Slashdot Mirror


Popular Android Package Uses Just XOR -- and That's Not the Worst Part

siddesu writes A popular "encryption" package for Android that even charges a yearly subscription fee of $8 actually does nothing more than give a false sense of security to its users. Not only is the app using a worthless encryption method, it also uses weak keys and "encrypts" only a small portion of the files. One wonders how much snake oil flows through the app stores, from "battery savers" to "antivirus." What is the most worthless app purchase you made? Did you ask for a refund?

21 of 277 comments

  1. Web sites by danbob999 · · Score: 5, Insightful

    CTIA - "The Best App of CTIA by the Techlicious 2012 Best of CTIA Awards"
    PC Magazine - "PC Magazine Best Apps"
    TRUSTe - Received "TRUSTe Privacy Seal"
    Global Mobile Internet Conference App Space - "A top 50 app"

    Thanks, I will take a note to never trust these web site reviews.

    1. Re:Web sites by Darinbob · · Score: 4, Insightful

      People will gladly give good reviews to things they haven't even tried out yet. And even if they tried it they probably have no clue how to validate its effectiveness. It's the yelp effect, let someone give a review and they'll jump on board and proclaim "best broccoli beef ever".

    2. Re:Web sites by ShanghaiBill · · Score: 4, Funny

      People will gladly give good reviews to things they haven't even tried out yet.

      Tornado App has good reviews.

    3. Re:Web sites by macklin01 · · Score: 4, Informative

      Here's the TRUSTe info:

      http://privacy.truste.com/privacy-seal/NQ-Mobile-US-Inc-/validation?rid=e0f97027-af9a-4b8a-91b5-2a33c58a520a

      It only seems to cover security/privacy of their ecommerce site. So, their shopping cart may be secure, but it says nothing about app security as they seem to imply in their press releases, etc.

      --
      OpenSource.MathCancer.org: open source comp bio
    4. Re:Web sites by AmiMoJo · · Score: 5, Interesting

      Maybe they read the actual description of the app. The only thing it claims to encrypt is text messages, which TFA doesn't bother to check. The description doesn't claim to encrypt files, so unless it has been changed since the article was written it seems to be making stuff up to complain about.

      The app hides files on your device. It does that by using a simple XOR cypher to encrypt the header of files and make them invisible to apps like the Gallery that look for files with valid JPEG/PNG/GIF headers. It works perfectly, the XOR cypher has the desired effect. Obviously it won't stop forensic examination from finding and decrypting the files, but it doesn't claim to. It's an app designed to hide your nude selfies and dick pics, not stop the NSA/GCHQ dataraping your phone.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. XOR is useless by ArcadeMan · · Score: 4, Funny

    Unless it's used with ROT13.

    1. Re:XOR is useless by TapeCutter · · Score: 4, Funny

      Must be good, it has ubiquitous hardware support. ;)

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
  3. Re:The big advantage of XOR by MichaelSmith · · Score: 4, Funny

    Also it's implemented directly in the CPU, so both encryption and decryption are very fast.

  4. ROT13 by Trax3001BBS · · Score: 4, Interesting

    I mentioned to the subscription that Microsoft used Rot13 to "encrypt" some registry entries in version W2K (I think that was the version).

    After reading about XOR, ROT13 would be just about as good.

    Not familiar with ROT13? = Abg snzvyvne jvgu EBG13?

  5. XOR encryption is uncrackable as long as... by pcritter · · Score: 5, Informative

    There's nothing wrong with XOR for encryption as long as your key size is >= plain text size. In fact it's uncrackable!

    1. Re:XOR encryption is uncrackable as long as... by Anonymous Coward · · Score: 5, Informative

      And you NEVER reuse that key.

    2. Re:XOR encryption is uncrackable as long as... by meloneg · · Score: 4, Informative

      And it's generated from a quality source of entropy.

    3. Re:XOR encryption is uncrackable as long as... by gman003 · · Score: 4, Informative

      And the key remains private.

  6. Re:The big advantage of XOR by hcs_$reboot · · Score: 4, Insightful

    If the key is as long as the message, XOR is not that weak.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  7. DMCA by martin-boundary · · Score: 5, Funny

    I think Slashdot should take down this article. Under the DMCA it's illegal to bypass flimsy methods intended to enforce security.

  8. Re:The big advantage of XOR by ShakaUVM · · Score: 4, Informative

    In fact, it's unbreakable if you do it right. (http://en.wikipedia.org/wiki/One-time_pad)

    I'm disappointed that the person who submitted the story said "Just XOR".

  9. Re:questions answered below by squiggleslash · · Score: 4, Interesting

    Same here, kinda. I ended up sticking with the flip phone because I just found the issues I had with using Android devices as telephones bad enough for me to stick with it, but yeah, there's a lot of basic stuff you miss, that you kinda wonder why no efforts have been made to update flip phones to have at least some of the functionality of their power-sucking overloaded not-quite-optimal-for-phone-calls-UI-encumbered cousins.

    Would it really be a problem adding Wifi support, with things like the ability to sync contacts and other PIM stuff add that much to the costs of devices?

    Many things you mention are better done by a dedicated tablet device, but it's a shame that I have to make the choice between a shitty phone that's integrated with the rest of the world, and a good useful phone that I have to manually copy phone numbers to and from or else find awkward Bluetooth applications that never quite work correctly to update.

    --
    You are not alone. This is not normal. None of this is normal.
  10. Re:The big advantage of XOR by swillden · · Score: 5, Interesting

    If the key is as long as the message, XOR is not that weak.

    As long as the key is as long as the message, and all of the key is unpredictable, and is never reused, then you have a provably unbreakable encryption system called a one-time pad. However, if you ever reuse the key someone can XOR the two ciphertexts together and the result will be the XOR of the two plaintexts, which can often be disentangled. Also, if the key is somewhat predictable, plaintext can be recovered. The US actually managed to decrypt some texts encrypted with a Russian one-time pad system, because the keys were produced by humans pounding "randomly" on typewriters... except humans aren't very good at generating random keystreams.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  12. Re:The big advantage of XOR by Beryllium+Sphere(tm) · · Score: 5, Funny

    And what data structure do you have lying around at encryption time that's as long as the plaintext?

    That's right, the plaintext. Use that as your one-time pad. It saves you the headache of generating high-quality randomness if you just XOR the plaintext with itself.

    The resulting ciphertext is not only theoretically unbreakable without the key, it is also highly compressible for economical transmission.

  13. "XOR"? WTF? This thing is a "Vigenère cipher" by gweihir · · Score: 5, Informative

    You could at least have some minimal accuracy in the stories. XOR is not a problem and perfectly secure if used with a secure key-stream, as is done in modern stream ciphers. The problem here is that this is a "Vigenère cipher", where a very short, repeating key-stream is used. It was designed in 1553 and a general break was published in 1863.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
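The two failure modes raised above (swillden: reusing a full-length pad leaks the XOR of the plaintexts; gweihir: a short repeating key is a Vigenère cipher, and the fixed JPEG header AmiMoJo mentions is exactly the known plaintext that gives the key back) as an added, self-contained demonstration. This is example code written for this page, not the app's code or anything from the article; the JFIF prefix, the 4-byte key `k3y!`, the image payloads and the assumption that the key period is known are all constructed for the example.

```python
import os

# Constructed sample: the fixed bytes that open every JFIF JPEG (SOI marker,
# APP0 length, "JFIF\0", version 1.01). Any real JPEG starts the same way,
# which is why "encrypting the header" with a repeating key hides nothing.
JFIF_PREFIX = bytes.fromhex("ffd8ffe000104a46494600010101")
PLAINTEXT_A = JFIF_PREFIX + b"\x00\x48\x00\x48\x00\x00" + b"constructed image A"
PLAINTEXT_B = JFIF_PREFIX + b"\x00\x48\x00\x48\x00\x00" + b"constructed image B"
SHORT_KEY = b"k3y!"  # constructed 4-byte key, repeated Vigenere-style (assumed period 4)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key; a key shorter than data is repeated (Vigenere-style)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_repeating_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery: with a repeating key, key[i] = c[i] ^ p[i] for the
    first key_len positions, and the file header supplies those p[i] for free."""
    if key_len > len(known_prefix):
        raise ValueError("not enough known plaintext to cover one key period")
    return xor_bytes(ciphertext[:key_len], known_prefix[:key_len])


def reused_pad_leak(ct_a: bytes, ct_b: bytes) -> bytes:
    """Two messages under the same pad: c_a ^ c_b == p_a ^ p_b, no key needed."""
    return bytes(x ^ y for x, y in zip(ct_a, ct_b))


def demo() -> dict:
    # 1. Short repeating key: the JPEG header alone hands back the whole key,
    #    and with the key the rest of the file decrypts too.
    ct = xor_bytes(PLAINTEXT_A, SHORT_KEY)
    key = recover_repeating_key(ct, JFIF_PREFIX, len(SHORT_KEY))
    recovered = xor_bytes(ct, key)
    # 2. A full-length random pad is a one-time pad only while it is used once;
    #    used twice, the ciphertexts XOR to the plaintext XOR.
    pad = os.urandom(len(PLAINTEXT_A))
    leak = reused_pad_leak(xor_bytes(PLAINTEXT_A, pad), xor_bytes(PLAINTEXT_B, pad))
    return {
        "recovered_key": key,
        "short_key_broken": recovered == PLAINTEXT_A,
        "reuse_leaks_plaintext_xor": leak == xor_bytes(PLAINTEXT_A, PLAINTEXT_B),
    }


if __name__ == "__main__":
    print(demo())
```

Both checks come out true on every run: the first because the key period is shorter than the known header, the second regardless of how good the pad's randomness is, which is the point the thread makes about "as long as the key is as long as the message" being necessary but not sufficient.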