STE WILLIAMS

Popular crypto app uses XOR and nothing else, hacker says

A programmer has levelled stern criticism at the designers of a super popular encryption app they say fails its core purpose: encryption.

The programmer, using the alias NinjaDoge24, analysed the NQ Vault app and said it used only XOR (exclusive OR) to safeguard files.

NQ Vault has been downloaded more than 10 million times on the Google Play store alone and is also available on iOS.

The company behind the app stands by its product, calling its security “appropriate” and adding that messages, chats, call logs, and contact information are encrypted using AES-128.

“Image and video files are stored in a format not readily readable by other applications and can only be viewed in Vault after entering the correct password on the device,” the company says.

“These standards are appropriate for the consumer use cases this application is meant for.”

The programmer’s findings have led to critical reviews of the app on the Google Play store.

XOR is a bitwise operation common to crypto standards, but it offers little protection when used in isolation, because XOR with a fixed key is trivially reversible.

The programmer tested an image with NQ Vault, found that only part of the image file was encrypted, and quickly wrote a “dumb” tool capable of brute-force decrypting files encrypted by the app.

“Looks like a substitution cipher. What if it’s just XOR? Like just f**kin’ XOR?” they wrote.

“Everything after the first 128 bytes remains untouched … Best encryption method ever.”

Independent security bod Wade Alcorn (@WadeAlcorn) says the findings render the app insecure.

“The research suggests that the NQ’s Vault software attempts to only encrypt the first 128 bytes leaving the remainder of the file in the clear. If this is the case it should not be considered a mechanism to protect data,” Alcorn says.

“Encryption is hard, very hard! … This goes to re-emphasise one of the golden rules of secure development: do not create your own cryptographic functions.”
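As an added illustration (not code from the article, the programmer, or NQ), the following Python models the scheme as the programmer and Alcorn describe it and runs the checks a reviewer would apply to any app's “encrypted” output: how much of the file comes through unchanged, and whether plaintext XOR ciphertext collapses to a single constant. The model scheme, the sample file and the 5% threshold are assumptions made for the example.

```python
import os

# Constructed sample: a JPEG-like header followed by 1 KiB of filler, long
# enough to exercise the "first 128 bytes only" behaviour described above.
SAMPLE_FILE = bytes.fromhex("FFD8FFE000104A464946") + bytes(range(256)) * 4


def vault_like_encrypt(data: bytes, key: int) -> bytes:
    """Hypothetical scheme matching the article's description: XOR the first
    128 bytes with one key byte and pass the rest of the file through
    untouched. This models the finding; it is not NQ Vault's code."""
    head = bytes(b ^ key for b in data[:128])
    return head + data[128:]


def random_mask_encrypt(data: bytes) -> bytes:
    """Contrast case only: a fresh random mask over the whole file. Not a
    practical file-encryption design (the mask would have to be stored), but
    it shows what full-coverage, non-constant output looks like to the audit."""
    mask = os.urandom(len(data))
    return bytes(p ^ m for p, m in zip(data, mask))


def audit(plaintext: bytes, ciphertext: bytes) -> dict:
    """Compare a known plaintext with its 'encrypted' form and report the
    properties the article's findings hinge on."""
    if len(plaintext) != len(ciphertext):
        raise ValueError("audit assumes a length-preserving transform")
    pairs = list(zip(plaintext, ciphertext))
    unchanged = sum(1 for p, c in pairs if p == c)
    # Position after which every byte is passed through unchanged.
    last_changed = max((i for i, (p, c) in enumerate(pairs) if p != c), default=-1)
    # If plaintext XOR ciphertext is the same value across the whole covered
    # region, the transform is a fixed single-byte XOR mask.
    masks = {p ^ c for p, c in pairs[: last_changed + 1]}
    return {
        "unchanged_fraction": unchanged / len(plaintext),
        "covered_bytes": last_changed + 1,
        "fixed_xor_mask": masks.pop() if len(masks) == 1 else None,
    }


def is_weak(report: dict) -> bool:
    """Flag output that reduces to a fixed XOR mask or leaves more than 5% of
    the bytes in the clear; a real cipher changes roughly 255 of every 256
    bytes and shows no constant mask (threshold is an assumption)."""
    return report["fixed_xor_mask"] is not None or report["unchanged_fraction"] > 0.05


if __name__ == "__main__":
    print(audit(SAMPLE_FILE, vault_like_encrypt(SAMPLE_FILE, 0x5A)))
    print(audit(SAMPLE_FILE, random_mask_encrypt(SAMPLE_FILE)))
```

Run against the model scheme, the audit reports 128 covered bytes, a constant mask, and the rest of the file unchanged; the random-mask contrast passes both checks.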

Sophos technical chief Paul Ducklin (@duckblog) says security apps should state the encryption algorithms they use on the tin.

“Any app that claims to encrypt your data ought to state openly what encryption algorithm it uses, because there’s simply no reason not to,” Ducklin says.

“If it’s not easy to find out, choose another app. If a cryptographic product relies on the encryption ‘algorithm’ being kept secret, then you should assume that it is insecure and avoid it.”

Google has been contacted for comment regarding the app’s claims. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/04/07/uberpopular_crypto_app_uses_xor_and_nothing_else_hacker_says/
