on the weakness of the encryption employed in the android-notifier


Edward Toroshchin

Oct 3, 2013, 2:41:58 PM
to android-...@googlegroups.com
Dear users and developers of android-notifier,

It has come to my attention that an encryption feature has been added
to android-notifier.

I hope the users understand that the encryption currently implemented
is quite weak.

Of course, you might argue that the notifications are not the most
sensitive data out there. However, they do contain the phone numbers,
for example. So I imagine someone one day might rely on the
android-notifier encryption.

So I want to, firstly, warn the users that the encryption would protect
only from basic sniffing and data retrieving, but would not withstand
any actual attack effort.

Secondly, I want to ask the developers to state explicitly that the
encryption is not to be relied on.

I hope I didn't offend anyone with this letter. I understand that the
developers haven't tried to create an impenetrable encryption system.
I just want to help avoid any problems that might occur from relying on
weak encryption.

Also, if developers would like to fix the encryption weakness, I'd be
glad to help.

Have a wonderful day,
--
Edward "Hades" Toroshchin
dr_lepper on irc.freenode.org

Rodrigo Damazio

Oct 3, 2013, 3:13:53 PM
to android-...@googlegroups.com
No offense at all.

Clarification from the developer: correct, the encryption will not withstand a focused attack effort, and is definitely not anything near "military-grade" encryption. It will likely prevent someone cluelessly snooping on your wifi packets from reading the notification contents, though. Anyone who is extremely concerned with the security and privacy of their notifications should not be sending them out of their phones to start with.

To clarify further, someone who wanted to grab your notifications would need to:
- Know that you have this specific app installed
- Know what wifi network you're in/your bluetooth device ID
- Gain access to that wifi network (either if it's open, or by cracking its password/key) or crack your bluetooth's pairing keys (not very easy)
- Use a packet sniffer to grab the notification packets at the moment they get sent over the air
- Use a brute-force attack to find out what your encryption password is - in other words having a computer try all different possible passwords until it finds a match, which takes either a lot of time or a lot of computers, especially if you picked a good password (not a dictionary word or similar)

Also, notice that if someone does crack into your wifi, you probably have a lot more than just notifications to worry about (e.g. the person accessing your desktop computer, downloading kiddie porn over your internet connection, etc).

As for improving the encryption, in the last few years I haven't really found the time to maintain or improve this project at all, so while the help would be appreciated, I don't think I'll be making a new release anytime soon - I did start writing a new version from scratch, but never completed it.

Thanks
Rodrigo
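The brute-force step in the reply above, as an added example that is not part of this thread or of android-notifier's code: an attacker who has sniffed one notification packet and knows a fixed part of its plaintext can try candidate passwords offline until the derived key decrypts that part correctly. The cipher (an HMAC-SHA256 counter-mode keystream), the `NOTIFY/1.0 ` header marker, the sample packet and the candidate list are all constructed assumptions for the demonstration and say nothing about how android-notifier actually encrypts. The second key derivation (PBKDF2 with many iterations) shows why the cost per guess, not only password quality, decides how long "a lot of time" is.

```python
"""Offline dictionary attack on a password-derived key (added example, toy cipher).

Assumptions (not from the thread): the packet starts with a known header,
the key is a hash of the user's password, and the attacker already holds
one captured ciphertext. Nothing here is android-notifier's real scheme.
"""
import hashlib
import hmac
import time
from typing import Callable, Iterable, Optional, Tuple

KNOWN_HEADER = b"NOTIFY/1.0 "          # constructed known-plaintext marker
SALT = b"constructed-salt-16b"         # constructed per-install salt for the slow KDF
SAMPLE_PACKET = KNOWN_HEADER + b"incoming call from +1 555 0100"  # constructed
CANDIDATES = ["123456", "password", "letmein", "hunter2", "phone1"]  # constructed


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 over a 32-bit block counter (not AES, not real)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def derive_key_fast(password: str) -> bytes:
    """One SHA-256 per guess: an attacker tests millions of candidates per second."""
    return hashlib.sha256(password.encode()).digest()


def derive_key_slow(password: str, salt: bytes = SALT, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256: every guess costs the attacker `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR with the keystream; decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


decrypt = encrypt


def crack(ciphertext: bytes, candidates: Iterable[str],
          derive: Callable[[str], bytes]) -> Tuple[Optional[str], int]:
    """Try each candidate password; stop when the decrypted prefix equals the header.

    Returns (password or None, number of guesses made). Only the first
    len(KNOWN_HEADER) bytes are decrypted per guess, which is all the check needs.
    """
    guesses = 0
    n = len(KNOWN_HEADER)
    for pw in candidates:
        guesses += 1
        if decrypt(derive(pw), ciphertext[:n]) == KNOWN_HEADER:
            return pw, guesses
    return None, guesses


def guesses_per_second(derive: Callable[[str], bytes], seconds: float = 0.2) -> float:
    """Rough single-core guess rate for a key-derivation function."""
    n = 0
    t0 = time.perf_counter()
    while time.perf_counter() - t0 < seconds:
        derive("guess%d" % n)
        n += 1
    return n / seconds


# Captured packets, constructed here: the victim chose "hunter2" in both cases.
CIPHERTEXT_FAST = encrypt(derive_key_fast("hunter2"), SAMPLE_PACKET)
CIPHERTEXT_SLOW = encrypt(derive_key_slow("hunter2"), SAMPLE_PACKET)

if __name__ == "__main__":
    print("fast KDF:", crack(CIPHERTEXT_FAST, CANDIDATES, derive_key_fast))
    print("slow KDF:", crack(CIPHERTEXT_SLOW, CANDIDATES, derive_key_slow))
    print("guesses/s, single hash :", int(guesses_per_second(derive_key_fast)))
    print("guesses/s, PBKDF2 100k :", int(guesses_per_second(derive_key_slow)))
```

Both attacks recover "hunter2" on the fourth guess because it is in the list; the difference is the per-guess cost, which is what makes a non-dictionary password survive in practice. A password that is not in the candidate list is not found, and the attacker has to keep enlarging the search space.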



