Category: Mobile Phone

Mobile phone security

  • Create disposable phone numbers with Burner iPhone app

    Burner is an iPhone app that lets people create as many disposable phone numbers as needed. The messages can be set to expire in a day, week or months, and the numbers can be used to send and receive SMS, for inbound calls or as voice mail. The caller ID is also modified during outgoing calls, and replies can be sent to the disposable number. The app could be used to post a throwaway phone number on Craigslist or Facebook and wipe it if you get harassed or once the item has been sold.

    Calls and messages go through your mobile network carrier, but the sender ID is changed so that they appear to come from your Burner disposable phone number. The receiver will be totally unaware and will not get any kind of warning about the sender using a disposable number. The Burner interface lets you organize your disposable phone numbers, creating new ones or erasing them. When a number is erased it is gone forever: future callers will hear an out-of-service message, and the number could be recirculated after a two-week quarantine period.

    Burner disposable phone number

    Burner keeps logs associating your original phone number with the disposable one and will disclose them to US law enforcement agencies with a valid warrant. They do not say how long logs are kept. The terms and conditions also bar users from using Burner for “objectionable” activities, which could be anything they want.

    Note: This is not a free app, only available in the US and Canada with future United Kingdom coverage planned.

    Visit Burner app homepage

  • Droidcat the Android app for hacking

    Droidcat is a collection of security and penetration testing tools for security professionals. It includes packet sniffers, network tools, scripts and attack tools for checking your own network security from an Android phone. The idea is to use a mobile phone as a penetration testing toolkit; source code is provided for review.

    Droidcat Android PEN testing app

    The developer’s plan is to compile a full suite of ethical hacking tools accessible from a single app. As more and more people start using smartphones this seems like a good idea: a smartphone can easily be carried anywhere in a building inside your pocket, taking advantage of Wifi signal proximity, and people do not expect others to sniff passwords or run malicious scripts using a mobile phone.

    Visit Droidcat GooglePlay page

  • Serval Project, a self-powered mobile phone network

    Serval Project is an autonomous mobile network for areas without coverage. It requires no mobile phone company to operate: Wifi-enabled mobile phones transmit data in P2P mode. It is ideal for deployment in disaster areas where mobile phone towers have been destroyed and in remote places that mobile phone signal cannot reach.

    The software, called Distributed Numbering Architecture (‘DNA’), turns an Android phone into an independent network router broadcasting and managing calls in mesh P2P mode. To enjoy ad hoc wireless networking you will have to root your phone, invalidating its warranty. If you choose not to root your mobile phone you can still use it for free P2P calls with people connected to the same Access Point, but you won’t be able to transmit data like SMS messages, called MeshMS, or share files.

    Serval Project batphone P2P mobile mesh

    The Serval Batphone software will guide you through installation using a configuration wizard. The settings allow you to make a call through the Serval network, suspend services so that your phone operates as normal with a mobile phone company providing coverage, and reset your phone number, which can contain from 5 to 32 digits; numbers starting with 11 are reserved for emergency lines. If something does not work you can troubleshoot by going to the Wifi settings and changing the SSID, frequency channel or router implementation. Advanced users can create a new mesh on a different subnet by changing the network address.

    Serval makes use of SipDroid, a free open source VoIP client for Android; options found in SipDroid can be found in Serval too.

    Serval Project mesh phone network P2P

    Although the initial idea of this project is to provide mobile phone coverage to extreme poverty and remote zone areas, I can envision the utility of this network by a group of acute paranoid people concerned about mobile phone companies keeping logs of their calls or fed up paying high fees, but every single node in the network would have to be trusted for this since they route the calls, probably not feasible when you have a large number of devices, and impersonation is fairly trivial since there is no central authority allocating phone numbers. Solutions to these problems could come in the form of call encryption and requiring a verbal identification password when the call is established.

    Currently still in development, it has been successfully tested by the developers in the Australian outback to make P2P mobile phone calls covering 1 square kilometer. Future features include filesharing with people who are not reachable at the moment and a version for Apple iOS.

    Visit Serval Project homepage

  • Encrypt Android and iPhone text messages with TXTcrypt

    TXTCrypt is a free app for Android, iPhone, Palm and desktop computers to encrypt any text message, from SMS up to notes. An online version exists to encrypt/decrypt messages if you do not want to download the app. TXTCrypt uses RC4 for encryption, a malleable and quick stream cipher designed in RSA laboratories. These days it is not considered secure enough to withstand a state sponsored attack on your communications but it should stop the average hacker.

    TXTCrypt uses symmetric encryption: you password protect your text message and it can be decrypted by anyone who knows the password. A system will have to be designed to pass on the password, which should be as long as possible to employ the full 64bit cipher strength.

    TXTCrypt mobile phone text encryption

    While more secure encryption apps exist, TXTCrypt’s appeal lies in its simplicity and multiple platform support. Being available as a Java download means that this program will run on obscure operating systems like Solaris and FreeBSD, in addition to Windows, Mac and Linux.

    Being available for desktop as well as mobile phones is also a strong point. As long as your security needs are low this is a good app; otherwise search for an encryption app using the AES cipher.

    Visit TXTCrypt homepage

  • Anti-forensics mobile phone app Wickr

    Wickr is an all-round free smartphone app for the iPhone, with an Android version coming soon. It provides text, image, audio and video encryption with AES256bit, and self-destructing messages with a timer regulating who can read text, photo or video messages and how long they are available for retrieval. Its best feature is possibly that Wickr destroys file metadata, erasing all attached personal information identifying the author and file creation details, with a data shredder making sure that when you erase something it is really gone beyond recovery. The service also hides usernames and the phone serial number by adding several random digits to each value and salting and hashing it to make it undecipherable.

    Even though you need an account with Wickr you can still use this app anonymously: you are not asked for any identifiable information, and minimal connection logs are kept that do not contain anything that could be linked to a user. The messages stored on Wickr servers are all encrypted, so it would not be possible to force the company to reveal their content; the password to decipher the data is only kept on your own phone. Your mobile phone provider will see that you are connecting to Wickr servers but they will not be able to read your messages or learn who you are communicating with, so any logging on their part to spy on you would be unproductive.

    Wickr antiforensics mobile app

    The only weak spot Wickr has is that the phone screen capture utility can be used to copy a time restricted message; Apple does not allow developers to disable screen capture on their iPhones and there is nothing that can be done about this. The app complies with HIPAA requirements for encryption and privacy, and its encryption is FIPS 140-3 compliant, a U.S. government computer security standard issued by NIST; FIPS stands for Federal Information Processing Standards. The app is the brainchild of a former defense contractor and a former forensics investigator. These are people with the know-how, not some CEO expert in marketing learning about a product on the go, as is often the case, and the antiforensics expertise of the people behind the app shows in the quality of the end product.

    To secure your communications the app will have to be installed on both phones, sender and receiver. Home users can use all features for free, but if you would like to send a message to multiple people at once, a typical corporate use, you will be asked to upgrade. This app can punch a big hole in data retention laws.

    Visit Wickr homepage

  • ArmorText Android app to encrypt SMS&MMS messages

    ArmorText is a free Android app to secure text messages. It uses RSA1024 and AES256bit to encrypt your SMS&MMS messages; the receiver will need to have the same app installed to be able to decrypt them. ArmorText connects to the Internet the first time it is launched to retrieve your friends’ public encryption keys. Security can easily be enabled by tapping an ON/OFF lock button. A Smart Predict option detects when the app believes you need to encrypt your text messages (based on the last texts sent) and automatically turns security on unless you decide otherwise. The app can stop message forwarding by the recipient too.

    ArmorText is a pure text messaging solution, not a chat client; it only encrypts SMS and MMS messages with photos.

    ArmorText Android SMS encryption

    With smartphones increasingly used for mobile payments, email and online banking, they have become a prized asset for thieves. ArmorText will protect your data even when it is stored not on your phone but on that of the person you are communicating with. Messages are encrypted before sending, stopping man-in-the-middle eavesdroppers such as your network provider. Planned features for the future include controlling how many times a text message can be viewed, how long the message is available for, and non-repudiation.

    Update 2014: This app is no longer available in Google Play

    Visit ArmorText homepage

  • Android phone encrypted IM chat with ChatSecure

    Gibberbot, renamed ChatSecure, is a secure Instant Messenger app for Android phones. It works with any Jabber or XMPP compatible chat software (Facebook chat, GTalk, Ovi, Openfire, etc.). This open source messenger, developed by the Guardian Project, uses end-to-end encryption with the Off-the-Record messaging (OTR) standard; it keeps your service provider out of the equation, making it impossible for an eavesdropper to read the messages.

    Optionally ChatSecure can be used with Orbot (the Tor app for Android) to chat over the Tor network, adding anonymity to an already private chat and circumventing censorship firewalls. Before signing into the chat you will be asked if you would like to save your password; you shouldn’t do this, as anyone with access to your phone would be able to impersonate you.

    Android secure IM ChatSecure

    Off-the-Record encryption needs both parties to be using it: the people you are chatting with must have ChatSecure installed or be using a desktop computer with an instant messenger that has the plugin installed. Pidgin (Windows&Linux) and Adium (Mac) can both use Off-the-Record (OTR).

    You should swap digital fingerprints first to make sure the right person is behind the keyboard. ChatSecure lets you create a scannable QR (Quick Response) code out of a digital fingerprint, making it easy to exchange in person. After verifying fingerprints with your partner the chatbox will be shown green, indicating that encryption and identity have both been authenticated. If you cannot verify your partner’s identity the chatbox will be coloured orange, indicating that encryption is working but identification failed. If encryption doesn’t work because the other end hasn’t got ChatSecure installed, the chatbox will be shown in red and can still be used.

    Visit ChatSecure Google Play page