Category: Mobile Phone

Mobile phone security

  • Smartphone encrypted messenger HushHushApp


    HushHushApp is a secure Android messenger (iPhone version planned) for encrypted chat and file sharing. This app secures your conversations from eavesdropping, but it does not make you anonymous: you have to register an account before you can use the messenger, using either your phone number or an email address, which must be confirmed with a registration code.

    During the registration process you are asked what country you live in, and the app makes it very easy to send a text message or email to your contacts asking whether they want to chat with you using HushHushApp. Be careful not to mass-mail your contacts by mistake: all of them are checked by default, and most people will only want to suggest the encrypted chat to a couple of friends.

    Smartphone encrypted chat HushHushApp

    Once you have opened the account you will be assigned a HushHush ID (HID) and be able to manage your profile, where you can upload an avatar. The HID is what other people use to find you in the network and add you to their list of contacts. You don’t need to hand over your phone number to chat with others; the short alphanumeric HID will be your contact ID. You can also control, per contact, whether they are notified when you read a message and whether your location is revealed to them.

    You can create a chat group from the interface where three or four people can chat securely at the same time. If files are sent, they are encrypted and stored that way, accessible only through the application.

    Security wise, you are only told that HushHushApp uses a “scrambling algorithm”, with no further detail of what the algorithm is or how it works. HushHushApp mentions that messages are deleted from the server, which means your data flows through a central server, a potential weak spot if that server is compromised. The good points are that messages carry a digital fingerprint and that local storage and the user database are kept encrypted, but again there is no mention of which encryption is used. You are expected to trust that they are doing a good job while knowing nothing about the company, other than that the features section of their website is unfinished and written entirely in Spanish.

    After I used the “Delete Account” option and uninstalled this app, browsing the phone’s storage I noticed a folder named com.hushhushapp.android and a tiny file named hushushgirl.3gp left behind on my phone, which shows some sloppiness on the developers’ part.

    HushHushApp’s interface is user friendly and easy to use, but the lack of detailed information about what security measures HushHushApp deploys does not inspire trust. You can’t entrust your privacy to anybody who merely says they will scramble your messages and hope that all will be fine. Using a central server to deliver your messages is also not OK; it adds another way to break your security. I would avoid this app for secure chat based on this, but it should be fine for non-private chatting, just like MSN or Yahoo.

    Visit HushHushApp homepage

  • Exchange encrypted SMS messages with Tinfoil-SMS


    Tinfoil-SMS is a free open source Android app to exchange encrypted SMS messages with other Tinfoil-SMS users. After installation you can import contacts from your phone and all future conversations will be handled by Tinfoil-SMS, but communications with a contact will not be secure until a successful key exchange has been completed with them.

    To stop man in the middle attacks, where an attacker replaces the encryption keys and forwards messages after logging them, a signed encryption key exchange must take place first. In the app menu you will see two fields labelled Shared Secrets; there you need to input two secret passphrases and save them. Tinfoil-SMS advises a minimum of 8 characters for each shared secret, and you have to transmit the secret to your contact by secure means (not your phone).

    The receiver will get a notification showing your phone number next to “Pending key exchanges”; they will have to enter the passphrase you have given them, and from then on all future messages between you will be encrypted.

    Tinfoil-SMS encrypted Android SMS message

    Messages are secured using AES 256-bit in CTR mode; in the SMS thread you will see a padlock attesting that encryption is on. Tinfoil-SMS settings allow you to disable and enable SMS encryption, manage encryption keys and delete or add contacts. It is similar to TextSecure, another SMS encryption app; the main differences between the two are that Tinfoil-SMS signs the key exchange with the shared secret, the encryption algorithms differ slightly (Tinfoil-SMS uses AES 256-bit and TextSecure AES 128-bit), and Tinfoil-SMS does not encrypt messages locally on your phone whereas TextSecure does.
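    The point of signing the key exchange with the shared secret is that an attacker sitting between the two phones can swap a public key but cannot produce a valid tag over the swapped key without the secret. The following is an added example, not Tinfoil-SMS’s own code, and it makes simplifying assumptions: one shared secret known to both parties (the app’s two Shared Secrets fields are not modelled), a toy Diffie-Hellman group over the prime 2**255 - 19 with generator 2 (constructed for illustration; a real app would use a standard group or an elliptic curve), HMAC-SHA256 as the tag, and constructed phone numbers and passphrases.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for this example only.
P = 2**255 - 19
G = 2

ALICE_NUMBER = "+15550001111"  # constructed sender identity, as shown next to "Pending key exchanges"


def keypair():
    """Return (private, public) for one party."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def auth_tag(shared_secret: str, sender: str, pub: int) -> bytes:
    """HMAC over the sender identity and public value, keyed with the
    out-of-band shared secret. Only someone holding the secret can produce a
    tag that verifies for a given public value."""
    msg = sender.encode() + b"|" + pub.to_bytes(32, "big")
    return hmac.new(shared_secret.encode(), msg, hashlib.sha256).digest()


def tag_is_valid(shared_secret: str, sender: str, pub: int, tag: bytes) -> bool:
    # constant-time comparison so timing does not leak how much of the tag matched
    return hmac.compare_digest(auth_tag(shared_secret, sender, pub), tag)


def session_key(priv: int, peer_pub: int) -> bytes:
    """Derive the AES key from the Diffie-Hellman shared value."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(32, "big")).digest()


def run_exchange(shared_secret: str, attacker_in_the_middle: bool, bob_secret: str = None) -> dict:
    """Simulate Alice sending her public value plus tag to Bob over SMS.
    With an attacker in the middle, Alice's public value is swapped for the
    attacker's own before it reaches Bob; the attacker does not know the secret,
    so the original tag is forwarded unchanged. bob_secret lets the caller model
    Bob mistyping the passphrase."""
    bob_secret = shared_secret if bob_secret is None else bob_secret
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    tag = auth_tag(shared_secret, ALICE_NUMBER, a_pub)

    delivered_pub = a_pub
    if attacker_in_the_middle:
        _, delivered_pub = keypair()  # attacker's substitute public value

    accepted = tag_is_valid(bob_secret, ALICE_NUMBER, delivered_pub, tag)
    # Bob only derives a key if the tag checked out; otherwise the exchange stays pending
    bob_key = session_key(b_priv, delivered_pub) if accepted else None
    alice_key = session_key(a_priv, b_pub)
    return {"accepted": accepted, "keys_match": bob_key == alice_key}


if __name__ == "__main__":
    print("honest exchange:", run_exchange("correct horse battery", attacker_in_the_middle=False))
    print("key substituted:", run_exchange("correct horse battery", attacker_in_the_middle=True))
    print("mistyped secret:", run_exchange("correct horse battery", False, bob_secret="correct horse batery"))
```

    The simulation shows the failure mode the review cares about: a substituted key is rejected before any session key is derived, and a mistyped passphrase is indistinguishable from an attack, which is why the app insists the secret be transmitted by a channel other than the phone itself.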

    The reason the Tinfoil-SMS developers give for supporting SMS instead of real-time chat encryption is that many oppressive regimes are in third world countries where people do not have data plans and use SMS messages to communicate; this has the added benefit that the app still works if the government shuts down Internet access.

    Tinfoil-SMS’s future plans include incorporating steganography to hide the fact that you are using encryption. A detailed cryptanalysis of the application is also planned, and the app will always be free and open source.

    This is an app I would trust due to its open source nature and what looks like a good security model, with the only inconvenience being that the shared secrets have to be exchanged by secure means before encrypted communication can be established, which can be problematic and is likely to force some people to transmit the secrets insecurely.

    You can download Tinfoil-SMS from Google Play or from F-Droid, an alternative Android marketplace made up entirely of free open source software and not controlled by Google.

    Visit Tinfoil-SMS homepage

  • Smartphone privacy Internet browser Dolphin Zero


    Dolphin Zero is a privacy focused Internet browser for Android (iOS version planned). It does not store visited Internet sites, cookies, passwords, favicons or cache. Dolphin Zero is analogous to your desktop browser’s privacy or Incognito mode, with the distinction that in this browser privacy mode is always on by default.

    The browser’s default search engine is DuckDuckGo, a search engine that does not log your computer’s IP address or keep track of its users. If you are not happy with DuckDuckGo you can easily swap it for Google or Bing by tapping on the toolbar.

    This browser does not block advertisements or scripts, so your online movements will still be tracked by websites during each Internet session, but on closing the window you will see an animated shredder graphic telling you that all temporary cookies and files have been erased. Websites will not be able to track your movements for more than one session at a time; the downside is that settings will never be saved.

    Smartphone privacy Internet browser Dolphin Zero

    Do not be fooled by the shredding graphic: Dolphin Zero does not wipe data, it simply does not store it on the phone or SD card in the first place. Your Internet session runs in RAM, which vanishes when you close the browser. This method is safer than erasing the data after it has touched the memory card. The Dolphin Zero browser’s main function is to protect you from people who could get hold of your mobile device, and it does that well.

    Dolphin Zero has Do Not Track enabled, an HTTP request header that tells every website you visit that you don’t want them to monitor your online behaviour in order to serve you advertising based on the pages you visit. However, only a few companies honour this request, and they are not legally required to do so.

    Dolphin Zero is the privacy version of the long established Dolphin browser, hinting at a capable development team behind the program. Dolphin Zero is compatible with all websites I tried it on, and my experience has been that it is more polished to have a dedicated privacy browser for visiting websites you don’t want anybody to know about than to switch between private and non-private tabs that are easily forgotten or mixed up.

    I find it very effective having Dolphin Zero installed alongside my main browser. I missed bookmarking, but that feature would defeat the whole purpose of hiding the list of sites you visit. This browser is perfect for keeping visited sites secret from anybody with access to my phone and for reducing online tracking; undoubtedly I am keeping this app.

    Visit Dolphin Zero in Google Play

  • Blackphone, a smartphone with encryption designed to stop the NSA


    A new smartphone designed to be secure by default is in the works by a joint venture between PGP creator Phil Zimmermann’s company, Silent Circle, and the first Firefox OS phone maker, Geeksphone.

    Full details will be released next month at the Mobile World Congress in Barcelona, but the initial technical details made public in the press release point towards a smartphone running a custom open source Android-based operating system called PrivatOS, able to make secure voice or video calls and to send and store secure text messages or files. There is also mention of a VPN, which should stop data packet sniffing when surfing the Internet on the phone.

    Blackphone’s security could be summarised as secure hardware, a custom OS and security applications. I would imagine that Silent Circle’s own software security suite will have a role to play in securing Blackphone communications.

    Secure smartphone with encryption Blackphone

    The good points of what is known so far are, first, that one of the people behind the company developing it is Phil Zimmermann, who does not come across as the kind of person who would sell people’s privacy to the NSA; second, that hardware security will be taken into account; third, that the project will be open source, at the very least PrivatOS (not sure about the hardware); and fourth, that Blackphone will be unlocked and not tied to any carrier.

    Blackphone’s bad point, of what is known so far, is that it has been described as a high end device, so the price will likely be out of reach for ordinary people.

    For those of you who can’t afford to pay businessman prices for a secure smartphone, I would recommend getting an Android phone that is supported by CyanogenMod, a forked version of Android without all the spyware that Google embeds in Android phones.

    Wipe the stock Android OS for good when you have the device and install CyanogenMod, then open a fake Google Play account, which I only managed to do with a Chinese proxy, as attempting to do so from a USA IP made Google insist on verifying the account using a mobile phone number. Download Orbot, a Tor proxy to surf the Internet, RedPhone to make secure calls and ChatSecure to encrypt real-time chat conversations. All of the applications named and CyanogenMod are free. Your phone may not be as pretty as the Blackphone but it will be secure enough to fool well funded adversaries.

    Visit Blackphone homepage

  • How to stop the NSA from tracking your mobile phone calls


    The latest documents leaked by Edward Snowden, called “Spain last 30 days”, show that in a single month the NSA illegally spied on 60 million phone calls in Spain. Further details reported by the press mention that although the calls were not recorded, location, dialled number, call duration and mobile phone serial numbers were all looked at by the NSA.

    From that one can infer that if the NSA was looking at mobile phone serial numbers, they must have a way to link those numbers to people.

    Mobile phone serial vs IMEI number

    There are two kinds of mobile phone serial numbers: IMEI (International Mobile Station Equipment Identity) and IMSI (International Mobile Subscriber Identity).

    Mobile phone serial number and IMEI

    IMEI numbers are embedded in the device; the number is displayed if you type *#06# on your dialpad and has 15 or 16 digits. The software version variant, called IMEISV, contains 16 digits.

    The first 8 digits of an IMEI number identify the model and the phone’s origin; the remaining digits are defined by the manufacturer and could be anything they want.

    IMSI numbers contain 15 or fewer digits and are embedded in the SIM card. The number is constantly sent by your mobile phone to the network provider, enabling mobile phone companies to trace the phone using a technique known as triangulation. Tracing works even if you don’t have GPS in your phone; triangulation relies on the mobile network towers to locate you.

    The first 3 IMSI digits contain the country code, followed by the mobile network code; the remaining digits identify the subscription.

    For example, if you go abroad the IMSI number is used by the network to connect you to the foreign company that has a roaming agreement with your home network provider.

    Both IMEI and IMSI numbers are transmitted to mobile phone companies. There are devices that can change a mobile phone’s IMEI number, but in some countries, like the United Kingdom, this is illegal on the grounds that it hinders mobile phone theft investigations.
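    To make the two identifiers concrete, the following added example (written for this page, not taken from any of the reviewed apps or from a standard library) splits an IMEI or IMEISV into the 8-digit type allocation code and serial described above and splits an IMSI into country code, network code and subscriber part. One fact the text does not mention is used: the 15th digit of a 15-digit IMEI is a Luhn check digit computed over the first 14, so a mistyped IMEI can be caught before it is logged or searched. The sample IMEI and IMSI values are constructed (MCC 214 is Spain’s country code; the rest is made up); the length of the network code is passed in as an assumption, since it is 2 digits in Europe and 3 in North America.

```python
def luhn_check_digit(body: str) -> int:
    """Check digit d such that body + str(d) passes the Luhn algorithm."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # the rightmost body digit is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def parse_imei(value: str) -> dict:
    """Split an IMEI (15 digits) or IMEISV (16 digits) into its fields.
    Spaces and dashes, as printed on phone labels, are ignored."""
    digits = value.replace(" ", "").replace("-", "")
    if not digits.isdigit() or len(digits) not in (15, 16):
        raise ValueError("IMEI must be 15 digits, IMEISV 16 digits")
    info = {"tac": digits[:8], "serial": digits[8:14]}
    if len(digits) == 15:
        info["kind"] = "IMEI"
        info["check_digit"] = digits[14]
        info["valid"] = luhn_check_digit(digits[:14]) == int(digits[14])
    else:
        info["kind"] = "IMEISV"
        info["software_version"] = digits[14:]
        info["valid"] = True        # IMEISV carries no check digit
    return info


def parse_imsi(value: str, mnc_length: int = 2) -> dict:
    """Split an IMSI into MCC (3 digits), MNC (2 or 3 digits, assumed by the
    caller since the IMSI itself does not say) and the subscriber number."""
    if mnc_length not in (2, 3):
        raise ValueError("MNC is 2 or 3 digits")
    if not value.isdigit() or len(value) > 15 or len(value) <= 3 + mnc_length:
        raise ValueError("IMSI must be at most 15 digits and longer than MCC+MNC")
    return {
        "mcc": value[:3],
        "mnc": value[3:3 + mnc_length],
        "msin": value[3 + mnc_length:],
    }


if __name__ == "__main__":
    # constructed sample values, not real devices or subscribers
    print(parse_imei("35-720907-000001-9"))
    print(parse_imei("357209070000018"))       # same body, wrong check digit
    print(parse_imei("3572090700000101"))      # IMEISV: 14 digits + 2-digit software version
    print(parse_imsi("214011234567890"))
```

    Because the check digit is derived from the first 14 digits, it only catches typos, not an IMEI that was deliberately changed by one of the devices the text mentions; a consistent IMEI says nothing about whether it is the one the handset was built with.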

    Stopping NSA metadata collection

    With leaked documents showing that metadata is the main element the NSA grid uses to flag calls, using a calling card should stop them from seeing the final numbers you are dialling, and buying calling cards from a non-USA company should add privacy.

    It is probably rational to assume that the NSA knows about the calling card problem, and making and receiving lots of calls with calling cards from the same phone could raise a red flag in the system and mark you for further attention. Combining calling cards with different phone lines would then be a good idea, if possible.

    Another way that might fool NSA metadata collectors is to use a virtual phone number service like FlyNumber, where two people in Africa could communicate with each other using USA local phone numbers that are then forwarded to the phone of their choice or to VoIP. Make sure it is not Skype; past documents showed that Skype is linked to the NSA PRISM global spying program.

    As for stopping location tracking, opening your phone and taking out the SIM card and battery is the only secure way to do that. If this is too inconvenient, then stick to VoIP calls tunnelled through a VPN.

  • Islamic terrorists release Mobile Encryption Program for Android phones


    The Global Islamic Media Front, a jihadist propaganda arm for al-Qaeda, Somalia’s al-Shabaab and the Pakistani Taliban, has released an encryption program for Android and Symbian smartphones.

    Originally named “Mobile Encryption Program”, it is being advertised as able to send encrypted SMS messages and files so that “fighters in the frontline” can communicate securely among themselves. The program uses the Twofish algorithm in CBC (Cipher Block Chaining) mode, is based on public key encryption, and can display digital fingerprints so that users can check that encryption keys have not been tampered with. Encrypted messages can be exchanged in Arabic and English using up to 400 characters; one of the settings lets you enter SMTP and POP3 hostnames and port numbers to send encrypted files via SSL email, and it will work with any SMTP email provider.

    Ballkan Islamik Media Front video

    Various terrorist groups, like al-Qaeda in Yemen, encourage their supporters to communicate with them using encryption programs produced by their propaganda arm.

    Global Islamic Media Front programmers have avoided the AES algorithm, a US government standard, but it is highly unlikely that a couple of guys in a bedroom can defeat the best mathematicians the NSA can hire, with billions of dollars of budget available to crack it. With all of the open source encryption programs available this is totally uncalled for; they could easily have saved themselves the effort, unless of course the CIA wanted them to release this tool.

    As soon as you spot that the Islamic Emirate of Afghanistan’s financial department is using a Gmail address and that most terrorist related files are hosted on American servers, you can tell that everything is under control. However, the GIMF is highly skilled at creating impressive videos with beautiful background music and footage to recruit new members.

    The Global Islamic Media Front’s official download site is down at the moment, but you can read the announcement on the usual NSA-monitored jihadist forums, like Ansar1, Ballkan-Islamic or Shumukh al-Islam.

    Ansar1 announcement of Mobile Encryption Program (Jihadist forum gone)

  • Hide photos and videos in Android with Sectos


    Sectos is a free Android app to hide photos and videos, and it is fairly easy to use. After launching the app you select the photos or albums you would like to hide and they are moved, with the file changed so that no app recognizes them as media. A camera mode automatically hides any pictures you take right away, without you having to hide them manually.

    The app unlocking code is stored as an MD5 hash and photos are secured with what the developer calls a “high-secure algorithm”. I would be wary of using Sectos to hide very sensitive pictures from a resourceful attacker due to the lack of information about what encryption the app uses, if any. It is impossible to evaluate what they call a high-secure algorithm; more specific information is obviously needed to trust something marketed as a security product.
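    Storing the unlock code as a bare MD5 hash is a measurable weakness on its own, independent of whatever the photo “algorithm” turns out to be. The added example below, written for this page and not taken from Sectos, quantifies it: it counts how many MD5 evaluations it takes to match the stored hash of a short numeric PIN, then shows the conventional hardening (a random per-user salt and PBKDF2-HMAC-SHA256 with a high iteration count) and the resulting work factor. The PIN, PIN length and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os


def md5_pin(pin: str) -> str:
    """The storage form the review describes: an unsalted MD5 of the code."""
    return hashlib.md5(pin.encode()).hexdigest()


def md5_guesses_until_match(stored_md5: str, pin_length: int = 4) -> int:
    """Number of candidate PINs that must be hashed, counting up from 0000,
    before the stored MD5 is matched. Anyone who copies the app's data has to
    do at most 10**pin_length fast hashes, which takes milliseconds."""
    for n in range(10 ** pin_length):
        candidate = f"{n:0{pin_length}d}"
        if hashlib.md5(candidate.encode()).hexdigest() == stored_md5:
            return n + 1
    return -1


def store_pin(pin: str, iterations: int = 200_000) -> dict:
    """Hardened form: random salt plus a deliberately slow key derivation.
    The salt defeats precomputed tables; the iteration count multiplies the
    cost of every guess."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify_pin(pin: str, record: dict) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", pin.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])


def hash_operations_for_full_search(pin_length: int, iterations: int) -> int:
    """Upper bound on underlying hash evaluations needed to try every PIN."""
    return 10 ** pin_length * iterations


if __name__ == "__main__":
    pin = "7391"                                   # constructed sample unlock code
    print("MD5 guesses until match:", md5_guesses_until_match(md5_pin(pin)))
    record = store_pin(pin)
    print("PBKDF2 verify correct PIN:", verify_pin(pin, record))
    print("PBKDF2 verify wrong PIN:  ", verify_pin("0000", record))
    print("hash evaluations to search all 4-digit PINs, MD5:   ",
          hash_operations_for_full_search(4, 1))
    print("hash evaluations to search all 4-digit PINs, PBKDF2:",
          hash_operations_for_full_search(4, record["iterations"]))
```

    The caveat a practitioner will want: a slow hash only multiplies the cost by a constant, and a four-digit space is small enough that even 200,000 iterations per guess is hours rather than years on a phone-class CPU. The hash change is necessary but not sufficient; the unlock code also needs rate limiting or, better, a key kept in hardware-backed storage that the attacker cannot copy off the device along with the photos.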

    Sectos Android app to hide photos

    What I liked about this app is that it can hide its own existence by removing the Sectos logo from view, and the app can be locked using a PIN or pattern. This stops nosy people from poking around after coming across a photo hiding app, which is too tempting to play with for one too many. The Sectos PIN prompt only becomes visible after dialling a preset number on the phone; without that, nobody should be aware it exists.

    You can back up your hidden data using the app’s integrated cloud storage services, Dropbox at the moment, with Google Drive support planned for the future. Cloud backup can be set to automatic. If you forget the passcode, it can be reset via an email link by going to Settings > Privacy settings.

    Visit Sectos in Google Play