[liberationtech] Wicker: Déjà vu all over again

Steve Weis steveweis at gmail.com
Tue Jun 10 16:55:37 PDT 2014


I'll echo Tom: It's relatively easy and a good learning exercise to pick
apart mobile apps and see what they're doing. On that note, here's some
source generated from the Wickr Android app class files using jd-gui:
http://saweis.net/files/wickr.src.zip

That doesn't include a native library that comes in the APK, which appears
to be used for the core crypto. In that library, I see an "aes_encrypt"
function that uses ECB mode and an "aes_encrypt_improved" that uses CTR. I
don't see any authentication for CTR mode. I also don't see a safe padding
mode used with RSA.

On Tue, Jun 10, 2014 at 2:03 PM, Tom Ritter <tom at ritter.vg> wrote:

> I just want to jump in and mention again that it's entirely possible to
> pick apart applications written for Android, iPhone, Windows, Mac, etc and
> understand how they operate.  Going even deeper than just 'what they store
> on disk' and 'what they send on the wire'.  It requires a little bit of
> technological know-how, but places one could look for that expertise are
> organizations' technologists, the computer security group at one's
> university, many of the people on this mailing list, groups like Citizen
> Lab, and just following tutorials online and learning it yourself.
>
> The 'Trust but Verify' applies to open source, closed source, and that
> window of 'open source but distributes binaries e.g. through the play
> store'.
>
>
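The two properties mentioned above (ECB leaking structure, and CTR mode with no authentication accepting modified ciphertext) can be checked in a few lines without any app-specific code. The Go program below is an added example, not code from the message or from Wickr's library; it uses a constructed key, IV and nonce and only the standard library. It shows that identical plaintext blocks under ECB produce identical ciphertext blocks, that AES-CTR without a MAC returns altered plaintext with no error when a ciphertext byte is changed, and that an AEAD such as AES-GCM rejects the same modification.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed 32-byte key for the example (AES-256); not taken from any app.
var sampleKey = []byte("0123456789abcdef0123456789abcdef")

// ecbEncrypt applies the raw block function to each 16-byte block, which is
// all ECB mode is. Go's standard library offers no ECB helper on purpose.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("plaintext must be a multiple of %d bytes", bs)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// ECBRepeatsBlocks reports whether two equal plaintext blocks encrypt to two
// equal ciphertext blocks, i.e. whether the mode leaks plaintext structure.
func ECBRepeatsBlocks(key []byte) bool {
	blk := []byte("same sixteen-byt") // exactly 16 bytes
	two := append(append([]byte{}, blk...), blk...)
	ct, err := ecbEncrypt(key, two)
	if err != nil {
		return false
	}
	return bytes.Equal(ct[:16], ct[16:32])
}

// ctrXOR runs AES-CTR over data with a 16-byte IV. CTR is a keystream XOR,
// so the same call both encrypts and decrypts.
func ctrXOR(key, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// CTRAcceptsTamperedCiphertext changes one ciphertext byte and reports whether
// decryption returned different plaintext without any error. With no tag to
// verify there is nothing that can fail, so this is true for bare CTR.
func CTRAcceptsTamperedCiphertext(key []byte) (bool, error) {
	iv := []byte("constructed-iv16") // 16 bytes, constructed for the example
	msg := []byte("transfer 10 to bob")
	ct, err := ctrXOR(key, iv, msg)
	if err != nil {
		return false, err
	}
	ct[0] ^= 0x01 // one-bit change in the ciphertext
	pt, err := ctrXOR(key, iv, ct)
	if err != nil {
		return false, err
	}
	return !bytes.Equal(pt, msg), nil
}

// GCMRejectsTamperedCiphertext applies the same one-byte change to an AES-GCM
// ciphertext; the authentication tag no longer verifies and Open fails.
func GCMRejectsTamperedCiphertext(key []byte) (bool, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return false, err
	}
	nonce := []byte("nonce-12byte") // 12 bytes, constructed; never reuse per key in practice
	msg := []byte("transfer 10 to bob")
	ct := aead.Seal(nil, nonce, msg, nil)
	ct[0] ^= 0x01
	_, err = aead.Open(nil, nonce, ct, nil)
	return err != nil, nil
}

func main() {
	fmt.Println("ECB repeats identical blocks:", ECBRepeatsBlocks(sampleKey))
	ok, _ := CTRAcceptsTamperedCiphertext(sampleKey)
	fmt.Println("CTR without a MAC accepts tampered ciphertext:", ok)
	ok, _ = GCMRejectsTamperedCiphertext(sampleKey)
	fmt.Println("AES-GCM rejects tampered ciphertext:", ok)
}
```

Running it prints three `true` values. The practical point for a reviewer is the middle one: a CTR (or any unauthenticated) ciphertext should be paired with a MAC or replaced by an AEAD mode, otherwise the decrypting side cannot tell a modified message from a genuine one.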