Related
Allow me to quote egzthunder1 which described very well the application's scope in Android applications area.
If you are as clueless as I am about this whole concept, the first thing that you may have thought is: “there is a typo in the article’s title”. As it turns out, this is an outdoor activity where people will determine a path to follow and will try to make it in the least possible amount of time. This can be done either walking, by bicycle, or car, a good sense of orientation, a map, and a good compass.
Click to expand...
Click to collapse
The Android client is in beta testing but the Windows Mobile 6.5 client is stable and can be downloaded from http://vorienteering.com/downloads
Virtual Orienteering is formed by a team of passionate developers, lovers of nature and surrounding environment.
Together we try to create a large community of curious beginners in discovering the joy of this game, as well experienced players of real orienteering sports.
Everything we offer is free, all you need to do is register (very easy to do) on www.vorienteering.com make a track, download the application for your smartphone and start executing it. After that, if you want you can post a message straight to Twitter of Facebook so that everybody will know what you did The best players will be on top so everyone can see them.
Video tutorials on how to use the site and the application are coming in the next days, but it should be pretty easy to use it. Just give it a try. We also have a feedback button and you can tell us what problems or ideas you have. Every feedback is welcomed. Together we can improve the whole concept.
This community has done so much for me since I join, I'm glad that with VOrienteering we can offer you something in return.
Thank you xda-developers for the chance of showing out application.
Ah... did I mention that you can earn badges ? See you in top 10 users.
I would like to see an app that can block/white list app permissions. Has anyone ran across such a beast?
I would like to have the ability to white list apps to particular permissions. For example, Pandora wants to read my contacts, send e-mails, and modify my calendar... I don't white list that app to those permissions so any request for those permissions get blocked. However, I do wish to give Pandora access to Bluetooth and read phone state... So I white list Pandora to those permissions...
Does this make sense? It is kind of a "Permissions Firewall."
I have searched for this and I have yet to find something like this.
Any suggestions?
One other thought is maybe each permission could get its own user modifiable canned answer, and the white list is the choice between providing the user defined canned information (For example: If you don't white list Fine GPS, the app will always receive one particular GPS coordinate instead of your real coordinates.)
The default could be "block" and the custom "canned" response could be user defined.
It would be nice, but I'm not sure about the ability of the app to run if specific permissions written into the code are changed from the end-user. Someone more knowledgeable about app code should chime in.
t1n0m3n said:
One other thought is maybe each permission could get its own user modifiable canned answer, and the white list is the choice between providing the user defined canned information (For example: If you don't white list Fine GPS, the app will always receive one particular GPS coordinate instead of your real coordinates.)
The default could be "block" and the custom "canned" response could be user defined.
Click to expand...
Click to collapse
Possible, but above...If an app requires specific information to run, it may need to be completely re-programmed/coded on the end-users side.
Yeah, it was that specific thing that my 2nd post was trying to get around. By providing the end user the ability to directly manipulate the answer provided to the app, I don't see why this wouldn't work.
Another thing would be to have profile sets available on the market that an enduser could install to set most of the "known OK" white list permissions, and the blacklist "fake answers" automatically to make managing the white list a bit easier.
Honestly, I have been wondering why I can't find something like this since my early G1 days. I really think that it could be an integral part of protecting one's own private information.
I agree...Have been wondering this myself since last summer--just do not know how to begin a project like this. Would be an AWESOME feature if someone could figure it out.
It would probably require root, but other than that, I think it would be fairly simple and straight forward to program. However, I can't code, do there you go...
Eat at joes
Too bad no one else thinks that this is a good idea. I had one more thought on this though. Configurable alerting on permissions offenses. The Pandora debacle got me thinking about this again.
I believe you have two options but first you must root your device. Check out:
Root Call Blocker
http://forum.xda-developers.com/showthread.php?t=1051274&highlight=firewall
DroidWall
http://code.google.com/p/droidwall/
However, it would be neat to have an app which does not require rooting.
Have you tried Permissions Denied or LBE Privacy Guard?
Hello.
I followed all the New Boston Android videos, did everything, understood everything.
I tried to create a basic RSS feed reader, in order to better incorporate some concepts I learned in the New Boston videos (http processing, xml processing, adapting the content to lists, custom lists, etc). When I got to pass the information from the http processed data to xml parser and the list, that's when I got too much confused and knew I didn't have enough knowledge.
Then I tried to do some "Shopping List Manager" (just like OI Shopping, a bit adapted more to my taste), in order to learn.
However, again, when I neededto pass information to other objects in other classes or something like that, I get confused and don't know what to do.
So I bought CommonsWare book, "The Busy Coder's Guide to Android", which I have the latest version (5.1) and I'm reading, but I don't like to advance when I don't fully understand something. This time I'm stuck on the Action Bar part, more precisely this one:
Code:
private void configureActionItem(Menu menu) {
EditText add=
(EditText)menu.findItem(R.id.add).getActionView()
.findViewById(R.id.title);
add.setOnEditorActionListener(this);
}
I know this will seem very basic to many of you, but I get really confused on all this calls, returning results and more calls.
I don't have a background on OOP, except when I worked with PHP frameworks like Symfony, I work usually with direct task programming (scripting, automation, etc), as I am a Linux System Administrator, so my code is mainly scripting and web interface building (Python, Shell Script, PHP, Javascript, etc).
Can anybody explain what can I do to better understand this? It's just lack of practice and in time I'll understand better? Is it OOP lack of knowledge/practice? Or is it Java lack of knowledge/practice?
Thanks a lot for all your help.
Maybe the best approach is to get some face time with a person who is more experienced and have him explain to you the concept you have trouble with while focusing on the parts you don't grasp. A real human has this flexibility to do a "targeted strike" unlike a tutorial or a book that has no idea where in particular the student may get confused.
For this particular issue, the issue can be summarized as follows. Let's say you have an object call a function:
Code:
orange.peel();
This should be relatively straightforward. The next level of complexity is the fact that obj is just a variable representing an object, and in fact we can substitute anything else that evaluates to an object (i.e.: after it runs, you end up with an object). For example these all are legal ways to call the method as long as types match:
Code:
(new Orange()).peel();
(shouldEatSmallerOrange ? smallerOrange : largerOrange).peel();
retrieveOrangeFromBox().peel();
The last line illustrates calling some other function that returns the object, which is then used to call a second function. The final step from here is to recognize that instead of a single retrieveOrangeFromBox() we can have a chain of functions, each of which returns an object that is used to call the next function in line. For example:
Code:
findCar().accessCarTrunk().unloadBoxFromTrunk().retrieveOrangeFromBox().peel();
The names are unnecessarily verbose to illustrate how functions and their results relate to each other.
OOP + Android system
You're not that clear as to exactly what you are having a problem with, but in general, it sounds like you need to get a java book and learn the basic concepts of classes and interfaces. Since you say you have a background in PHP you could probably go pretty far just by following the Java tutorials on the Sun website. I say java because that's the target language here, any book on OOP in any language would be adequate but learning java would give you the added ability to read other people's android code examples more easily.
After that, you can learn the Android framework. You develop in the Java language but you work within the android framework. What that means is that here, for example, the action bar is provided to you by the android system, and this callback is called by the system, so it is all set up for you. But to understand what is happening, you need to understand when the system calls this method and what it does. That is the framework.
So more specifically, how can you understand this code? This method is called from another method, onCreateOptionsMenu(). OnCreateOptionsMenu() is a method in the Activity class that is called automatically by the system at a specific time. You need to read about the Activity class and the Activity lifecycle on the android developers site. If you want your activity to provide an options menu, you create it in OnCreateOptionsMenu and return it, the system will handle it from there. So back to configureActionItem(Menu menu), here you are passing in the menu object, which contains MenuItem objects, which the system uses to populate the menu (either on the action bar, or when you hit the menu button, depending on the android version). Each MenuItem object has a view that is associated with it (usually created in an XML file).
One thing that may be hard to understand is that all these calls are chained, so if you don't know what they are returning you don't know where to look for help. It's easier if you separate the calls out. Here, the documentation is your friend. If you look at the Menu class on the android dev site, you see that findItem() returns a MenuItem. So then you look up MenuItem, and you see that getActionView() returns a View. Look at the View class, and you can see findViewById() returns another view (a sub-view that is contained within this view). so when you look at it all together, unchained:
Code:
private void configureActionItem(Menu menu) {
MenuItem mi = menu.findItem(R.id.add);
View parentView = mi.getActionView();
EditText add = (EditText)parentView.findViewById(R.id.title);
}
findViewById returns a View, but you know that the view known by the id R.id.title is an EditText view, and you want to use it as an EditText, so you have to cast the View to an EditText (which is a subclass of View) so that the compiler knows that it is an EditText type of view. That's what the (EditText) is doing in front of the findViewById call. To understand that you need to read about subclassing and strongly-typed programming languages. PHP is weakly-typed, so that might be new to you.
finally, you call setOnEditActionListener on the EditText. OnEditActionListener is an interface that you have implemented in this class. An interface defines a common set of methods that are guaranteed to be present in whichever class has implemented it. So when you set the OnEditActionListener to this, (this means the current instance of this class), the EditText will hold on to the "this" object and it knows that it can call a certain set of methods on it. What are those methods? look up the OnEditActionListener interface in the docs:
it only has one method,
Code:
public abstract boolean onEditorAction (TextView v, int actionId, KeyEvent event);
so somewhere in this class, you will have this method defined and this is where you put code that you want to run when the EditText triggers this action. I assume this get called when the user touches the EditText.
It's really not going to be easy to work with android if you don't have a basic knowledge of OOP, specifically classes, inheritance, and interfaces. Also, knowing how java implements these concepts will help a lot. Then you can use your book to learn the Android framework.
GreenTuxer said:
Hello.
I followed all the New Boston Android videos, did everything, understood everything.
I tried to create a basic RSS feed reader, in order to better incorporate some concepts I learned in the New Boston videos (http processing, xml processing, adapting the content to lists, custom lists, etc). When I got to pass the information from the http processed data to xml parser and the list, that's when I got too much confused and knew I didn't have enough knowledge.
Then I tried to do some "Shopping List Manager" (just like OI Shopping, a bit adapted more to my taste), in order to learn.
However, again, when I neededto pass information to other objects in other classes or something like that, I get confused and don't know what to do.
So I bought CommonsWare book, "The Busy Coder's Guide to Android", which I have the latest version (5.1) and I'm reading, but I don't like to advance when I don't fully understand something. This time I'm stuck on the Action Bar part, more precisely this one:
Code:
private void configureActionItem(Menu menu) {
EditText add=
(EditText)menu.findItem(R.id.add).getActionView()
.findViewById(R.id.title);
add.setOnEditorActionListener(this);
}
I know this will seem very basic to many of you, but I get really confused on all this calls, returning results and more calls.
I don't have a background on OOP, except when I worked with PHP frameworks like Symfony, I work usually with direct task programming (scripting, automation, etc), as I am a Linux System Administrator, so my code is mainly scripting and web interface building (Python, Shell Script, PHP, Javascript, etc).
Can anybody explain what can I do to better understand this? It's just lack of practice and in time I'll understand better? Is it OOP lack of knowledge/practice? Or is it Java lack of knowledge/practice?
Thanks a lot for all your help.
Click to expand...
Click to collapse
Thanks a lot for your help. I also think my issue is with OOP, but I needed the opinion of people with more knowledge.
I understand very well what you said about onCreateOptionsMenu(), why and when is called, Activity class, lifecycle, etc.
Those things I understand without any problem. I also understand the basics of OOP, but I don't know almost nothing about Interfaces and I don't have almost any experience with inheritance, although I understand it.
I think I'm just confused because I haven't worked very long with OOP. I just don't know if I should invest in something like reading and testing something like Thinking in Java, or just practice more and more Android Development.
Hi,
I made a new app: NFC Safe!
With NFC Safe you will be able to encrypt your private data with a NFC Tag (e.g. NFC Key Fob). You can add unlimited custom folder and entries. You will have only access to those entries with the specific NFC Tag! This is much more secure than protecting your data only with a password!
You can use any NFC Tag for this app! Your NFC Tag will be written with some data so it can only be used for this app.
NFC Safe | Windows Phone Apps+Games Store (United States)
Would be nice, if you test my app! My app is available for free!
With one of the next releases it will be also possible to encrypt/decrypt media files (images, audio, etc.)
Best Regards,
Sascha
I don't have any NFC tags on me right now nor would i really use this, but i have to say, this is a really cool idea!
While I understand if you're hesitant to post it, I'd want to review the app's source code before using it myself. Getting cryptography right, even when just using existing and well, implemented pieces, is vastly harder than getting it wrong. What algorithm do you use to encrypt the data? How about generating the key data? Are you using secure buffers? Initialization vectors? How are you detecting which key is correct for the data you're trying to access; is there a hash? What hash function? There are a lot of other important questions here, too.
With that said, the idea is fantastic. It would be especially great if you could support two-factor authentication (password + NFC tag, in this case) for extra-sensitive data, although password management in crypto has its own set of problems (what key derivation function, with what parameters? How are the password verifiers stored? Etc.)
Sorry for late reply!
xandros9 said:
I don't have any NFC tags on me right now nor would i really use this, but i have to say, this is a really cool idea!
Click to expand...
Click to collapse
Then you should buy an NFC Tag! They are really cheap. For example you could buy a NFC keyfob, so you will have your NFC tag always in your pocket and as said, such a NFC Tag costs ca. 1 USD at ebay
GoodDayToDie said:
While I understand if you're hesitant to post it, I'd want to review the app's source code before using it myself. Getting cryptography right, even when just using existing and well, implemented pieces, is vastly harder than getting it wrong. What algorithm do you use to encrypt the data? How about generating the key data? Are you using secure buffers? Initialization vectors? How are you detecting which key is correct for the data you're trying to access; is there a hash? What hash function? There are a lot of other important questions here, too.
With that said, the idea is fantastic. It would be especially great if you could support two-factor authentication (password + NFC tag, in this case) for extra-sensitive data, although password management in crypto has its own set of problems (what key derivation function, with what parameters? How are the password verifiers stored? Etc.)
Click to expand...
Click to collapse
Hi thanks for your feedback and your questions! I think you misunderstood my app. It's not a military app, where the highest security is important! My app doesn't need to encrypt the data, because the data is stored on your Windows Phone in the application data storage. Noone has access to this. If ever any person has access to those data, you and all other Windows Phone users have a very big problem!
So, my app is an app, not a Windows Application, where virus, NSA, etc. have access to your data There are a lot of apps which protect your personal data with a password. So if someone else has your phone (stolen, or a friend while you are not watching at it), he will be able to see your data, if the know your password (this is not impossible!) or guess your password! So my app protects your data with an NFC Tag. It's very comfortable to use and faster than typing a password and also more secure, because the third-person needs your phone AND your NFC Tag.
However, my app also encrypts the whole data, so even if someone have access to the application data storage, he will be unable to read your data. Windows Phone has a built in encryption mechanism, which can be used from an API. I'm using this encryption mechanism. This mechanism uses Triple-DES. It uses the user credentials and a randomly generated password (GUID with 36 chars/numbers and "-"-sign) to encrypt the data.
Hi! Welcome to XDA-Developers, where all of your assumptions about what cannot be accessed on the phone are wrong, or will be shortly!
OK, that's half a joke. But only half... as it turns out, the claim that "... Windows Phone in the application data storage. Noone has access to this." has been untrue for months. Check the Dev&Hacking forum, especially the Interop-unlock and SamWP8 Tools threads. We have the ability to access the entire WP8 file system. Currently that access is only via MTP (USB connection), but I and other people are working on extending it to homebrew apps as well.
Moving on... 3DES (even if used with a good mode of operation and a unique initialization vector, which I am guessing you probably didn't do) is obsolete and should not be used anymore. While it is considered adequate for existing code, it should not be used in new software, and cryptographers have been recommending a move to newer ciphers (such as AES) for years. As for using a GUID as a password, GUIDs are 128 bits (the dashes don't count, because they are always the same value in the same place, and each of the other 32 digits is hexadecimal only, meaning merely 4 bits of data), which is plenty if they are generated securely; however, most GUID generators do not use cryptographically secure random number generators. GUIDs are supposed to be unique (that's what the U stands for), but are not guaranteed to be unpredictable (which is one of the key requirements for an encryption key), and the way they are generated reflects this.
Oh, and good security is important in an awful lot more places than "a military app"! In fact, there's no such thing as "military-grade" encryption, really; there's only good encryption, and encryption which shouldn't be used for any purpose. For example, modern TLS (Transport Layer Security, the replacement for SSL or Secure Sockets Layer) cipher suites are intended to be secure even against governments and megacorporations (although there is of course suspicion as to whether the NSA have broken some of those cipher suites)... but TLS isn't just used on extremely sensitive stuff like top-secret documents and such, it's also used when browsing Facebook and Twitter, or accessing Gmail, or many other things of similarly minor sensitivity.
Thank you for explaining the intended use cases of the app, though. Do please be careful when making claims such as that something is "much more secure", though; you are liable to mislead people. TrueCrypt, a PC app that performs disk encryption and is intended to stand up to very powerful adversaries, uses only a password most of the time - but I would expect that, given a well-chosen password, it is more secure than this app. There are many critical components to security, and only the weakest link in the chain matters.
For what it's worth, if you are interested, I would be happy to help secure the app (on my own time, free of charge) as it sounds like something that I would quite like to use, if I could trust its security.
What exactly is your problem?!?!
I said, that noone has access to the Application Data Storage and this is true! There is no Virus available for Windows Phone and there is no App in the Store available which has access to another app's data storage! We are not talking about some special cases where the third-person already have STOLEN your device, because nothing in this world is safe! NOTHING! Everything can be hacked! Also I didnt know that all current Lumia devices were hacked. Other devices are not relevant (Nokia has a market share of more than 90%!).
The built-in encryption mechanism in Windows Phone is the same almost ANY Windows Phone app uses! Any banking app, Facebook, eBay, PayPal. The Wallet feature of Windows Phone uses it. If you have set up accounts (E-Mail, Microsoft Account, Office365, etc.) your passwords were encrypted with the SAME API my app uses. So if you think this API is totally unsafe, WHY THE HELL are you using Windows Phone? Also Windows Vista, 7, 8 and 8.1 uses THE SAME API for a lot of thinks. So please don't use Windows anymore!
I said, my app is more secure THAN AN APP which only uses a password and that is true. Also my app additionally encrypts the data and not only block the access to the data (which a lot of other apps only do!).
Please decrypt the attached file and tell me, how you did that and how long it took Thanks!
Whoa, whoa, calm down.
First of all, don't count on that "no app in the store..." business; There's *probably* no malicious app that can do so, but OEM apps can, if they have som reason to do so, access other app's install and data folders. I've written apps (using the Samsung OEM components, which are clumsy for the purpose but *do* work) to do it myself. It's not something you're likely to see in widespread use, but it's possible.
If you aren't bothering with the case of your phone being stolen, what's the point of the encryption anyhow? I mean, prevention of data loss in the event of device theft is one of *the* key use cases for data storage encryption! It's the rationale behind things like BitLocker (which is available on WP8, but only if the user has connected their phone to a company's Exchange server that pushes a policy requiring device encryption).
If you were honestly worried about market share, you probably wouldn't target WP at all; Nokia's fraction of the WP market share is lower than WP's fraction of the smartphone market share. Nonetheless, you are correct that, at this time, Nokia WP8 devices haven't been cracked. Nor have HTC's phones. I'm confident that this will change in time, though. You might have misunderstood my little joke at the start of my last post... but breaking into smartphone operating systems, getting past the lockdown policies that say "noone[sic] has access" (it's "nobody" or "no one", by the way) and taking those decisions into our own hands.
I guarantee you that the vast majority of WP apps don't use 3DES. I *know* full well that the Microsoft code doesn't; they had already deprecated that cipher years ago, when I interned there, long before even WP7 existed; its use was prohibited for new code. Just because you used the DPAPI (Data Protection API) doesn't mean you used it correctly (and by the way, that internship involved working on encryption in Windows, writing test tools for it). Please don't take this as some kind of personal insult; in my line of work (security engineer), I see a ton of misuse of cryptography. It is, as I said in my first post, hard to get right. That's why I offered to help.
I'm not going to bother taking the time to figure out what cipher you used on that file, and what its contents are supposed to look like enough to start doing any cryptanalysis, but I guarantee you it's not very good. There are repeated patterns, including long strings of null bytes, that are phenomenally unlikely to occur in a file that short after passing it through even a half-decent cipher (we're talking 1-in-several-billion chance here, no joke). Coming to this conclusion took all of a few seconds, by the way, using no tool more sophisticated than Notepad++. If I was pulling it off of a phone, I'd have a lot more idea of what type of plaintext to expect, and I could examine the decompilation of the app to see what ciphers were used, which would make things a lot easier. I'd say "for all I know, you just took the output of CryptGenRandom and put it in a file" but if you had, it wouldn't have had obvious patterns in it... in any case, it doesn't matter. I don't have to prove anything to you. I'm *trying* to help, and offer some good advice as well, but I can't force you to take it. There's no call for getting defensive, though. I wrote a file encryption utility myself one, in fact. It sucked, so then I wrote a program to break its encryption. Both experiences (but mostly the latter) taught me things.
A new version is available now, which includes image/photo encryption, OneDrive backup, bugfixes and other small improvments!
http://www.windowsphone.com/s?appid=0a8656d4-ed32-4bb5-baac-1317827e18d8
Hi,
I have a question:
My app is available in German and English since one year now! It was downloaded over 1000 times in Germany, but only 80 times in USA, UK, etc. I got 40 reviews (4-5 stars) in Germany and only one bad review in USA. So could someone explain what's wrong with my app? Is it not visible in the US Windows Phone store? Is my app very bad translated? Are there no Windows Phone users in the USA? Or maybe no one use NFC in the USA?
Best regards,
Sascha
Sorry, I don't tried your app yet but will try to answer your questions.
First, probably it's something wrong with your marketing, not the app Le me say: 1080 downloads per year - it's too small number (even 1000 in Germany). For example, my "marketplace entry ticket", "Lunar Lander Touch" app, very unpopular and underrated (but it's still one of my favorite games on WP, and good alcohol tester ), has 4078 for the year 2013.
As for NFC: I've tried to use it but stopped because of very uncomfortable WP implementation. That service should work flawlessly, without user interaction, stupid questions and dialogs, to be useful and popular. But unfortunately it's not (for the Windows Phones). Microsoft must add an option to disable NFC warnings.
P.S. I may recommend you to use "Snowden case" for advertizing
Thanks for your feedback!
Yes, I know that the download numbers are very bad, but I don't have an idea how to improve this. Because of my app is free and my private hobby I don't have money to buy ads, etc.
Improving my app had not effect. Thanks to DVLUP I "bought" ads for 50$ with AdDuplex, but this also had no effect.
It's really hard for individuals to get their apps famous and in a higher ranking in the Windows Phone Store without investing money
I understand... AdDuplex is really bad: I've tried once ($100 from DVLUP meeting plus I've bought another $100 coupon for $40) during a week - no results at all. Complained to AdDuplex support and manager gave me additional $300 for free, to spend within one day (sic! He-he, I wish to get $300 daily from my app!) - still no visible results, just a regular download fluctuations...
What you may try: advertise on more forums, prepare good pictures/screenshots; may be, video clip "howto" will be helpful. Embed RateMyApp Nokia's control (check NuGet) to your form. If you have XP on DVLUP, spend 'em for advertising campaign (these ones are extremely effective!).
P.S. I also thought about xda-based developers club, with "rate 5 stars my apps, and I'll rate yours" rule but I don't know how to implement it properly (but good customer rating is very important for the app distribution).
Thanks!
I already added RateMyApp. This was really helpfull to get more reviews. It's a pity that I had not implemented such a thing from the very first time my app was added to the Windows Phone Store :-/
I "bought" 1 week in App Social (DVLUP). Hope this helps. But it is also only in Germany.... I have enough users and reviews in Germany, I need them in USA, UK, etc. The problem with the DVLUP campaigns is, that you need at least 50 or 100 reviews (and 4,5 stars) as a requirement for the advertising. But you don't have so many reviews and that's the reason why you need the campaign to get more reviews, but you can't buy the campaign... A vicious circle!
I will do my best to get more downloads in other countries than Germany!
Hey, thanks for this app i find it realy useful.
Danke!
And here is the idea for the ad banner
Great idea
btw: Version 2.1 with new type "User Credentials" is available now!
Ok, I stopped developing, it's not worth. Sorry!
Hi all,
I'd like to share great news. Sicher, our free secure messenger finally comes to Windows Phone.
Sicher features true end-to-end encryption of both text messages and file attachments. With anonymous push notifications and the ability to set a timer for when messages will self-destruct, Sicher also includes password protection for the app itself.
Please try Sicher and share your feedback in this post.
FairyMary
Sicher Team
App is free, store link is here: EDIT: Removed because this thing looks like a scam and its description is a lie
I haven't been able to find a lot of info about how the app works (I'm talking about at a very technical level). My general advice regarding crypto code is to open it up for review, either publicly or by a professional security assessment firm (disclaimer: I work at one of those). If the code is already open for review somewhere, that would be awesome; if not, I recommend getting in touch with some external security experts (same disclaimer, but I can provide contact info if you want). The Internet is full of things that the developer claimed (and often even sincerely believed) were secure.
Aaaand just for fun, I decided to take a look at the app and see if there was anything obviously wrong. Let's start with the presence of no fewer than *three* advertisement networks, shall we? Begun Advertising is Russian and Google-owned, Google AdMob is self-explanatory, as is Microsoft Advertising Mobile. Your store description claims you
don’t use any advertising engines
Click to expand...
Click to collapse
. Did you really think nobody would check this?
WTF are you trying to pull here?!? I can't think of any way to faster burn trust in a "secure" app than to make a claim that is trivially disprovable in a way that benefits nobody except you.
I'll come right out and say it: Sicher looks like a scam!
Oh look, a Facebook library as well. Totally expected to see that, given that you
don’t integrate social network SDKs
Click to expand...
Click to collapse
Oh, and before anybody asks about responsible disclosure, that's for when there's an unintentional bug in somebody's code. This just looks like pure exploitation of your users! (I say "looks like" because I haven't actually decompiled the code to see if those libraries are being used, but it's hard to imagine why you'd have them otherwise...). The only responsible way to disclose malware is to do it publicly, and this looks malicious.
EDIT: I'll give you 24 hours to give me a good argument why I shouldn't report my findings to the stores themselves.
Time's up. You actually got over 48 hours because I was busy yesterday. Hope not too many people got scammed and tracked by your "secure" and "private" app...
Hey @GoodDayToDie, unfortunately I don't know where else to ask this, since you seem to be really interested (and skilled) in this topic, what messengers do you consider secure? WhatsApp is obvious, the only ones on Windows Phone I know of that come to my mind are Telegram and (soon) Threema.
What do you think about the two? I have basically no knowledge, but what seems odd to me about Threema is their faqs answer to "what about MITM?" they just say they use certs, hardcoded in the app. Aren't they with their servers in control then? How I understand this, the Threema servers could perfectly perform a MITM attack.
And Telegram has a completely confusing protocol.. So please share your thoughts!
I have no personal knowledge of one, sadly. Take anything I say here with a huge grain of salt (including the fact that Sicher looks like a scam; I haven't actually verified that it *uses* all those ad networks + Facebook that it integrates, just that it has them) as I'm not spending the time & effort for a full security review of these apps at this time.
Threema actually looks quite good.
Pros:
They don't try to implement the crypto themselves (they use NaCl, which is both written by people who know what they're doing, and well-reviewed).
The design of their end-to-end solution makes sense (it connects through the server since phone networks won't allow incoming/direct connections, but the messages are encrypted to only the recipient and doesn't require that the recipient be online to receive the message).
They are relatively open about how things work (although those *could* be lies; I haven't pulled the app apart).
It is possible for the user to verify the key of another user.
Cons:
They don't have Perfect Forward Secrecy on messages. PFS would require that the intended recipient be online at the start of any given conversation (to negotiate the ephemeral keys) so this isn't terribly surprising, but it is disappointing. An attacker (including a government agency) who gets access to your private key could decrypt historical traffic to you if they'd recorded it.
The app is proprietary; there's nothing stopping them from pushing a malicious update.
The server supplies the public keys of users; until such time as the user validates the other party's key (which is difficult to do except in person) the server could have sent a public key that the server has the private key for (instead of the user's own public key) and then MitM the user's traffic. This would break down when verified though, unless the app lied about the result of the verification process (you don't actually see the key itself).
To address your concern about MitM, the app says they use certificate pinning (a standard and very smart security measure, assuming they did it right) for app-to-server communication, so nobody (including third-party security engineers) can MitM the app traffic. They also claim to use PFS. However, if the server itself is untrusted (i.e. some government thugs show up to demand access, although bear in mind that apparently the servers are all in Switzerland) then the server could give you the wrong public key for a user you try and add, allowing the server to MitM you. Also, the company could push an update that is malicious.
The only protection against the server-sends-wrong-key threat is to either require that the user manually import all keys (think PGP minus keyservers and assuming trustworthy key exchanges) or exactly verify the key (i.e. personally ensure that it matches the other user's key by actually checking the bytes or at least the hash). The only protection against the malicious update is to make the source code available and have a method by which users can either compile it themselves (though see "Reflections on Trusting Trust") and/or have a way to verify the application binaries.
I'll look at Telegram later. For the moment, though, I would loosely recommend Threema once it's available. There's also Skype, of course, but while it was decompiled once long ago (and found to use secure encryption, although some non-crypto vulns were found) that was many versions ago (and, in particular, was before Microsoft bought them).