Slashdot Mirror


WhatsApp Is Using IMEI Numbers As Passwords

mpol writes "In the past, WhatsApp has been criticized over their insecure use of XMPP. Recently, new versions of their app have incorporated encryption. It seems the trouble isn't over yet for WhatsApp and its users. Sam Granger writes on his blog that WhatsApp is using IMEI numbers as passwords. This is at least the case with the Android app, but other platforms are probably using similar methods. Since someone's IMEI number is easily readable, this isn't really secret information that should be used for authentication."

102 comments

  1. Seriously? by thePowerOfGrayskull · · Score: 4, Insightful

    The intent of this blog post is not give “hackers” or “scriptkiddies” any funny ideas, but merely for awareness.

    And yet, after reading the blog post, I see he made no mention of warning whatsapp, giving them a chance to alter this, etc.

    Nicely done with the "responsible disclosure".

    1. Re:Seriously? by Lehk228 · · Score: 4, Insightful

      responsible disclosure is something earned by responsible actions on the part of developers.

      do something retarded and you deserve to have it blow up in your face like that

      --
      Snowden and Manning are heroes.
    2. Re:Seriously? by Anonymous Coward · · Score: 5, Insightful

      If an app's security is so clueless, it's quite arguably more responsible to give them maximum public humiliation by not allowing the producer to water down the announcement with a PR show about fixing a flaw they never should have allowed to ship.

      Yup, the app's users are /possibly/ more exposed to script kiddies briefly (the flaw may be well known outside the greater public already), but that's offset by having more people made safer by just dropping the app in revulsion. Also it inflicts maximum pain on the producer for a bonehead move; sometimes maximizing the negative-feedback part of learning is real important.

      It's not a simple call to make. I like responsible disclosure, but it's just not always a black-white call.

      Also, "so what?" -- by that I mean only we're always going to have a percentage of people who simply say 'this shit is broken' without contacting the producer. That's got to be factored into developing anything, and glaring at the messenger is pointless. It's a fact of the social milieu.

    3. Re:Seriously? by watice · · Score: 1

      wow. sorry i didn't spend my last mod point on you. Realer words have never been typed.

    4. Re:Seriously? by MrHanky · · Score: 2, Informative

      Meh. It's a proprietary extension to a free protocol, with lock-in included. Fuck them.

    5. Re:Seriously? by Anonymous Coward · · Score: 0

      I recently installed the BlueStacks Android emulator on Windows and then joined WhatsApp. Their authentication SMS obviously failed but I was given an option for WhatsApp to call and give me a code which I could use to confirm via the BlueStacks instance. Therefore any IMEI number from my cellphone could not have been used as a password.

    6. Re:Seriously? by Anonymous Coward · · Score: 0

      Sorry, but what obligation does the blog owner have to WhatsApp?

      I don't work for free, and I don't expect the blog owner to either.

    7. Re:Seriously? by Anonymous Coward · · Score: 0

      The auth method has been publicly available since at least May 29th, as per the README here https://github.com/venomous0x/WhatsAPI/blob/63639eafc9a08fd308df72458f1381ec8899940d/README.md

    8. Re:Seriously? by Anonymous Coward · · Score: 0

      Right, did whatsapp provide responsible notice regarding what they had planned to do? Or is this a one way street?

    9. Re:Seriously? by kylegordon · · Score: 5, Informative

      There's no need for responsible disclosure when it's been around for months on Github.

      Just check https://github.com/venomous0x/WhatsAPI/blob/63639eafc9a08fd308df72458f1381ec8899940d/README.md and you'll see.

    10. Re:Seriously? by Bogtha · · Score: 2

      I see he made no mention of warning whatsapp

      This isn't an accidental security vulnerability, they deliberately designed their system this way. They obviously already knew their system works this way.

      --
      Bogtha Bogtha Bogtha
    11. Re:Seriously? by Anonymous Coward · · Score: 0

      And yet, after reading the blog post, I see he made no mention of warning whatsapp, giving them a chance to alter this, etc.

      Dude, Whatsapp has a terrible track record when it comes to security. Embarrassment is the only thing they might take seriously. Originally they used the cell phone number as the authenticator. The IMEI is a slight improvement.

      But Whatsapp still copies your entire address book (you should have read the terms & conditions) and spams your contacts.

      But I still don't get why whatsapp is so popular. It's just instant messaging. But there are lots of IM networks with a large user base (google, ICQ, MSN, etc) that also work with non-mobile devices.

      Whatsapp only works with mobile devices, and brings nothing new to the table.

    12. Re:Seriously? by Anonymous Coward · · Score: 0

      Some of this is out of date, though. If you look at packet sniffs on the latest versions, it's not cleartext as this doc says.

    13. Re:Seriously? by Anonymous Coward · · Score: 5, Insightful

      Only part of the security community believes in responsible disclosure, a large portion of the community is for 'full disclosure', like the post in question here.

      Great example: Security Researchers point out 29 vulnerabilities in Java 7 to Oracle in April, with Proof of Concept code and everything. Oracle patches 2 of the vulnerabilities in the June update. Someone else finds some of the same flaws and exploits them in the wild. Oracle only fixed them after they were being actively exploited. Turns out the fixes were a band-aid at best: with a little refactoring, Security Explorations (the Polish researchers in question) updated their Proof of Concept code, and all of the exploits still work even after Oracle's 'patch'.

      Without the huge public pressure from public disclosure, Oracle just ignores the vulnerabilities.

    14. Re:Seriously? by carlos92 · · Score: 1

      The only thing new it brings to the table is that it feels more like a replacement of SMS. It's easy to install (they obviously prioritized ease of use over security) and it works with your contacts that are already stored on the phone.

    15. Re:Seriously? by Anonymous Coward · · Score: 5, Insightful

      So, let's allow a bunch of people to get hacked because the developer doesn't meet your standards. That's not a dick move at all.

    16. Re:Seriously? by Anonymous Coward · · Score: 0

      Nicely done with the "jumping to conclusions and being an ass without knowing anything about the situation".

    17. Re:Seriously? by Anonymous Coward · · Score: 0

      Who said it's cleartext? The readme on github from 3 months ago says

      The password is hashed and happened to be an MD5’d, reversed-version of the mobile’s IMEI (International Mobile Equipment Identity) or equivalent unique ID

      Same in TFA:

      your password is likely to be an inverse of your phone's IMEI number with an MD5 cryptographic hash thrown on top of it (without salt).

      md5(strrev('your-imei-goes-here'))

    18. Re:Seriously? by Anonymous Coward · · Score: 0

      I tutor math students on my own time, for free. If a math student is obviously not attempting to work the problem, I avoid him like the plague. He will only either: 1. Expect me to teach him basic concepts he should already know (and will nod his head even if he doesn't get it thus ensuring everything I say that follows sails over his head). 2. Try to get me to do the work for him.

      If you contact someone who has made no apparent effort to learn anything about security and try to discuss a security problem they are likely to do the same thing (and probably won't pay you, either).

    19. Re:Seriously? by Anonymous Coward · · Score: 1

      Maybe people will start being more careful about which companies they trust.

    20. Re:Seriously? by Anonymous Coward · · Score: 0

      I'm not talking about the password, dumbass. Read the whole readme.

    21. Re:Seriously? by mwvdlee · · Score: 2

      Responsible disclosure has nothing to do with the developer, it's meant to protect its users.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    22. Re:Seriously? by Anonymous Coward · · Score: 0

      And this is relevant to the vast majority who are using their cellphones for this exactly how?

    23. Re:Seriously? by Anonymous Coward · · Score: 1

      The "dick move" here would be to let people remain ignorant about the fact that they are using a "dick" company. Whether they mentioned it to whatsapp or not is entirely inconsequential to the much larger issue of whatsapp being total morons when it comes to security in the first place.

      If my neighbour was worried about security, locks his doors but I notice he always leaves the bathroom window open, I would mention that to him, pointing out his security problem. But if he buys a big sturdy security gate and plops it down on his driveway without even connecting it to his fence, then I'm more likely to laugh about him over a beer with my mates. Stupidity doesn't deserve feedback.

      But if I then saw someone giving their valuables to my neighbour for "safe keeping", you can bet your ass I'd mention that to them, not to my neighbour. He's already proven he doesn't take it seriously.

    24. Re:Seriously? by 2fuf · · Score: 1

      The problem with this attitude is that the end users get the shit poured over them, as a retribution for the developers' lack of responsibility.

      What kind of dick do you have to be to think that's fair?

    25. Re:Seriously? by Hatta · · Score: 3, Insightful

      "Responsible disclosure" is a completely disingenuous term. Full disclosure is the only responsible route.

      --
      Give me Classic Slashdot or give me death!
    26. Re:Seriously? by Hatta · · Score: 2

      The person who delays announcement of a security hole is allowing a bunch of people to get hacked. If a "security researcher" found the hole, you have to assume a black hat has as well. Make the announcement immediately, so those affected can take the affected systems offline immediately, or make other arrangements.

      Failing to announce vulnerabilities immediately is a dick move that only protects the people that made the vulnerable product.

      --
      Give me Classic Slashdot or give me death!
    27. Re:Seriously? by noh8rz9 · · Score: 0

      whats whatsapp? i've never heard of it. is it on the app store?

      --
      let's have a conversation! let me know what you think.
    28. Re:Seriously? by lindi · · Score: 1

      I have never used whatsapp but I was still fully aware that they use IMEI as a password. This was no secret.

    29. Re:Seriously? by JoeMerchant · · Score: 1

      Failing to announce vulnerabilities immediately is a dick move that only protects the people that made the vulnerable product.

      Wrong, it protects and benefits the black hats who are using the vulnerability even more...

    30. Re:Seriously? by DMiax · · Score: 1

      Sure, they should have alerted WhatsApp that they programmed their system to use IMEI as passwords...

      Hey! I just noticed that you wrote your comment and pushed the submit button and now everyone can read your thoughts! Are you aware of that?

    31. Re:Seriously? by DMiax · · Score: 4, Insightful

      since the app did not pop out of nowhere but someone wrote it, I have to assume that WhatsApp already knows that they are using IMEI as passwords and they are clearly ok with that. It's not a bug or something that slipped in. It is not a side effect of another decision: it is how they intended it to work and it is stupid. The only people who don't know are the current and prospective users, hence full disclosure.

    32. Re:Seriously? by burne · · Score: 1

      Your IMEI is 00-000000-000000. Remember that the checksum calculation is optional.

    33. Re:Seriously? by r1348 · · Score: 1

      Not so much. The best way to protect users is to let them know that the programs they're using are insecure.
      For what we know, a black hat might have discovered this vulnerability (of the moronic kind) months ago and already be exploiting it in the wild without user knowledge. Full disclosure fixes this lack of information; the developer now should really fix the app.

    34. Re:Seriously? by kelemvor4 · · Score: 1

      Well.. it's Oracle. Did you really expect them to provide good support?

    35. Re:Seriously? by LingNoi · · Score: 1

      Regardless of it being a dick move..

      > So, let's allow a bunch of people to get hacked because the developer doesn't meet your standards.

      If it's breakable then it's just poor security. This isn't tabs or spaces. This is either you can break into someone's account or you can't.

    36. Re:Seriously? by Anonymous Coward · · Score: 0

      Up until 2 days ago, at least, the cleartext servers still worked. They most likely still do, except that they've changed some bits in the authentication method, so the third-party APIs can't work for a little while until someone figures out what bits changed to what.

    37. Re:Seriously? by Pausanias · · Score: 1

      Why would anyone ever want to use WhatsApp over google voice is something I don't get.

    38. Re:Seriously? by monzie · · Score: 1

      I wish I had mod points. You hit the bull's-eye there. Developers cannot be stupid and then expect others to be kind to them. Yes I develop mobile apps as well - and if I ever do something this stupid, I deserve to have it blow in my face.

    39. Re:Seriously? by Dishevel · · Score: 1

      Not true.
      If you find yourself dealing with a company that fixes the things you disclose in a timely manner, then just throwing exploits out and sitting back
      with your popcorn, trying to see if the hackers can fuck the public over before the company can fix it, makes you just a dick.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    40. Re:Seriously? by tlhIngan · · Score: 1

      So, let's allow a bunch of people to get hacked because the developer doesn't meet your standards. That's not a dick move at all.

      OTOH, who's to say they haven't ALREADY been hacked and this disclosure merely was bringing attention to the public?

      That's the problem with responsible disclosure - it's really hard to do. Wait too long and people exploit it without your knowledge. Wait too short and they have no chance to fix it (and how long is "enough"? QA processes vary and some places do extensive testing to ensure things don't break, others only do a casual (i.e., it compiles) and ship that).

      And then you have to figure out how much to tell people. I mean, tell too little and the developer just says "it's a theoretical hack". Tell too much and people cry "you just told everyone how to hack everyone's account!".

      It's just like how PSN was shut down last year. It wasn't because hackers got the information and triggered some sort of Sony network monitoring alarm. It was because a bunch of people were getting PSN downloads (games and DLC) for free using PS3s that should never have been able to access it. Only when they looked deeper did they realize something was wrong. But until then, who knows how much data was taken, or how long they had access to it?

  2. What's WhatApp? by Anonymous Coward · · Score: 0

    And who cares what it uses for passwords?

  3. What the fuck is WhatsApp? by Anonymous Coward · · Score: 0

    And why should I care?

    Also. Get off my lawn.

  4. I love the last line of the article by Meshach · · Score: 5, Insightful

    The intent of this blog post is not give “hackers” or “scriptkiddies” any funny ideas, but merely for awareness.

    Yes and porn is watched for the acting.

    --
    "Maybe this world is another planet's hell"
    Aldous Huxley
    1. Re:I love the last line of the article by Anonymous Coward · · Score: 2, Funny

      Yes and porn is watched for the acting.

      porn with acting is called drama on HBO

      spartacus

    2. Re:I love the last line of the article by Viceice · · Score: 3, Insightful

      Porn _IS_ watched for the acting. Because it sure isn't watched for the plot, story or any other production value.

      --
      Sometimes I wish I was a plumber, then I'd know how to deal with other people's shit.
    3. Re:I love the last line of the article by Anonymous Coward · · Score: 0

      Porn _IS_ watched for the acting. Because it sure isn't watched for the plot, story or any other production value.

      At least they're good about filling in the plot holes.

  5. I call... by msauve · · Score: 1

    Acronym abuse! If you use an acronym, spell it out the first time you use it, or expect your communications to be taken as nonsense.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:I call... by Anonymous Coward · · Score: 0

      There could also be some more description in the summary such as what WhatsApp is!

    2. Re:I call... by Anonymous Coward · · Score: 0

      Your problem might or might not be solved by RTFA.

    3. Re:I call... by Anonymous Coward · · Score: 0

      Would it be so hard to actually put it in the summary?

    4. Re:I call... by Anonymous Coward · · Score: 0

      Look, if you're completely uninformed about a subject on a technical website, maybe you ought to quit complaining and just read the damn article. Summaries are already full of mistakes as it is, the last thing we need is a bunch of redundant acronym explanation crap because people are ignorant and can't bother clicking the URLs.

    5. Re:I call... by AuMatar · · Score: 1

      If you're on a tech website and reading an article about cell phones without knowing what an IMEI is, you're hopeless to begin with. It's a common enough acronym that no, they shouldn't spell it out- you should stop being a dumbass.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    6. Re:I call... by Anonymous Coward · · Score: 0

      BIOYA.

    7. Re:I call... by bipbop · · Score: 1

      I don't think that's true. People should be expected to raise themselves to minimum standards, not meet them ahead of time. After all, it's basically effortless to look it up and learn what it means, and lazy evaluation in reading slashdot doesn't have any negative consequences I can think of.

    8. Re:I call... by MikeBabcock · · Score: 1

      The number of people who ask me what acronyms and even plain English words mean while in front of an Internet-connected PC or smart phone just astounds me. I keep saying "Google it" and they keep looking at me stupid.

      So you type the word you're looking up into Google, hit enter, and voila, it's probably the first result.

      --
      - Michael T. Babcock (Yes, I blog)
    9. Re:I call... by AuMatar · · Score: 1

      If you type " define" it's almost always the first result. Works well for acronyms too.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    10. Re:I call... by AuMatar · · Score: 1

      That was supposed to be "<word> define".  Fuck slashcode, I posted it as plain old text.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    11. Re:I call... by Anonymous Coward · · Score: 0

      This would be what Preview is for, Holmes. (And character entities.)

    12. Re:I call... by msauve · · Score: 1

      LOL

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    13. Re:I call... by Anonymous Coward · · Score: 0

      You call it minimum standard, yet readers ought to rise to it by reading TFA. Kinda useless argument.

      And I agree. If someone reads an article about mobile phone equipment and doesn't know what an IMEI is AND doesn't have the mental capacity to do a Google search, he has absolutely no point for argument.

  6. This is why Apple got rid of the UDID... by SuperKendall · · Score: 1

    Even though the UDID was not supposed to be used for authentication-like purposes, some app developers were leaning on it... really better to just make apps create a UUID themselves and make use of that. Of course, then for authentication you need a real login of some kind.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:This is why Apple got rid of the UDID... by Anonymous Coward · · Score: 0

      Even popular apps like Pandora. Learned that one the hard way with a used iPhone.

    2. Re:This is why Apple got rid of the UDID... by petsounds · · Score: 1

      Same thing with Social Security Numbers; they were never supposed to be used as a Federal identification number, but companies wanted to track people in a more consistent manner and there was no alternative. In both cases, that doesn't forgive the companies for using these numbers.

  7. Not Quite by Anonymous Coward · · Score: 1

    To be fair, they are using the MD5 of the IMEI. Not just the IMEI in plain text. But I think people are more worried about someone getting their WhatsApp info from the IMEI, and not the other way around.

  8. warning? by kenorland · · Score: 4, Insightful

    What good would a "warning" do? This isn't some accidental security slip-up, it's a sign of utter incompetence.

    1. Re:warning? by Anonymous Coward · · Score: 0

      You misunderstand what the disclosure is for. You seem to think it's to be nice to the software developers.. a chance to fix their mistake.

      that is NOT what disclosure is for.

      Disclosure is to give the software developer a chance to fix the problem and issue a patch before hackers become aware of the issue. It is to be nice to the USERS of the software. The people who had no say in how it was developed.

      Say FU to the developers for being incompetent.. fine. They're idiots anyway, I don't care.

      But why do you feel the need to say FU to the software users, who had no idea that the software was vulnerable, and now may need to deal with hackers exploiting the problem?

    2. Re:warning? by Anonymous Coward · · Score: 0

      With such a gaping hole it's quite likely that hackers have already found the vulnerability and are already exploiting it or working on exploits. Don't be so sure you're protecting users by keeping it quiet.

      "Responsible" disclosure is responsible only if the vulnerability is not too obvious. The disadvantage of alerting the bad guys must be weighed against the advantage of putting pressure on the vendor to make repairs as quickly as possible.

      In this case the hole is big and the vendor has shown incompetence or indifference in such a big way that it does not give much confidence in how they will respond if they are not forced to respond adequately. Making it explode in their face may be what this vendor needs to become aware of the importance of security, and it puts pressure on them to take it seriously (which they obviously haven't until now, otherwise they would have built a better authentication method). Despite the risks of a full public disclosure this may actually be the best thing to do for the users.

    3. Re:warning? by Anonymous Coward · · Score: 0

      Disclosure is to give the company's lawyers time to send you a letter.

    4. Re:warning? by Anonymous Coward · · Score: 0

      >Disclosure is to give the software developer a chance to fix the problem and issue a patch before hackers become aware of the issue.

      Hah, with a black market in the billions about that, fat chance. They already knew.

  9. Re:Nobody Seems To Notice and Nobody Seems To Care by viperidaenz · · Score: 1

    Don't forget your tinfoil hat

  10. Anybody who cares about their security... by Anonymous Coward · · Score: 0

    Anybody who cares about their security with mobile texting should be using one of the services out there that are designed for it, like Gliph or TigerText.

    WhatsApp has had security problems in the past, and it seems like their users really don't care.

  11. nice app to use this by Anonymous Coward · · Score: 0

    http://javazkript.blogspot.in/p/download-thatsapc.html

  12. Always the same stupid, stupid mistakes by gweihir · · Score: 3, Insightful

    Why are these people not asking _one_ person that understands security before implementing the same tired old stupid mistakes again? There is not even space for responsible disclosure here. The only things to tell users is to stay away from this insecure trash. If they make beginners mistakes like these, there is likely no way to fix this app without a complete re-design.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Always the same stupid, stupid mistakes by StripedCow · · Score: 1

      In case you didn't notice, these days companies are only after the quick buck. This means that they target as large a group of people as they can with minimal effort. This in turn means that security, for example, gets neglected. In other words, the reason is companies have found out that they can exploit the following concept:

      99% OF USERS DON'T CARE

      --
      If Pandora's box is destined to be opened, *I* want to be the one to open it.
    2. Re:Always the same stupid, stupid mistakes by ahoog · · Score: 2

      They don't even have to ask. After years of doing mobile security audits, we compiled 42+ best practices for secure mobile development and posted it free online. It's just that secure development takes extra time (and talent) and very few are willing to make that commitment. https://viaforensics.com/resources/reports/best-practices-ios-android-secure-mobile-development/

      --
      Andrew Hoog
      viaForensics
    3. Re:Always the same stupid, stupid mistakes by Anonymous Coward · · Score: 1

      13 and 14 are kind of bullshit. If an "attacker" can modify your code, you've already lost. Obfuscating your code to make it harder to crack the binary is not security, it's obfuscation. It might give comfort to those seeking solutions to the impossible problems (DRM, copy protection) but in the end it won't help you beyond preventing the most casual/unskilled crackers, and it will make your job as a developer harder.

      Basically if you can't trust the integrity of your own address space you've lost, there is no sense in denying it by making your code harder to read.

    4. Re:Always the same stupid, stupid mistakes by gweihir · · Score: 1

      They are not BS, they are shifting attacker effort. Depending on your attacker model, that may or may not make the app more secure. Unfortunately, that is worth far less than it seems and can even lower security.

      Unfortunately, it looks like most attackers are not that rational (the Homo economicus is a nice theoretical model, but unfortunately complete BS in practice, as there are basically none of these creatures around) and will keep at one target a lot longer than is economically viable. That means simple obfuscation techniques may keep the kiddies out that do not get it, but no advanced attacker will be impressed in the least. (As you rightfully point out.) As targeted attacks are on the rise (and these are not done by incompetent kiddies in general), obfuscation techniques are even worse than BS, as they create a false sense of security.

      I know from personal experience that it is extremely hard to explain the non-value of such techniques that seem to work on first glance to non-experts (read: managers) and to explain to them that their level of preparedness is actually far, far lower than they think. If that explanation fails, these techniques make the system actually less secure, because other steps that would have helped are not undertaken. After all, "it is already secured".

      So, calling this BS is far too nice ;-)=)

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:Always the same stupid, stupid mistakes by gnasher719 · · Score: 1

      One goal should always be to make an attack expensive. That doesn't help _your_ app very much, but it helps _everyone_. If it was more expensive to attack _your_ app, then the attacker has less money or time to spend on attacking other apps, and if other apps are more expensive to attack, then anyone who attacked those apps has less money and time to attack your app.

      The perfect app would be one that is actually safe, but looks as if it could be attacked successfully, making an attacker waste their time. So obfuscation as _first_ line of defense is useful. Not as protection, but as a drain on the bad guys' money.

  13. In a way it's useful by Z00L00K · · Score: 1

    But they should use the IMSI number, not the IMEI number. And combine it with a password, then you get into a better level of security than with only a password since you are using something you have.

    However with the recent rise in malicious apps for phones using the phone for anything secure is risky.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  14. New password by Anonymous Coward · · Score: 0

    Couldn't they just use said IMEI and mix the user name or another mix inside of the imei for the password to keep the identifier unique?

    1. Re:New password by Anonymous Coward · · Score: 0

      The issue is having something unguessable, not something unique.

  15. If they aren't doing anything wrong... by Anonymous Coward · · Score: 0

    "If they aren't doing anything wrong, what have they got to hide? Why do they need to encrypt things?"

    Any discussion about security has to have that in there somewhere. This time I got there before the NSA dude...

  16. Apple removed UDID by gnasher719 · · Score: 1

    Anyone who writes mobile apps _must_ have noticed that Apple is removing the APIs to read UDIDs (Universal Device Identifiers) - because of privacy concerns, and because using a device to identify a user is stupid in the first place. IMEI numbers are supposed to be unchangeable, so they are UDIDs as well, so it is obvious that the reasons why UDIDs shouldn't be used apply to IMEI numbers as well.

    I don't write Android code, but I would be sure that they have some easy means for an app to generate a UUID (Universally Unique Identifier) and stash it away safely, which is what an app should use.
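As an added example (not code from the blog post, the WhatsAPI project, or any commenter), the following Python contrasts the credential scheme quoted in comment 17 of the "Seriously?" thread above, md5(strrev(imei)) with no salt, against the per-install random secret that comments 6 ("This is why Apple got rid of the UDID...") and 16 ("Apple removed UDID") recommend. The IMEI used is the widely published documentation example 49-015420-323751-8, a constructed sample and not a handset in use; the check-digit routine is the standard Luhn check that IMEIs carry (the "checksum calculation" comment 32 mentions). Function names are my own. The point for a defender: the hash is reproducible by anyone who knows the identifier, and even an attacker with no knowledge of the device faces at most a 14-digit keyspace, whereas a 128-bit secret generated on first launch has no relationship to anything observable about the phone.

```python
import hashlib
import math
import secrets

# Constructed sample: the documentation IMEI 49-015420-323751-8, not a device in use.
SAMPLE_IMEI = "490154203237518"


def imei_luhn_valid(imei: str) -> bool:
    """Check the 15th digit of an IMEI against the Luhn check digit.

    The first 14 digits (TAC + serial) are public structure and the check
    digit is computed from them; it detects typos and adds no secrecy.
    """
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def imei_derived_password(imei: str) -> str:
    """The scheme quoted in the thread: md5(strrev(imei)), unsalted.

    The input is a device identifier, not a secret, so any party that learns
    the IMEI computes exactly this value. Hashing hides the IMEI from someone
    who only holds the hash; it does not hide the password from someone who
    holds the IMEI.
    """
    return hashlib.md5(imei[::-1].encode("ascii")).hexdigest()


def imei_keyspace_bits() -> float:
    """Upper bound on the entropy of an IMEI-derived password.

    Fourteen free digits plus a determined check digit allow at most 10**14
    distinct inputs, about 46.5 bits, even for an attacker who knows nothing
    about the handset (real IMEIs are far more structured than that).
    """
    return math.log2(10 ** 14)


def per_install_credential() -> str:
    """What the UDID comments recommend instead: a random secret generated on
    first launch and kept in app-private storage, never derived from the device.

    128 bits from the OS CSPRNG; nothing observable about the phone lets a
    third party reproduce it.
    """
    return secrets.token_hex(16)


def credential_entropy_bits(hex_secret: str) -> int:
    """Entropy of a hex-encoded random secret: four bits per hex digit."""
    return len(hex_secret) * 4


if __name__ == "__main__":
    print("sample IMEI Luhn-valid:", imei_luhn_valid(SAMPLE_IMEI))
    app_side = imei_derived_password(SAMPLE_IMEI)
    other_party = imei_derived_password(SAMPLE_IMEI)   # anyone else who read the IMEI
    print("IMEI-derived password reproducible from the IMEI alone:", app_side == other_party)
    print("IMEI keyspace upper bound (bits):", round(imei_keyspace_bits(), 1))
    print("per-install credential (bits):", credential_entropy_bits(per_install_credential()))
```

The contrast is the whole argument of the thread in two functions: imei_derived_password is a pure function of public data, so the server is effectively authenticating "whoever knows the IMEI", while per_install_credential authenticates "whoever holds the secret this install generated", which is the property a password is supposed to have.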

  17. Not on Windows Phone 7 by Anonymous Coward · · Score: 0

    This isn't a problem on WP7 (can't speak for 8). We needed the IMEI on a project, and only signed OEM applications can get access to it. iOS has UUID access for applications to get around this, as does WP7, but that generally raises issues around privacy.

    Issues with IMEI are a bit heavier than UUID style usage. You can block an entire phone globally by reporting the phone stolen with the IMEI to participating carriers. This is irreversible. Malicious though, and rather unlikely. What's more likely is your IMEI can be sold to fake phone manufacturers, which if they ever appear on the same network as your phone simultaneously, both will get blocked globally.

  18. IMEI not just "easily readable" by richard.cs · · Score: 2

    The IMEI is not just "easily readable" it's sent unencrypted whenever a call is made. This was a deliberate design choice, it could have been sent after the encrypted connection was established but the writers of the specification chose otherwise - the motivations for this have never been explained but a lot of people have drawn their own conclusions.

    In any case my point is that it's even easier than TFA suggests to obtain someone's IMEI.

  19. Re:The Mind Has No Firewall by myowntrueself · · Score: 3, Funny

    "The Mind Has No Firewall" by Timothy L. Thomas. Parameters, Spring 1998, pp. 84-92.

    The human body, much like a computer, contains myriad data processors. They include, but are not limited to, the chemical-electrical activity of the brain, heart, and peripheral nervous system, the signals sent from the cortex region of the brain to other parts of our body, the tiny hair cells in the inner ear that process...

    I was half expecting this to turn into another 'MyCleanPC' spam post.

    --
    In the free world the media isn't government run; the government is media run.
  20. Jitsi by Hatta · · Score: 1

    So when is Jitsi going to get an android port?

    --
    Give me Classic Slashdot or give me death!
  21. Re:The Mind Has No Firewall by maxwell+demon · · Score: 1

    Actually the mind has a very effective firewall, as everyone has experienced who tried to convince someone else that his belief system is wrong. However, like any firewall, it can only keep off threats if configured properly.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  22. Re:Slashdot and Wikipedia are for fags. by Anonymous Coward · · Score: 0

    Mitt, don't you have an election to steal?

    I prefer the term "finesse".

    -Mitt

  23. Re:The Mind Has No Firewall by Anonymous Coward · · Score: 0

    I just upgraded my firewall to Fox News 3.2.

  24. Re:"Full disclosure is the only responsible route" by Rozzin · · Score: 1

    Hatta, you're actually not far off from Bruce Schneier's "Full Disclosure of Security Vulnerabilities a 'Damned Good Idea'".

    --
    -rozzin.
  25. It should NOT be used for authentication by Anonymous Coward · · Score: 0

    "Since someone's IMEI number is easily readable, this isn't really secret information that should be used for authentication."

    I think this should read that IMEI numbers should not be used for authentication.

  26. Re:Slashdot and Wikipedia are for fags. by Anonymous Coward · · Score: 0

    I'm not FAT

  27. Re:Slashdot and Wikipedia are for fags. by mynameiskhan · · Score: 1

    I hate name calling from behind the internet. Wassup Mr. Coward?