This is a mirror of official site: http://jasper-net.blogspot.com/

The story of Android, cryptography and a crippled 3DES

Thursday, August 25, 2011


Asymmetric and symmetric encryption, different algorithms (AES/DES), block/stream ciphers, operation modes - all of these terms are difficult enough on their own, let alone their specific implementation in Your Programming Environment of Choice. You usually need strong math skills to get through all the tiny details that matter in cryptography. To make things worse, cryptanalysis attacks are constantly improving, so you also need to stay current.

Thankfully, you don't need all that much to simply use it. After all, you're not inventing a new home-brew encryption algorithm (if you are - stop immediately!), so all you need to do is RTFM.

But even that is difficult, because the web is filled with code examples that are simply wrong. It's always a good idea to do some code review of the cryptography-related parts of your project. As an example, we'll look into the Android Remote Notifier project - it had a few interesting vulnerabilities which significantly weakened its cipher strength. The author took my comments into consideration and fixed the issues, so consider this a "responsible disclosure" ;).


Short introduction

Android Remote Notifier is an application for Android phones that "sends notifications to a desktop computer when certain events happen on an Android device, such as the phone ringing, an SMS being received, or the battery running low. The notifications can be sent over Wifi, Bluetooth, or (in the future) USB." There is an app on the phone that broadcasts notifications, and a receiver on the desktop which listens for them and reacts, e.g. by displaying a message box with the SMS text. It's a new project (beta-quality), but it is already gaining attention in the Android community.

The notifications include confidential information and may be transmitted over an insecure channel (e.g. broadcast to 255.255.255.255 over the current WiFi connection). This was not fun - after all, a simple network sniffer could reveal all the SMSes of your colleague sitting nearby.


Read more: Mobile Zone