Category: Mobile Phone

Mobile phone security

  • Mobile phone private messaging with Schmoose App

    Schmoose is a privacy messaging app for your mobile phone with end-to-end encryption. The algorithms used to secure your data are well-known standards: AES 256-bit, SHA-256 and RSA 2048-bit. Schmoose itself is not able to read what you send: a public/private key pair is created on your phone during installation and data is encrypted before it leaves the phone, so only the person you are sending the message to can decrypt it.

    When the sender and receiver both have the app installed they can chat as they would in the popular WhatsApp and Kik without any messaging costs; the main difference is the strong privacy added by Schmoose. If anybody intercepted your messages, they would only be able to see meaningless random characters, and the company cannot be forced to decrypt them as they do not have the means to do that.

    You will be asked to verify your mobile phone number or email during installation, and after that you are able to sync your contacts online. To keep contacts private, only hash values are sent to Schmoose servers in Germany; they don’t see names and addresses.

    Schmoose encrypted messaging app

    The messaging program is very colourful: it can include embedded photos, custom backgrounds, avatars and fun chat features like those in other chat messaging apps. If you choose to store the photos people send you in Schmoose, make sure they are not something embarrassing. Media storage is not encrypted, and if you lose your phone there is potential for somebody to access the photo gallery.

    I did not like having to register to be able to use the app, but it is possible to select email registration only. If you have an anonymous email account this should keep your identity hidden and it will not be as intrusive as using your mobile phone number linked to your real identity. I suspect that registration is necessary to assign you a Schmoose ID and to be found in the network.

    The good features are end-to-end public key encryption with no backdoor and ease of use. The bad part was that data was not being encrypted locally; to fix this your phone should be fully encrypted. Schmoose is a free app for a single device. A paid version increases the number of mobile phones on which it can run and lets you block other users and send videos (the free version only sends photos).

    I am glad to see more and more companies locking themselves out of customers’ encryption keys, this allows them to fight back against unreasonable legal requests asking for access to customers’ personal messages. The hard part is that there is no interoperability between similar privacy messaging apps and it is next to impossible to agree with all of your contacts to use the same app.

    Visit Schmoose homepage
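
The contact sync described in the Schmoose review, where only hash values leave the phone, can be sketched as follows. This is an added example, not Schmoose's code: the use of SHA-256 for contact hashes, the number normalisation, the default country code and all function names are assumptions, and the phone numbers are constructed.

```python
import hashlib
import re

# Assumption: SHA-256 over a normalised phone number. The review only says
# "hash values" are sent; it does not name the function or the input format.
DEFAULT_COUNTRY_CODE = "49"  # assumed home country for national-format numbers


def normalise(number: str, country_code: str = DEFAULT_COUNTRY_CODE) -> str:
    """Reduce a number as typed in an address book to +<country><digits>,
    so both sides hash the same string for the same subscriber."""
    stripped = number.strip()
    digits = re.sub(r"\D", "", stripped)
    if stripped.startswith("+"):
        return "+" + digits
    if digits.startswith("00"):      # international dialling prefix
        return "+" + digits[2:]
    if digits.startswith("0"):       # national trunk prefix
        return "+" + country_code + digits[1:]
    return "+" + country_code + digits


def contact_hash(number: str) -> str:
    return hashlib.sha256(normalise(number).encode("ascii")).hexdigest()


def client_upload(address_book: dict) -> tuple:
    """Return (hashes to upload, local-only map of hash -> contact name)."""
    local = {contact_hash(num): name for name, num in address_book.items()}
    return sorted(local), local


def server_match(uploaded: list, registered_hashes: set) -> list:
    """Server side: sees hashes only and reports which ones are registered."""
    return [h for h in uploaded if h in registered_hashes]


def discover(address_book: dict, registered_hashes: set) -> list:
    uploaded, local = client_upload(address_book)
    matches = server_match(uploaded, registered_hashes)
    return sorted(local[h] for h in matches)  # names are resolved on the phone


# Constructed sample data: these numbers are made up.
ADDRESS_BOOK = {
    "Alice": "0151 2345 6789",
    "Bob": "+49 (151) 9876-5432",
    "Carol": "0044 7700 900123",
}
REGISTERED = {contact_hash("+4915123456789"), contact_hash("+447700900123")}

if __name__ == "__main__":
    print(discover(ADDRESS_BOOK, REGISTERED))
```

The server never receives names or addresses, but phone numbers come from a small, structured space, so an unsalted hash of one works as a pseudonym rather than as a secret.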

  • Mobile phone end to end encrypted chat with Sicher

    Sicher is a free Android, iPhone ($1) and Windows Mobile messaging app with end-to-end encryption and message self-destruction. It can be used to securely chat and exchange files, in a group or individually, with anybody in your contact list. As usual with similar apps, Sicher will not work unless your friends also have it installed.

    The company developing Sicher is based in Germany and they can’t gain access to your private encryption key: generation takes place on your mobile phone and the key never leaves it. In addition, all Sicher servers are located in Germany and they do not store the data you send; after an encrypted message has been delivered it is automatically erased from the server.

    To strengthen your security a self-destruction timer can be set on all messages or files you send; the lifetime of a message can be fixed from 30 minutes up to 15 days. During the app setup you will be asked to enter a password used to encrypt data locally; this will block access to your account if your phone is lost or stolen. The company has no way to restore forgotten passwords, so content will be lost if you forget yours. The app can be set to lock itself after 15 minutes of inactivity, hourly, or the riskier option of never asking for the password again while the phone is on; customize it to your security needs.

    Sicher encrypted chat messaging app

    I liked that Sicher has not been developed nor has servers in the USA, where the government is known for issuing gagging orders to technology companies forcing them to install a backdoor in their communication services. Sicher developers should also get bonus points for not sending crash logs, spy agencies are known to collect Windows logs sent over the Internet to learn more about a target’s computer, no such privacy risk here, and there is no social network integration, Facebook and Twitter apps don’t have access to Sicher, two companies that all privacy apps should block. Another nice feature is the settings allowing you to route Sicher communications through a proxy to hide your mobile phone IP.

    Besides the appalling app installation experience where I had to try multiple times before receiving the necessary SMS with a PIN code to activate the app, and besides Sicher’s freezing my screen when I finally entered the PIN number, forcing me to uninstall the app and reinstall again, security specs look fantastic.

    I would be willing to use this app if they did not enforce mobile phone number registration with them prior to use, the requirement strips away your anonymity and I don’t understand why this is necessary. Even if the company can’t see the encrypted data being sent, Sicher servers, and anybody wiretapping them, should be able to see computer IPs, connection length with timestamp and amount of data being transferred, what is known as metadata, a very useful source of information for spy agencies.

    I trust that the developers will solve Sicher SMS registration problems, but as long as they insist that my mobile phone number must be registered with them, I will not use the app. If you don’t care about anonymity and all you long for is privacy, Sicher security far surpasses that of WhatsApp or Kik and it is preferable to those apps.

    Visit Sicher homepage

  • Encrypted mobile phone chat, video and calls with PQChat

    PQChat is a free private messaging app for iPhone (Android version coming soon), protecting data with the McEliece cryptosystem and a proprietary Never-The-Same encryption algorithm from SRD Wireless, a UK company.

    The app stores minimal user information and everything is encrypted before leaving the device. The user’s phone number, nickname and ID-image are stored as one-way hash values. The app master password and a 5 digit alphanumeric PIN are set by the user; PQChat developers don’t know what they are and cannot read your data. If you lose your master password you will lock yourself out of your account forever, there is no backdoor.

    User authentication to establish a video call or send a text message to one of your contacts employs PQChat’s own patented Man At The End algorithm.

    PQChat mobile phone encrypted chat

    The user keeps total control over the messages he sends, first by encrypting them on the phone, secondly by being able to remotely delete the messages from the server or set a timer for automatic erasing. You are protected from wire-tapping with a single-use encryption algorithm, akin to perfect forward secrecy. Deleting the encrypted messages strengthens your security by stopping future attempts to break the cipher, and it can help you when you send a message to the wrong contact.

    This is a zero-knowledge app being marketed as resistant to quantum computer cipher breaking, with PQChat standing for Post-Quantum Chat. The company claims that most standard encryption will be broken in the future by yet-to-be-made quantum computers.

    The app includes a personal locker in which to store encrypted passwords and bank details. It is doubtless a much better option than WhatsApp and other popular insecure messaging apps, but you need to trust that the closed source encryption algorithm is safe and, as usual with this kind of app, the receiver and the sender both need to have the app installed to be able to communicate.

    If it worries you that this is a UK company that could be forced to spy on you by a blanket surveillance government order, PQChat developers acknowledge that they will have to comply with requests from the authorities to monitor a user, but since they are unable to decrypt messages there wouldn’t be much they can provide.

    Visit PQChat homepage

  • Android news reader with Tor, encryption and wiper

    Courier Secure News Reader is a Guardian Project mobile phone app for secure and anonymous news reading. The app works with Orbot, a Tor proxy for Android phones from the same developers. It hides your IP address when downloading RSS feeds, gets around ISP censorship in countries where they block websites and encrypts what you download to thwart wire-tapping. The feeds can be synced automatically or manually, with the option of only syncing when on a Wi-Fi network to avoid expensive data roaming charges.

    Downloaded news and personal data are stored encrypted on your mobile phone; in case of emergency they can be wiped altogether from within the app by swiping on the screen. A smart move if you expect arrest, but bear in mind that most arrests are never expected and the chances of you being able to wipe evidence that you have accessed banned news sites are not high unless you have forewarning of the arrest, in which case disposing of the whole device would be safer.

    Courier Secure News Reader Android

    The menu is simple and easy to use: a button on top lets you know when you are connected to the Tor network, a “My Favourites” tab bookmarks sites and a “Stories Received” tab can be tapped to read the news. Any data you receive from a friend will be listed separately in the “Receive a Share” tab.

    People who have no Internet access can still read the news as long as one of their peers manages to get online and shares it with them P2P using Courier Secure News Reader via Bluetooth.

    Courier Secure News Reader is open source, free and without any advertisements. The developers’ aim is to help those living in countries where access to news sites is censored to read them anonymously.

    The app has been digitally signed with a 4096-bit key to verify that it really came from the developers and nobody has replaced it with a fake malware app that spies on the user.

    Note: Courier Secure News Reader is currently in beta.

    Visit Courier Secure News Reader

  • Secure mobile instant messaging App Chadder

    Chadder is a secure instant messenger app for Android, Windows mobile and iOS (soon to be released), launched by a joint venture between McAfee antivirus founder John McAfee and Internet privacy start-up Etransfr.

    Chadder encrypts messages with public key cryptography taking place in the background. The user does not have to deal with passwords, other than his own Chadder account password, and there are no encryption keys to manage. The best of Chadder's traits is that it is as simple and easy to use as Vibe but with added security, and unlike WhatsApp it is not owned by NSA friend Facebook CEO Mark Zuckerberg.

    Private messaging app Chadder

    When you send an instant message in Chadder, the encryption keys used to encrypt the message are forwarded directly to your contact. The Chadder server only receives the encrypted message; the company has no way to read it because they never have access to the encryption keys. Your contact is forwarded the encrypted message and only he will be able to decrypt it with the encryption keys you forwarded separately to his mobile device.

    I liked how easy it is to register with the service, picking up a username and a password gives you a Chadder account straight away without any waiting period or verification.

    When you first launch the program a tutorial tour guides you through the intuitive features, covering how to add contacts and where to access settings by tapping on a wrench icon to go to your profile. A user's profile is set to private by default; changing it to public will make it easier for others to request a connection by typing in your name, email address or phone number. A more private way of connecting with somebody is by generating a numeric code that you can post anywhere. You will not be able to exchange private messages with people until you have both agreed to be added as friends first.

    The service is still in beta and features are kept to a minimum; for example, there are only two available avatars called “Boy” and “Girl”, and you can’t upload a custom one. More relevant missing functionalities that Chadder does not offer are group chat, visible message delivery notifications and vanishing messages.

    My view is that they have released this app too early but the proof of concept seems fair. Until they release a more advanced version, I will stick with Wickr for secure mobile phone communications.

    Visit Chadder homepage

  • Best smartphone apps to exchange secret messages

    Even if you take care of your personal privacy, the people you are communicating with might not be as privacy conscious or knowledgeable. If one of your contacts misplaces their phone with your private pictures and messages, you would also be compromised, and if they stop being your friends and become your enemies, anything you have previously sent could be used against you.

    The following smartphone apps will make it hard for others to permanently store text, photos and videos you send to them.

    Confide: It sends end to end encrypted messages that will disappear after reading and you will get a receipt once the message has been opened. There is built-in screenshot protection that makes it difficult to take a screenshot by concealing the message until somebody swipes the screen.

    Confide smartphone app

    Telegram: Cloud-based encrypted self-destructing messages. You can create private group chats to share files and store data on the cloud that is available across devices. For higher security it is best to adopt Telegram's “Secret Chats” option, where encryption is end to end without going across any intermediary server.

    Whisper: This app will post messages and photos to your social network without revealing who you are. The idea is to allow people to share thoughts and information with people they know through a nickname. Whisper provides a huge number of photos you can customize with your own feelings before posting. You can use it to vent frustration, and people reading the messages can then choose to have a one-to-one private chat with you.

    Wickr: This is an app targeted at those really serious about security. It encrypts all communications; you can send texts, videos and photos and make calls in total privacy, with an expiration date. The app has a security audit to make sure there are no flaws, and it is used by businesses to hide their trade secrets as well as by people who want a private life. The app allows you to choose who has access to your messages and for how long.

    Self-destructing messages app Wickr

    Dust: Available for Android and iPhone, this app can send messages that will self-destruct after a set number of days or hours, no data touches the memory card, nothing can be recovered and it warns you if anybody takes a screenshot of a message you sent. You can create discussion groups and invite other Dust users.

    DontTalk: If you make a mistake sending something the app allows you to recall messages before your friends see them, set up group chats, whispers and self-destructing pop messages. This app is appropriate for those trying to protect from pseudofriends leaking the information you send, but it will not serve as protection from a law enforcement agency although no doubt it will make their job harder.

  • Smartphone encrypted messenger HushHushApp

    HushHushApp is a secure Android messenger (iPhone planned), for encrypted chat and file sharing. This app will secure your conversations from eavesdropping but it will not make you anonymous, in fact, you have to register to open an account before you can use the messenger. For this you can use your phone number or an email address that will have to be confirmed with a registration code.

    During the registration process you are asked what country you live in and the app makes it very easy sending a text message or email to your contacts, querying if they want to chat with you using HushHushApp. You should be careful not to carry out a mass mail by mistake as all contacts are checked by default, and most likely people will only want to suggest the encrypted chat to a couple of friends.

    Smartphone encrypted chat HushHushApp

    Once you have opened the account you will be assigned a HushHush ID, HID, and be able to manage your profile where you can upload an avatar. The HID is used for other people to find you in the network and add you to their list of contacts. You don’t need to hand over your phone number to chat with others, the short HID alphanumeric code will be your contact ID. Another option is to individually control if a contact will be allowed to be notified when you read a message and if your location can be revealed to them.

    You can create a chat group from the interface where three or four people can chat securely at the same time. If files are sent, they will be encrypted and stored that way, only accessible through the application.

    Security-wise, you are only told that HushHushApp uses a scrambling algorithm, with no additional knowledge of what the algorithm is or how it works. HushHushApp mentions that messages are deleted from the server; this means your data flows across a central server, a potential weak spot if the server is compromised. The good points are that messages have a digital fingerprint, and that local storage and the users database are kept encrypted, but again there is no mention of what encryption they are using. You are supposed to trust they are doing a good job, but you know nothing about the company either, other than that their website features section is unfinished and written entirely in Spanish.

    After I used the “Delete Account” option and uninstalled this app, browsing the phone storage I noticed a folder named com.hushhushapp.android and a tiny file named hushushgirl.3gp left behind on my phone, this shows some sloppiness on the developers' part.

    The HushHushApp interface is user friendly and easy to use, but the lack of detailed information about what security measures HushHushApp deploys does not inspire trust. You can’t entrust your privacy to anybody saying that they will scramble your messages and hope that all will be fine. Using a central server to deliver your messages is also not ok, it adds an additional way to break your security. I would avoid this app for secure chat based on this but it should be fine for non-private chatting, just like MSN or Yahoo.

    Visit HushHushApp homepage