone in 2013. have a dumb phone now. ignorance is bliss.

      And that is what they are counting on. If you cheat a billion people out of $1, then hopefully those billion people won't care enough about it to tell the net person not to buy it. P.T. Barnum rides again.

  • by pcritter ( 2606235 ) on Sunday April 05, 2015 @08:08PM (#49412007)
    There's nothing wrong with XOR for encryption as long as your key size is >= plain text size. In fact it's uncrackable!
  • DMCA (Score:5, Funny)

    by martin-boundary ( 547041 ) on Sunday April 05, 2015 @08:39PM (#49412125)
    I think Slashdot should take down this article. Under the DMCA it's illegal to bypass flimsy methods intended to enforce security.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      you are modded funny, but the sad thing is your post is actually informative.

    • Re:DMCA (Score:4, Informative)

      by swillden ( 191260 ) <shawn-ds@willden.org> on Sunday April 05, 2015 @09:58PM (#49412389) Journal

      I think Slashdot should take down this article. Under the DMCA it's illegal to bypass flimsy methods intended to enforce security.

      To be precise, it's illegal to bypass flimsy methods intended to enforce copyright. Since this tool isn't marketed as a DRM system, the DMCA doesn't apply.

  • So encryption. What are you protecting? Many Many passwords to your banking, health care, etc. ?

    So the question re:

    • Data value?
    • Data value lifetime?
    • Data Recoverilability?

    You can build a sophisticated cypher that does not require polynomials, massive primes or any of the stuff that RSA uses in an afternoon with a little imagination that will stifle pretty much anyone except for the most ardent code breakers. So the questions need to be answered.

    Create a two dimensional array each dimension being 64K in siz

  • Thought it would unlock the java/android lessons. Turns out they needed a subscription for that.
  • Google them. They're a publicly traded company. NQ Mobile [google.com]
  • by aaronb1138 ( 2035478 ) on Sunday April 05, 2015 @10:29PM (#49412461)
    I make it a rule to never pay for an app to provide what should be basic OS functionality. Whole device encryption is pretty well handled in Android. There are lots of areas where I make do with available tools, like TRWP for point in time / image backups. If I find a specific, basic feature missing, I'm not terribly above obtaining decent software through alternate channels (root / administrative access browsers, configuration changing applications).

    It's silly that Windows XP from 2001 still has a better list of basic OS functionality, bundled applications, and diagnostic tools than either Android or iOS can claim today. I'd gladly pay for a phone OS separate from my phone if I could get solid functionality covered.

    Android also falls way short of iOS and Windows Phone for device to device migration. Settings and preferences from apps only migrate if they are Google first party or if the app developer stores your settings on their server and uses a Google (or similar) sign in. Setting up a new device, or even ROM is nowadays a longer process (~4 hours) than on a PC to get everything operational, and that is with using tools like Titanium Backup and similar.
    • by PRMan ( 959735 )
      My new phone started downloading immediately as soon as I logged into Google. It definitely didn't take 4 hours. I was 99% functional within the hour.
  • by gweihir ( 88907 ) on Sunday April 05, 2015 @11:58PM (#49412615)

    You could at least have some minimal accuracy in the stories. XOR is not a problem and perfectly secure if used with a secure key-stream, like is done in modern stream ciphers. The problem here is that this is a "Vigenère cipher", where a very short, repeating key-stream is used. It was designed in 1553 and a general break was published in 1863.

    • secure key-stream, like is done in modern stream ciphers.

      RC4 biases paper (PDF) [cr.yp.to] would like to hear more about your secure key streams...

      Yes, XOR can be used as a component of perfectly secure cipher (and is, indeed, used in one part or another of many real-world ciphers) but in practice the most popular stream cipher in the world is broken.

  • So the single byte key is derived in some undiscovered manner from the password. Given how weak the encryption is known to be already, I wonder if one out of 256 encryption keys turn out to be a zero byte. In such a case, the encryption would leave the file unchanged. (Could be patched with "key=key?key:1;")

  • After reading just the title I thought that they were bragging - other people have figured out how to use just NAND gates to build their computers (theoretically) - WE USE ONLY XOR!!!!! :)

    (Thankfully, the summary cleared it right up for me)

  • char
    EncryptChar(char x)
    {
            return 0;
    }

  • The "app" Start Scratch is a scam, in my opinion. My daughter (9) is quite keen on programming using Hopscotch on the iPad, but it is very limited at the moment. At school, she's been introduced to Scratch which can do a lot more, so I figured that it would be good to get Scratch for the iPad so she can use it at home. So I do a search on the iOS App Store and find Start Scratch, which appeared to be the Scratch environment as an iOS app. So I bought and paid the $1.49 - admittedly not a lot. But after some

We are Microsoft. Unix is irrelevant. Openness is futile. Prepare to be assimilated.

Working...