Hello Everyone,
I just got my 8525 in the mail yesterday and upgraded the boot loader, radio, and WM6. I had a little trouble but in the end, all that I can't get working right is the internet for Cingular. I really appreciate all the hard work everyone puts into this. Here is my thank you, this is my first app so go easy on me.
nomb
nombCrypt
nombCrypt is an encryption program I originally made for the desktop but then decide to port it over. It uses a password you provide and encrypts either a block of text or files using 256bit Rijndael (AES). This level of encryption was given the ok to encrypt Top Secret documents. It can of course decrypt as well. This is for Windows Mobile 6. Please enjoy and every developer of course likes to get back feedback.
Planned/Requested Improvements
Truecrypt like encrypted containers
Implement Encrypted Backups (P)
Get File Encrypt Status Bar Working (P/R) <-- I'm dreading writing the working class :'(
Use Device ID As Salt Option (P)
Randomize Salt More (P)
Add More Encryption Algorithms (P)
Change File Open Dialog To Open Less (R) completed - now initially looks for *.nen (nombCrypt Enc. Files)
Encryption Password Confirmation (R) completed
Clipboard Paste Button (R) completed
Clipboard Clear Button (R) completed
Take Off Start Menu Icon (R) completed
Change Icon (R) completed
Add Exit To The Menu (R) completed
Add Time Out Feature (R) completed - (see page two for details)
Integrate nombCrypt Into WM6 More (P)
I. Encrypt MS Certificate Store (R)
Other Fixes
Improved Text Encryption So The End TextBox Is Opened Less
Added file error checking to the file decryption process
Two screenshots and the cab file are attached.
I hope you guys enjoy...
nomb
Hey! I wanted to do the same thing too! Just that I use my own XOR method (One Time Pad-like) instead. Of all the thing, it works alright, except that I can't get it to do a Copy-Paste. (see here http://forum.xda-developers.com/showthread.php?t=321014)
Also, from what it seems, I would presume that (since you uses AES), the end result would be in 'relatively' binary format (right?), which may not be very program friendly.
I was going to do about the same thing, except that I'll have my end result Base64 encoded, such that I can have them pasted to Notes and have it sycned to outlook. And I have my PC based software to do the job there (if required).
Previously, I used a software called Ccrryyppttoo, which did quite alright, but it seems that my PC is doing some coding, when synced, that makes it goes funny (i.e. cannot be decrypted anymore).
I'll PM you a demo of what I did (in Java web), of which I intended to do it in PPC
With Rijnael the resulting encrypted string/file gets encoded into base64 as well because if it didn't, all the characters wouldn't be represented. You can paste this into notes just fine.
Mine is programmed in c# so there is a clipboard function which works relatively well. If you'd like to help with this your more than welcome to. Or if you want to join your project with mine that would be cool too. I plan to support all major and a lot of minor encryption algorithms that I can find. Plus people were complaining about how the encrypted backup on the ppc should use the device id to encrypt instead of the randomly generated key so I plan to implement that as well.
I'm looking forward to seeing your demo.
nomb
Hmm.. so it is b64 encoded.. niicceee. Hmmm. . I should try out C# soon.
Anyway, there is a suggestion, I'm not sure if you have the library for it. After my symmetric cipher program, I'm in thinking about a asymmetric-public-private key cipher, which people can exchange short messages in secret (e.g. via email, IM, SMS) without the need to exchange the key/password. It is relatively done now, I'll show you the web base version once it is done. It runs on the Java security class, which I'm not sure if C# has those library or not.
The idea is, Alice go to my page, generate a pair of keys. Alice then send Bob her pub key. Bob use pub key, go to my page, encrypt the message. Send it to Alice. Alice decrypt message at my page. No software to install, no secret key exchanged.
Yup c# has the ability to do that built into its cryptography namespace.
That is a cool idea, but instead of having Alice send the key to him. You should just make a db to keep track of the keys and then have him answer a question about Alice or something like that to use the pub key. that way thats even one less step they have to worry about. Or have Alice put in his email address and have your site auto email him the pub key. That would be good too.
But sweet idea, maybe I'll make my program talk to your site.
Have you tried mine yet?
nomb
I dont like the "answer a question" method, as in that case, you might as well use the answer as the password?
Anyway, the emailing the pub key is an idea
I'm not in my own PC yet, can't send it to my phone from this PC. Will try it out later tonight.
hanmin said:
I dont like the "answer a question" method, as in that case, you might as well use the answer as the password?
Click to expand...
Click to collapse
Ya I'm at work and was hungry so I wasn't thinking strait. I don't like that idea either. ^^
I think my next step in mine is to build the background worker class to update the progress bar when you encrypt/decrypt a file.
If you just point your phone to the cab above it will install it for you. You don't need a comp unless u don't have a dataplan.
nomb
I dont have data in my plan.. although O2 gives me 1MB+ a month free.. I'm not using it.
Anyway, I've tested your software, a few comments.
Slightly major problems:
[1] It is not wise to do a 'All folders' and 'All Files' upon browsing (for file to be de/encrypt). People (e.g. me) has gazillion files around and it may take ages to load the list.
[2] You may want to pop up a Window, asking the user to confirm his/her password upon encryption (one of the thing I intended to add on mine )
[3] I'm not able to paste any data onto the 'start text' area. E.g., I have encrypted my stuff, saved it into Notes. Later, I wanted to get it back, I copy the encrypted code from my Notes, and no way of pasting it into the 'Start text'
[4] You already knew this, but, good to have some kind of progress bar to indicate the progress
[5] Hmmm.. on the browsing, there doesn't seems to have a way to find files on my Storage Card's root directory
[6] For security reason, probably it is good for you to add a 'Clear Clipboard' button?
Minor:
[1] I find it annoying that once I had the software installed, it is on my Start menu
[2] You could use a better icon, I just see a black square on my not so bright screen. I can help you on this.
[3] Add an "Exit" on the menus below?
Other possible suggestions:
[1] Have a time out on your software, such that, e.g. if there is no activity on software after a certain amount of time, it will do one/some/all of these (a) close itself (b) clear the password, input, output (c) clear the clipboard
Good suggestions, I'll have those done by tomorrow. I can't play with the storage card aspect yet because I don't have one. :'( Soon though I'm hoping to get a 4gb. And ya, i can't make icons worth any.
Oh, to past it back I always did ctrl+v from the keyboard. But I'll throw a button up there to do that. And I'll make sure to take it off of the start menu.
1 good comment would have been nice. Altho criticism is good.
nomb
Haha.. sorry for the lack of good comments, I was trying to think of something to suggest. But come to think of it my post on top are good comments (e.g. niiiiccceee Base 64 encoded), and the fact that it has the simple string->string encryption.
I did googling a bit, and found these
http://www.entity.cc/ICONS/security-icons.php
http://www.hscripts.com/freeimages/icons/computer/lock-icon.php
http://icons.qarchive.org/
which you may want to use as your icons?
Ya I was just teasing you. The icon I have now I got off of your last link at somepoint I just don't remember when. But I think I will probably use one of the others. But ya, I'll work on those fixes and then attach the updated program. Then once I get those fixes done, I'll work on adding the differnt encryption algorithms and the encrypted backups.
nomb
Did you wrote any backup software before for the PPC? I'm not really sure, but it seems that backup-ing can have a lot of issues. You have the "Copy everything" backup, the PIM only backup, etc. Some backups are ROM-flashing/upgrading friendly, some are not. You can have a backup software all standalone by itself. I would recommend you to have the backup software seperated and have encryption onto it as a plugin. Take a look at PIM-backup, it is very popular here.
Hi,
This is a very interesting thread. Thanks for your efforts so far (is there a donation link anywhere?)
A basic question...I understood that to carry out really secure encryption it would be necessary to write a filter driver that worked within the core ROM Image. Is this not the case?
Can I encrypt the MS certificate store too? The crypto protection on this store could be beefed up...
Once again I am very pleased that this thread has appeared and will be testing your software with interest,
Well done for your work so far,
Sam.
Hey there PianoSam,
First I just want to make it clear I'm not doing this to make money. If anyone donates I want it to be because they like the software. I am at work so PayPal is blocked but I'll put my donation link on the front page later today.
Also, I am going to try and incorporate the encryption as much as possible. If that is a feature you'd like, then after I get all of the previously requested changes done, I'll start on that for you.
And thank you for your kind words.
nomb
***EDITED***
Sorry I didn't answer you question at first.
Question: A basic question...I understood that to carry out really secure encryption it would be necessary to write a filter driver that worked within the core ROM Image. Is this not the case?
Answer: I pondered over this for a little while and I can't think of a reason this would be necessary. However, I've only had my phone for two days. Can you find where you saw that so I can read it as well and maybe gather a little bit on information so I can do some research on the topic? If thats what needs to be done then thats what I'll do but I can't see why. Let me know!
Added another cab with all the fixes I've completed.
nombCrypt-beta.cab <-- On the front page.
I added the donate link.
I added the timeout feature and thought I would make a comment on it.
It is a two minute timeout. Whenever you fucos on a textbox the timer is stopped and when the textbox looses focus, the timer is on. The downside to this is if you were in the middle of typing and set your device down, it wont timeout. I could make it so when you start typing into the textbox it restarts the two minutes and you have two minutes to complete your message but I didn't know if that was a good idea or not.
Also, when you copy, and go to another program to paste it in, you have two minutes before the clipboard is cleared and the program shutdown.
When the encryption program is encrypting something, the timeout is not running. It starts afterwards.
I can tweak this as much as you guys would like, just let me know.
nomb
I've tested your Beta.. niiiiiccceeeeee.. it is gooood. Almost prefect. Few things (OH NO! )
- The "Clear" button doesn't seems to be working. It is suppose to clear the clipboard only? Should you clear off everything as well?
Other requests/suggestion
<rant>
- I'm not sure why I thought I need it.. but it would be good to have a copy function for the "End Text" as well. I thought I may need it one day. Not sure why. It ought to make the screen a bit crowded, I thought.
Anyway, slightly related to the suggestion above, I've just revisited the design I made on my copy-paste-failed PPC attempt, I have this idea which I thought you might want to use it. For my design, I do not have "Start Text" and "End Text", I only have ONE TextField "Message" (and another for the password). The user enter the encrypted/plain text on this "Message". Click on the button "Encrypt" or "Decrypt", the result will then overwrite whatever that is in "Message" TextField.
Example:
(1) "Message"=<plain text>. User key in password, click "Encrypt", "Message"=<encrypted text>.
(2) "Message"=<encrypted text>. User key in password, click "Dencrypt", "Message"=<plain text>.
In such cases, you only need a pair of copy-paste to perform copy-paste on both (in a way) encrypted and plain text.
</rant>
As for the time out issue, I thought the typing-sensitive time out would be a better choice. The moment that you are worried about your data being seen is when you are away from your phone. You can have focus on your TextField but you can be million miles away from your phone. But, you ought to be around to be typing stuff, right?
BTW, I'm also wondering on the working of this time out feature. I thought there ought to be a 'clock' running and when time's up, it will clear the stuff needed to be cleared, right? So, if I were to forget to switch off the application, the timer will not be another running software that drain my battery, right?
Good work.
hanmin said:
- The "Clear" button doesn't seems to be working. It is suppose to clear the clipboard only? Should you clear off everything as well?
Click to expand...
Click to collapse
The "clear" button is in the clipboard row, i think i tagged it on the left, and only clears the clipboard. If you go to menu->reset it will clear everything like your looking for.
hanmin said:
- I'm not sure why I thought I need it.. but it would be good to have a copy function for the "End Text" as well. I thought I may need it one day. Not sure why. It ought to make the screen a bit crowded, I thought.
Click to expand...
Click to collapse
The "Copy" button copies the end text to the clipboard. Not the start text.
hanmin said:
Anyway, slightly related to the suggestion above, I've just revisited the design I made on my copy-paste-failed PPC attempt, I have this idea which I thought you might want to use it. For my design, I do not have "Start Text" and "End Text", I only have ONE TextField "Message" (and another for the password). The user enter the encrypted/plain text on this "Message". Click on the button "Encrypt" or "Decrypt", the result will then overwrite whatever that is in "Message" TextField.
Click to expand...
Click to collapse
I originally had it setup this way, however there was a time when I had wrote a huge paragraph in it and encrypted it, and then found out I had forgot a line. I switched it so this wont happen.
hanmin said:
As for the time out issue, I thought the typing-sensitive time out would be a better choice. The moment that you are worried about your data being seen is when you are away from your phone. You can have focus on your TextField but you can be million miles away from your phone. But, you ought to be around to be typing stuff, right?
Click to expand...
Click to collapse
The timeout I have running in it now, (new version that isn't up yet), is completely off of the user's actions. Whenever you do anything in the program the timer resets. Except for encrypting/decrypting. The timer is off for those functions incase you encrypt a file that takes longer.
hanmin said:
BTW, I'm also wondering on the working of this time out feature. I thought there ought to be a 'clock' running and when time's up, it will clear the stuff needed to be cleared, right? So, if I were to forget to switch off the application, the timer will not be another running software that drain my battery, right?
Click to expand...
Click to collapse
The timeout feature does not clear everything in the program. I have it so it actually completely closes the program. So if you forget to close it and walk away, the program will end so it doesn't drain your battery.
hanmin said:
Good work.
Click to expand...
Click to collapse
Thanks, wait till you see the next version...
nomb
I got the progressbar working for encryption, now for decryption.
So, here is the situation:
I'm a Magic: the Gathering player and I love to design cards for fun. There is a bit of software called Magic Set Edtior that lets you make and store collections of custom made cards on the PC. My goal is to make a similar program for android. However, I'm relatively unfamiliar with how android apps are developed, and I have one major problem starting out:
Basically, the program needs to be able to open, create, edit, and save sets of cards that each have a few features. How do I store data for these sets? How would I accomplish that sort of file system? Should I just have the app create a internal database for each set the user makes? Are there limits to how many databases can be created by a single app? I'm probably not being as clear as I could be, and I realize that this project is probably (far) beyond my abilities - but I'd appreciate any help and would be happy to clarify anything that doesn't make sense. I'll post progress once I get this off the ground!
Check out the notepad demo at developer.android.com, it should be a good starting point for what you are trying to do
Sweet! I'll take a look. Thanks for your help ^_^
One more thing about databases, then: If the app has an internal database and I release an update for the app that modifies fields in the database, does the information get wiped? (for example, say that the tables in the db have three fields: name, cost, rules, and i issue an update that adds a "stats" field. Would that clear out the current cards in the database?)
Basically, I just want to be sure that using databases to store the sets of cards is the best, most efficient way to do this (So I won't end up having to re-code that entire bit of app).
So, databases are confusing... At least, how android works with them sure as hell is @[email protected]
So, what ive got now is that I need to make a database to store the individual card data... however, I also need to store general information about the set as well. So, do I make one new writeable database per set created, or is there a way to just use one database, and one table per set? (though I dont think you can store general info about a table that applies to each row, can you?)
Or apply for appinventor from googlelabs. Its fast and easy, should suite your purpose. Also has ability to communicate via web.
goodluck
I did apply. I'm hoping they get it too me soon.
Roid1 said:
Or apply for appinventor from googlelabs. Its fast and easy, should suite your purpose. Also has ability to communicate via web.
goodluck
Click to expand...
Click to collapse
I've got accepted like a week ago. Sad part is. You can't upload apps made to the market
sent from my pimp hero running Froyo CM6 and the XDA app
The Vulnerability
In recent updates to some of its devices, HTC introduces a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users' devices, easier remote analysis, corporate evilness - it doesn't matter. If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in.
That is not the case. What Trevor found is only the tip of the iceberg - we are all still digging deeper - but currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:
the list of user accounts, including email addresses and sync status for each
last known network and GPS locations and a limited previous history of locations
phone numbers from the phone log
SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info
Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the Market that only asks for the INTERNET permission (to submit scores online, for example), you don't expect it to read your phone log or list of emails.
But that's not all. After looking at the huge amount of data (the log file was 3.5MB on my EVO 3D) that is vulnerable to apps exploiting this vulnerability all day, I found the following is also exposed (granted, some of which may be already available to any app via the Android APIs):
active notifications in the notification bar, including notification text
build number, bootloader version, radio version, kernel version
network info, including IP addresses
full memory info
CPU info
file system info and free space on each partition
running processes
current snapshot/stacktrace of not only every running process but every running thread
list of installed apps, including permissions used, user ids, versions, and more
system properties/variables
currently active broadcast listeners and history of past broadcasts received
currently active content providers
battery info and status, including charging/wake lock history
and more
Let me put it another way. By using only the INTERNET permission, any app can also gain at least the following:
ACCESS_COARSE_LOCATION Allows an application to access coarse (e.g., Cell-ID, WiFi) location
ACCESS_FINE_LOCATION Allows an application to access fine (e.g., GPS) location
ACCESS_LOCATION_EXTRA_COMMANDS Allows an application to access extra location provider commands
ACCESS_WIFI_STATE Allows applications to access information about Wi-Fi networks
BATTERY_STATS Allows an application to collect battery statistics
DUMP Allows an application to retrieve state dump information from system services.
GET_ACCOUNTS Allows access to the list of accounts in the Accounts Service
GET_PACKAGE_SIZE Allows an application to find out the space used by any package.
GET_TASKS Allows an application to get information about the currently or recently running tasks: a thumbnail representation of the tasks, what activities are running in it, etc.
READ_LOGS Allows an application to read the low-level system log files.
READ_SYNC_SETTINGS Allows applications to read the sync settings
READ_SYNC_STATS Allows applications to read the sync stats
Theoretically, it may be possible to clone a device using only a small subset of the information leaked here.
I'd like to reiterate that the only reason the data is leaking left and right is because HTC set their snooping environment up this way. It's like leaving your keys under the mat and expecting nobody who finds them to unlock the door. For a more technical explanation, see the section below.
Additionally, and the implications of this could end up being insignificant, yet still very suspicious, HTC also decided to add an app called androidvncserver.apk to their Android OS installations. If you're not familiar with the definition of VNC, it is basically a remote access server. On the EVO 3D, it was present from the start and updated in the latest OTA. The app doesn't get started by default, but who knows what and who can trigger it and potentially get access to your phone remotely? I'm sure we'll know soon enough - HTC, care to tell us what it's doing here?
Technical Details
In addition to Carrier IQ (CIQ) that was planted by HTC/Sprint and prompted all kinds of questions a while ago, HTC also included another app called HtcLoggers.apk. This app is capable of collecting all kinds of data, as I mentioned above, and then... provide it to anyone who asks for it by opening a local port. Yup, not just HTC, but anyone who connects to it, which happens to be any app with the INTERNET permission. Ironically, because a given app has the INTERNET permission, it can also send all the data off to a remote server, killing 2 birds with one stone permission.
In fact, HtcLogger has a whole interface which accepts a variety of commands (such as the handy :help: that shows all available commands). Oh yeah - and no login/password are required to access said interface.
Furthermore, it's worth noting that HtcLogger tries to use root to dump even more data, such as WiMax state, and may attempt to run something called htcserviced - at least this code is present in the source:
/system/xbin/su 0 /data/data/com.htc.loggers/bin/htcserviced
HtcLoggers is only one of the services that is collecting data, and we haven't even gotten to the bottom of what else it can do, let alone what the other services are capable of doing. But hey - I think you'll agree that this is already more than enough.
Patching The Vulnerability
... is not possible without either root or an update from HTC. If you do root, we recommend immediate removal of Htcloggers (you can find it at /system/app/HtcLoggers.apk).
Stay safe and don't download suspicious apps. Of course, even quality-looking apps can silently capture and send off this data, but the chance of that is lower.
Affected Phones
Note: Only stock Sense firmware is affected - if you're running an AOSP-based ROM like CyanogenMod, you are safe.
EVO 4G
EVO 3D
Thunderbolt
EVO Shift 4G? (thanks, pm)
MyTouch 4G Slide? (thanks, Michael)
the upcoming Vigor? (thanks, bjn714)
some Sensations? (thanks, Nick)
View 4G? (thanks, Pat)
the upcoming Kingdom? (thanks, Pat)
most likely others - we haven't verified them yet, but you can help us by downloading the proof of concept above and running the APK
HTC's Response
After finding the vulnerability, Trevor contacted HTC on September 24th and received no real response for five business days, after which he released this information to the public (as per RF full disclosure Policy). In my experience, lighting fire under someone's ass in public makes things move a whole lot faster, which is why responsible disclosure is a norm in the security industry. (This is where we come in.)
As far as we know, HTC is now looking into the issue, but no statement has been issued yet.
HTC, you got yourself into this mess, and it's now up to you to climb out of the hole as fast as possible, in your own interest.
The ball is in your court.
Credit
ANDROID POLICE
Huge thank you to Trevor Eckhart who found the vulnerability and Justin Case for working with us today digging deeper.
Hi there, I need help, someone is consistently hacking into my phone, htc evo 4g, they are penetration testers and pc savvy, currently I cant login to the phn for trying to do a factory reset. They kept intercepting me and now my password does not work. Who knows maybe they changed it on their side. I wrote down everything I saw. I was seeing all these process running for the same app. in my applications. My phone was getting hot, freezes but its people that live in my apt complex and at work. can you help?
zzm5 said:
Hi there, I need help, someone is consistently hacking into my phone, htc evo 4g, they are penetration testers and pc savvy, currently I cant login to the phn for trying to do a factory reset. They kept intercepting me and now my password does not work. Who knows maybe they changed it on their side. I wrote down everything I saw. I was seeing all these process running for the same app. in my applications. My phone was getting hot, freezes but its people that live in my apt complex and at work. can you help?
Click to expand...
Click to collapse
Is your device rooted?
I used root explorer and removed the HtcLoggers.apk and other than the forced close loop that removing it caused (requiring me to remove the battery), after rebooting all seems to be working fine.
EDIT: Actually I didn't just delete HtcLoggers.apk but moved it to a safe location on the SD Card in case there was a problem and it needed to be restored. I highly suggest you do this instead of just deleting it, or better yet, a nandroid backup.
there are a few good ROMS out there that have the ICQ loggers removed already.
Do we really need three threads on the front page about the same thing?