Tag: Android encrypted chat

  • Zendo a One Time Pad encryption messaging app


    Zendo is a free iPhone and Android app for encrypted chat. Users communicate directly with each other using One Time Pad encryption keys that they will have previously exchanged in person.

    After installing the app you will see two options on the screen, one displaying a QR code and a second button to scan other people’s codes. Pointing your phone camera at the QR code on the screen of your friend’s phone authenticates both devices via Wi-Fi Direct and encrypts the connection with AES256; it then exchanges multiple One Time Pad encryption keys (0.5MB). If anybody listened nearby and captured the exchange you would not have to worry as the connection was initially encrypted.

    The strength of One Time Pad encryption is that a new key is used for each one of your messages. This is why you need multiple keys, and why anybody who managed to crack one of the keys would only be able to read a single message. To decipher a whole conversation, your adversary would have to crack hundreds or thousands of encryption keys.

    smartphone encrypted chat Zendo

    Another security feature is that the messages and photos you send are encrypted before they leave your phone. To extend the longevity of One Time Pad encryption keys, photos are encrypted with AES 256-bit.

    In advanced settings an “Out-of-Band Messaging” option enables you to send encrypted Zendo messages via email or SMS, so you are not required to use Zendo servers to deliver messages to other users you have exchanged keys with. Another option deletes all messages on close: ticking the box will automatically erase all messages and photos when you close the app while keeping your contacts and the encryption keys you have exchanged. A third option steps up security to paranoid level, allowing you to exchange large encryption keys; this choice will reduce phone performance on low end devices.

    For privacy, Zendo servers do not log any IP, they are quickly erased, and you never give the company an email address or phone number. Your contact list, messages and photos remain on your phone and not on Zendo servers. The company can’t spy or help anybody spy on you with the information and capabilities they have.

    One Time Pad encryption app Zendo

    When you run out of One Time Pad encryption keys you will have to meet again in person and top up. This will seem annoying to many people but it is a good excuse to have a face to face meeting with somebody; there is a certain social element in Zendo. This is an app to communicate with people you know in real life and are close to you. The biggest downside of high security is usability, as Zendo proves: you can’t use this app to chat with people you just met, and keys can not be sent over the Internet.
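
    The per-message key use and the eventual need to top up, described above, can be sketched as follows. This is an added example, not Zendo's code: it assumes the textbook XOR one-time pad, models one direction of traffic only, and the names `PadBook`, `PadExhausted` and `reuse_leak` are hypothetical.

```python
import secrets

PAD_SIZE = 512 * 1024  # 0.5 MB, the exchange size mentioned in the post


class PadExhausted(Exception):
    """Not enough unused key material left: the users must meet and top up."""


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class PadBook:
    """One party's copy of a shared pad; bytes are consumed once, front to back."""

    def __init__(self, pad):
        self._pad = pad
        self._next = 0  # index of the first unused pad byte

    @property
    def remaining(self):
        return len(self._pad) - self._next

    def _take(self, start, n):
        if start < self._next:  # going backwards would reuse key bytes
            raise ValueError("pad bytes already used; refusing to reuse them")
        if start + n > len(self._pad):
            raise PadExhausted(f"need {n} bytes, {len(self._pad) - start} left")
        self._next = start + n
        return self._pad[start:start + n]

    def encrypt(self, plaintext):
        start = self._next
        return start, xor(plaintext, self._take(start, len(plaintext)))

    def decrypt(self, start, ciphertext):
        return xor(ciphertext, self._take(start, len(ciphertext)))


def reuse_leak(pad, m1, m2):
    """With a reused pad the key cancels: c1 XOR c2 equals m1 XOR m2."""
    return xor(xor(m1, pad), xor(m2, pad)) == xor(m1, m2)


def demo():
    pad = secrets.token_bytes(PAD_SIZE)      # constructed sample pad
    alice, bob = PadBook(pad), PadBook(pad)  # both hold the same pad
    start, ct = alice.encrypt(b"meet at noon")
    assert bob.decrypt(start, ct) == b"meet at noon"
    return alice.remaining  # PAD_SIZE minus the 12 bytes just consumed
```

    The receiver rejects any offset it has already consumed, so a replayed or re-keyed message fails instead of silently reusing pad bytes, which is the one mistake that voids the one-time pad guarantee.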

    Zendo is a niche app where the person you are chatting with will be as overtly suspicious about privacy and security as you are, I see next to zero options to convince my friends to use it otherwise. The app is not open source but the code was opened for an independent audit. The developers say that Zendo will always be free, monetization will be made in the form of premium features to be added in the future.

    Before using this app remember that, no matter how secure your messaging app is, if somebody manages to introduce a virus in your smartphone, they will be able to read everything, security has to be implemented all over the device.

    Visit Zendo in the Apple Store or Visit Zendo in Google play

  • Mobile phone private messaging with Schmoose App


    Schmoose is a privacy messaging app for your mobile phone with end to end encryption. The ciphers used to secure your data are well known standards like AES 256-bit, SHA-256 and RSA 2048-bit. Schmoose itself is not able to read what you send: a public/private encryption key is created on your phone during installation and data is encrypted before it leaves it, so only the person you are sending the message to can decrypt it.

    When the sender and receiver both have the app installed they can chat like they would do in the popular WhatsApp and Kik without any messaging costs; the main difference is the strong privacy added to Schmoose. If anybody intercepted your messages, they would only be able to see meaningless random characters, and the company can not be forced to decrypt them as they do not have the means to do that.

    You will be asked to verify your mobile phone number or email during installation and after that you are able to sync your contacts online, to keep contacts private, only hash values are sent to Schmoose servers in Germany, they don’t see names and addresses.

    Schmoose encrypted messaging app

    The messaging program is very colourful; it can include embedded photos, custom backgrounds, avatars and fun chat features like in other chat messaging apps. If you choose to store the photos people send you in Schmoose make sure that it will not be something embarrassing: media storage is not encrypted and if you lose your phone there is potential for somebody to access the photo gallery.

    I did not like having to register to be able to use the app but it is possible to select email registration only, if you have an anonymous email account this should keep your identity hidden and it will not be as intrusive as using your mobile phone number linked to your real identity. I suspect that registration is necessary to assign you a Schmoose ID and to be found in the network.

    The good features are end to end public key encryption with no backdoor and ease of use. The bad part was that data was not being encrypted locally; to fix this your phone should be fully encrypted. Schmoose is a free app for a single device; a paid version increases the number of mobile phones on which it can run and lets you block other users and send videos (the free version only sends photos).

    I am glad to see more and more companies locking themselves out of customers’ encryption keys; this allows them to fight back against unreasonable legal requests asking for access to customers’ personal messages. The hard part is that there is no interoperability between similar privacy messaging apps and it is next to impossible to agree with all of your contacts to use the same app.

    Visit Schmoose homepage

  • Mobile phone end to end encrypted chat with Sicher


    Sicher is a free Android, iPhone ($1) and Windows Mobile messaging app with end to end encryption and message self-destruction. It can be used to securely chat and exchange files in a group or individually with anybody in your contact list. As usual with similar apps, Sicher will not work unless your friends also have it installed.

    The company developing Sicher is based in Germany and they can’t gain access to your private encryption key: generation takes place on your mobile phone and the key never leaves it. In addition, all Sicher servers are located in Germany and they do not store the data you send; after an encrypted message has been delivered it is automatically erased from the server.

    To strengthen your security a self-destruction timer can be set on all messages or files you send; the lifetime of a message can be fixed from 30 minutes up to 15 days. During the app set up you will be asked to enter a password used to encrypt data locally, which will block access to your account if your phone is lost or stolen. The company has no way to restore forgotten passwords, so content will be lost if you forget yours. The app can be set to lock itself after 15 minutes of inactivity, hourly, or the more risky option of never asking for the password again while the phone is on; customize it to your security needs.

    Sicher encrypted chat messaging app

    I liked that Sicher has not been developed nor has servers in the USA, where the government is known for issuing gagging orders to technology companies forcing them to install a backdoor in their communication services. Sicher developers should also get bonus points for not sending crash logs, spy agencies are known to collect Windows logs sent over the Internet to learn more about a target’s computer, no such privacy risk here, and there is no social network integration, Facebook and Twitter apps don’t have access to Sicher, two companies that all privacy apps should block. Another nice feature is the settings allowing you to route Sicher communications through a proxy to hide your mobile phone IP.

    Besides the appalling app installation experience where I had to try multiple times before receiving the necessary SMS with a PIN code to activate the app, and besides Sicher’s freezing my screen when I finally entered the PIN number, forcing me to uninstall the app and reinstall again, security specs look fantastic.

    I would be willing to use this app if they did not enforce mobile phone number registration with them prior to use; the requirement strips away your anonymity and I don’t understand why this is necessary. Even if the company can’t see the encrypted data being sent, Sicher servers, and anybody wiretapping them, should be able to see computer IPs, connection length with timestamp and amount of data being transferred, what is known as metadata, a very useful source of information for spy agencies.

    I trust that the developers will solve Sicher SMS registration problems, but as long as they insist that my mobile phone number must be registered with them, I will not use the app. If you don’t care about anonymity and all you long for is privacy, Sicher security far surpasses that of WhatsApp or Kik and it is preferable to those apps.

    Visit Sicher homepage

  • Secure mobile instant messaging App Chadder


    Chadder is a secure Instant Messenger app for Android, Windows mobile and iOS (soon to be released), launched by a joint venture between McAfee antivirus founder John McAfee and Internet privacy start-up Etransfr.

    Chadder encrypts messages with public key cryptography taking place in the background, the user does not have to deal with passwords, other than his own Chadder account password and there are no encryption keys to manage. The best of Chadder traits is that it is as simple and easy to use as Vibe but with added security and unlike WhatsApp it is not owned by NSA friend Facebook CEO Mark Zuckerberg.

    Private messaging app Chadder

    When you send an instant message in Chadder the encryption keys used to cipher the message are directly forwarded to your contact. The Chadder server only receives the encrypted message and the company has no way to read it, as they never have access to the encryption keys. Your contact is forwarded the encrypted message and only he will be able to decrypt it with the encryption keys you forwarded separately to his mobile device.

    I liked how easy it is to register with the service, picking up a username and a password gives you a Chadder account straight away without any waiting period or verification.

    When you first launch the program a tutorial tour guides you through the intuitive features, consisting of how to add contacts and where to access settings by tapping on a wrench icon to go to your profile. User profiles are set to private by default; changing yours to public will make it easier for others to request a connection by typing in your name, email address or phone number. A more private way of connecting with somebody is by generating a numeric code that you can post anywhere. You will not be able to exchange private messages with people until you both have agreed to be added as friends first.

    The service is still in beta and features are kept to a minimum; for example, there are only two available avatars called “Boy” and “Girl”, and you can’t upload a custom one. More relevant functionalities that Chadder does not offer are group chat, visible message delivery notifications and vanishing messages.

    My view is that they have released this app too early but the proof of concept seems fair. Until they release a more advanced version, I will stick with Wickr for secure mobile phone communications.

    Visit Chadder homepage

  • Smartphone encrypted messenger HushHushApp


    HushHushApp is a secure Android messenger (iPhone planned), for encrypted chat and file sharing. This app will secure your conversations from eavesdropping but it will not make you anonymous, in fact, you have to register to open an account before you can use the messenger. For this you can use your phone number or an email address that will have to be confirmed with a registration code.

    During the registration process you are asked what country you live in and the app makes it very easy sending a text message or email to your contacts, querying if they want to chat with you using HushHushApp. You should be careful not to carry out a mass mail by mistake as all contacts are checked by default, and most likely people will only want to suggest the encrypted chat to a couple of friends.

    Smartphone encrypted chat HushHushApp

    Once you have opened the account you will be assigned a HushHush ID, HID, and be able to manage your profile where you can upload an avatar. The HID is used for other people to find you in the network and add you to their list of contacts. You don’t need to hand over your phone number to chat with others, the short HID alphanumeric code will be your contact ID. Another option is to individually control if a contact will be allowed to be notified when you read a message and if your location can be revealed to them.

    You can create a chat group from the interface where three or four people can chat securely at the same time. If files are sent, they will be encrypted and stored that way, only accessible through the application.

    Security wise, you are only told that HushHushApp uses a scrambling algorithm, with no additional knowledge of what the algorithm is or how it works. HushHushApp mentions that messages are deleted from the server; this means your data flows across a central server, a potential weak spot if the server is compromised. The good points are that messages have a digital fingerprint, with local storage and the users database being kept encrypted, but again there is no mention of what encryption they are using. You are supposed to trust they are doing a good job but you know nothing about the company either, other than that their website features section is unfinished and written all in Spanish.

    After I used the “Delete Account” option and uninstalled this app, browsing the phone storage I noticed a folder named com.hushhushapp.android and a tiny file named hushushgirl.3gp left behind on my phone; this shows some sloppiness on the developers’ part.

    The HushHushApp interface is user friendly and easy to use but the lack of detailed information about what security measures HushHushApp deploys does not inspire trust. You can’t entrust your privacy to anybody saying that they will scramble your messages and hope that all will be fine. Using a central server to deliver your messages is also not ok; it adds an additional way to break your security. I would avoid this app for secure chat based on this but it should be fine for non privacy chatting, just like MSN or Yahoo.

    Visit HushHushApp homepage