Popular Android Package Uses Just XOR -- and That's Not the Worst Part
siddesu writes A popular "encryption" package for Android that even charges a yearly subscription fee of $8 actually does nothing more than give a false sense of security to its users. Not only is the app using a worthless encryption method, it also uses weak keys and "encrypts" only a small portion of the files. One wonders how much snake oil flows through the app stores, from "battery savers" to "antivirus." What is the most worthless app purchase you made? Did you ask for a refund?
I mentioned to the subscription that Microsoft used ROT13 to "encrypt" some registry entries in version W2K (I think that was the version).
After reading about XOR, ROT13 would be just about as good.
Not familiar with ROT13? = Abg snzvyvne jvgu EBG13?
Same here, kinda. I ended up sticking with the flip phone because I just found the issues I had with using Android devices as telephones bad enough for me to stick with it, but yeah, there's a lot of basic stuff you miss, that you kinda wonder why no efforts have been made to update flip phones to have at least some of the functionality of their power-sucking overloaded not-quite-optimal-for-phone-calls-UI-encumbered cousins.
Would it really be a problem adding Wi-Fi support? Would things like the ability to sync contacts and other PIM stuff add that much to the costs of devices?
Many things you mention are better done by a dedicated tablet device, but it's a shame that I have to make the choice between a shitty phone that's integrated with the rest of the world, and a good useful phone that I have to manually copy phone numbers to and from or else find awkward Bluetooth applications that never quite work correctly to update.
You are not alone. This is not normal. None of this is normal.
If the key is as long as the message, XOR is not that weak.
As long as the key is as long as the message, and all of the key is unpredictable, and is never reused, then you have a provably unbreakable encryption system called a one-time pad. However, if you ever reuse the key someone can XOR the two ciphertexts together and the result will be the XOR of the two plaintexts, which can often be disentangled. Also, if the key is somewhat predictable, plaintext can be recovered. The US actually managed to decrypt some texts encrypted with a Russian one-time pad system, because the keys were produced by humans pounding "randomly" on typewriters... except humans aren't very good at generating random keystreams.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
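The key-reuse property described in the comment above, as an added example that is not part of the original thread: it shows the key cancelling when two ciphertexts share it, and a pad that is consumed strictly once avoiding the leak. The messages are constructed samples and `PadBook` is a hypothetical helper name.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def ciphertext_difference(p1: bytes, p2: bytes, key: bytes) -> bytes:
    """Encrypt both messages under the SAME key and XOR the ciphertexts.
    The key cancels: (p1 ^ k) ^ (p2 ^ k) == p1 ^ p2."""
    return xor_bytes(xor_bytes(p1, key), xor_bytes(p2, key))

def recover_other(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """With one plaintext known, the other falls out without the key."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)

class PadBook:
    """Hypothetical helper: consumes pad bytes strictly once, never rewinds."""
    def __init__(self, pad: bytes):
        self._pad, self._offset = pad, 0

    def encrypt(self, plaintext: bytes) -> bytes:
        end = self._offset + len(plaintext)
        if end > len(self._pad):
            raise ValueError("pad exhausted: refusing to reuse key material")
        key, self._offset = self._pad[self._offset:end], end
        return xor_bytes(plaintext, key)

# Constructed sample messages (equal length, 17 bytes each).
P1 = b"MEET AT DAWN 0600"
P2 = b"HOLD POSITION NOW"

if __name__ == "__main__":
    key = secrets.token_bytes(len(P1))           # perfectly random, but reused
    c1, c2 = xor_bytes(P1, key), xor_bytes(P2, key)
    print("reused key leaks p1^p2:", xor_bytes(c1, c2) == xor_bytes(P1, P2))
    print("p2 from known p1:      ", recover_other(c1, c2, P1))

    book = PadBook(secrets.token_bytes(len(P1) + len(P2)))
    d1, d2 = book.encrypt(P1), book.encrypt(P2)  # disjoint pad segments
    print("fresh pad leaks p1^p2: ", xor_bytes(d1, d2) == xor_bytes(P1, P2))
```

The identity holds for any key, however random, which is why the "never reused" condition carries as much weight as key length and unpredictability.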
Maybe they read the actual description of the app. The only thing it claims to encrypt is text messages, which TFA doesn't bother to check. The description doesn't claim to encrypt files, so unless it has been changed since the article was written it seems to be making stuff up to complain about.
The app hides files on your device. It does that by using a simple XOR cypher to encrypt the header of files and make them invisible to apps like the Gallery that look for files with valid JPEG/PNG/GIF headers. It works perfectly, the XOR cypher has the desired effect. Obviously it won't stop forensic examination from finding and decrypting the files, but it doesn't claim to. It's an app designed to hide your nude selfies and dick pics, not to stop the NSA/GCHQ dataraping your phone.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Good info, thanks. What caught my eye was the criticism of using XOR for encryption. That makes no sense. In fact, taking suitably secured random bit strings and XOR'ing them with the input will give you a very secure form of encryption. Of course you need to be able to recreate the random bit string without saving it in plain text somewhere, etc., but the point is that criticizing XOR is like complaining that computers only use binary arithmetic.