WhatsApp Security Woes; Hardcoded AES Key Used For Message Storage

It seems security is still an issue with WhatsApp. Previously, it was a vulnerability that allowed users to remotely change status names on other accounts simply by entering the mobile phone number tied to their account.

The newest issue has to do with the message storage database that WhatsApp uses to keep a log of incoming and outgoing messages. While the SQLite database is stored in a directory that is only accessible through jailbreaking or rooting a device, and the database is encrypted using AES-192, it’s unfortunately encrypted with a hard-coded and static key.

The entire contents of the database can be decrypted using the known key. The database, which is stored in /com.whatsapp/databases/msgstore.db on Android phones and ~/Documents/ChatStorage.sqlite on iOS devices, can be decrypted by supplying the key and requesting that openssl revert the database to plaintext:

openssl enc -d -aes-192-ecb -in msgstore-1.db.crypt -out msgstore.db.sqlite -K 346a23652a46392b4d73257c67317e352e3372482177652c

To make decryption easier, an online portal was created for doing the deed. Of course you’ll need a jailbroken or rooted device in order to get the encrypted database; then you can simply upload the file to http://www2.unsec.net/whatsapp/ and it will be decrypted.

Last time, it took WhatsApp just under a week to patch the hole. Fixing this issue will require an update to the client that adds a new key – hopefully one that is generated using device-specific information or something the user can input to create a strong key – and then encrypts the database again.
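The fix suggested above, sketched as an added example (this is not WhatsApp's code and not part of the original article): a per-install random salt plus user input is run through PBKDF2 to produce a 24-byte AES-192 key, so no key ships inside the app. The header layout, the `MAGIC` tag, the iteration count and all function names are assumptions made for illustration.

```python
import hashlib
import os
import struct

# Static key quoted in the article: the same 24 bytes (AES-192) on every install.
HARDCODED_KEY = bytes.fromhex("346a23652a46392b4d73257c67317e352e3372482177652c")

MAGIC = b"DBK1"                     # hypothetical header tag for this example
SALT_LEN = 16
KEY_LEN = 24                        # AES-192, matching the key size in the article
ITERATIONS = 600_000                # assumed work factor; tune for the target device
HEADER = struct.Struct(">4sI16s")   # magic, iteration count, salt


def new_header(iterations=ITERATIONS):
    """Create the header stored in front of the encrypted database file."""
    return HEADER.pack(MAGIC, iterations, os.urandom(SALT_LEN))


def parse_header(blob):
    """Return (iterations, salt); raise ValueError on a malformed header."""
    if len(blob) < HEADER.size:
        raise ValueError("header truncated")
    magic, iterations, salt = HEADER.unpack_from(blob)
    if magic != MAGIC:
        raise ValueError("unknown header magic")
    # Reject absurd work factors, e.g. a header edited down to 1 iteration.
    if not 100_000 <= iterations <= 10_000_000:
        raise ValueError("iteration count out of accepted range")
    return iterations, salt


def derive_db_key(passphrase, header):
    """Derive the database key from user input plus the per-install salt."""
    iterations, salt = parse_header(header)
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def demo():
    """Two installs with the same (constructed) passphrase get different keys."""
    phone_a, phone_b = new_header(), new_header()
    key_a = derive_db_key("constructed sample passphrase", phone_a)
    key_b = derive_db_key("constructed sample passphrase", phone_b)
    again = derive_db_key("constructed sample passphrase", phone_a)
    return key_a, key_b, again


if __name__ == "__main__":
    key_a, key_b, again = demo()
    print("install A key:", key_a.hex())
    print("install B key:", key_b.hex())
    print("A re-derived from its header matches:", key_a == again)
    print("static key, identical on every install:", HARDCODED_KEY.hex())
```

With this scheme a database copied off one device cannot be decrypted with a value published once for all users; an attacker needs that install's header and the user's input.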

UPDATE: As pointed out by a reader, the original research and analysis conducted on the database can be found in a PDF and there is also a WhatsApp Xtract application posted on XDA-Developers. Thanks Martina!

HP’s Roadmap for webOS Open Source Initiative

While it’s not news that HP have begun their open sourcing efforts for webOS, the fact that they have published their official roadmap for the project is.

Back in 2011, HP decided to open source webOS. They flogged their TouchPads and made a bunch of money. They couldn’t find any buyers to sell the platform they built from the ground up. They decided their best choice was to throw open the doors and give it away for free. It’s taken just under 2 months for them to release anything, and today they have.

The HP webOS Developer Blog has posted the official announcement of their efforts in open sourcing their JavaScript Application Framework – Enyo. Enyo is a completely cross-platform, open source, highly customizable and extensible application framework. Open sourcing Enyo was the first step in the roadmap, with only 5 days left before a soft deadline.

According to their press release, HP hopes to have completed open sourcing of webOS by the end of August 2012, when they release “Open WebOS 1.0”. Scratch the first entry, it’s done.

  • January: Enyo 2.0 and Enyo source code Apache License, Version 2.0 
  • February: Intended project governance model, QT WebKit extensions, JavaScript core, UI Enyo widgets
  • March: Linux standard kernel, Graphics extensions EGL, LevelDB, USB extensions
  • April: Ares 2.0, Enyo 2.1, Node services
  • July: System manager (“Luna”), System manager bus, Core applications, Enyo 2.2
  • August: Build release model, Open webOS Beta, Open webOS 1.0

Hopefully by August, HP will have completely weeded out any and all binary blobs from webOS, open sourced all the bits under the hood, and packaged it with the proper license (Enyo is licensed under Apache 2.0) that truly gives developers, enthusiasts, hobbyists, and hackers the ability to push webOS forward.

Although HP has indicated they have a good interest in using webOS in the near future, putting it all out there with a hands-off approach would likely better the chances of a bright future for webOS. Nokia did it with Maemo and there is a very strong and smart community who are still using and developing for devices that were EOL’d a long time ago. The webOS community is full of resilient, bright, and talented people who will take webOS under their wing.

All webOS needs is some new hardware. If the above image is what you have in mind and you work at HP, please walk yourself off a cliff before you ruin all the hard work Palm did.

Canadian Coder Given Death Sentence By Iranian Supreme Court

The Iranian Supreme Court has overturned a previous sentence and approved the execution of Canadian resident, Saeed Malekpour.

Malekpour was arrested in 2008 and detained at Evin prison in Tehran for over a year without being formally charged. His crime? He created software that allowed pictures to be uploaded. His punishment? The death sentence. His software was allegedly used to upload pornographic images to a pornographic website. A court in Tehran sentenced him to the death penalty after he confessed to “acting against national security through propaganda”. He later withdrew his confession, stating he had given it under extreme duress and torture.


This is not the first time the death penalty has been handed down for ‘online expression’. While Amnesty International indicates 39 people have already been put to death since the beginning of 2012, the Iranian government has only officially avowed 17 executions.

In March of 2010, Saeed wrote an open letter while he was in prison. It details what “physical and psychological torture” he received at the hands of the “Revolutionary Guards Cyber Counterattack” team in order to extract a confession from him.

Some of the confessions they forced me to make were so ridiculous and far-fetched that they are not even possible.

For example, they asked me to falsely confess to purchasing software from the UK and then posting on my website for sale. I was forced to add that when somebody visited my website, the software would be – without the visitor’s knowledge – installed on their computer and would take control of their web cam, even when their web cam was turned off. Although I told them that what they were suggesting was impossible from a technological point of view, they responded that I should not concern myself with such things.

United For Iran has started an initiative to raise awareness of Saeed’s case. It is truly frightening that a person can be held in a prison for over a year, receive the death penalty from a Supreme Court, and be executed for creating completely benign and legal software.

 

Via Sophos

Nokia Breaks Their Billion S40 Mark

Break out the bubbly, Nokia has officially broken a billion sales of their Series 40 handsets. 1.5 billion to be exact.

In their effort to bring Series 40 to the emerging masses, Nokia promised to reach the “next billion”. Today Nokia announced they have broken 1.5 billion S40 handsets sold. The Nokia Asha 303 was the lucky handset to be handed off to the lucky purchaser, 21 year old Mayara Rodrigues. With a celeb-like fanfare, Mayara met with Vice President of Nokia Brazil Almir Narcizo, and Retail Network President, Luiza Helena Trajano for their inaugural moment (pictured above).

It was Mary McDowell who promised Nokia would help “connect the next billion”. She was referring to emerging markets, new smartphone owners and people who are using their first internet connection from a mobile phone. As the Executive Vice President for Nokia, McDowell is incredibly proud to reach this milestone.

“Having 1.5 billion Series 40 devices sold is a hard-to-reach mark, let alone one attainable in a single line of products. At a time when we are maintaining our commitment to connecting the next billion customers around the world – it is gratifying to consider how Series 40 devices have made mobile technology accessible and help continue to change people’s lives for the better.”

It’s fitting that the 303 was the device Mayara chose, as the name Asha is Sanskrit for ‘hope’. Announced at Nokia World 2011, the Nokia Asha 303 is a Touch and Type Series 40 handset. It features a full hardware QWERTY keyboard and a touchscreen, for dual functionality. The milestone mobile was purchased from a Magazine Luiza store in São Paulo. Mayara purchased it as she “loves staying in touch with friends and family through social networks.”

Hey Nokia, what’s cooler than a million billion? The next billion.

iPhone 4S & iPad 2 Untethered iOS 5.0.1 Jailbreak Available

Jailbreakers rejoice, the long awaited and highly anticipated untethered jailbreak for iOS 5.0.1 on the iPhone 4S and iPad 2 is finally available.

It was only a few days ago that the first untethered iOS 5.0.1 jailbreak was shown off on video. It was functional, but declared to still be in testing. Fast forward just 4 days later, and a public release is available for all to download. The Chronic Dev team have announced they have packaged the exploits that allow execution of unsigned code (code named Absinthe A5) into a working untethered jailbreak. Both the iPhone 4S (GSM and CDMA variants), as well as the iPad 2 (GSM, CDMA and Wi-Fi only variants) are targeted and supported in this release.

It took a mass of crash reports, over 10 million, and almost 10 months of work for the team to find an entry point and exploit the new A5 chip. The exploit consists of a series of both userland and kernel level exploits that were dubbed ‘corona’. The name comes from a vulnerability that was in Apple’s IPSec IKE daemon, named ‘racoon’. Although the app released today, for jailbreaking current iPhone 4S and iPad 2 devices, is only available for Mac OS X users, there is a placeholder for Windows and Linux users. Their respective applications will likely be available soon and will be as simple as a point and click.

In addition to the tools being released, the “iOS Hacking Dream Team” has spawned. It consists of members from the Chronic Dev team (posixninja, pod2g and nikias) and the iPhone-dev team (planetbeing). Both teams have donation pages to thank them for their work and provide funds for hardware upgrades to ensure future devices can be jailbroken.

Microsoft Announces ‘Visual Studio Achievements’ for Developers

Need bragging rights as a developer? Don’t have enough points and badges from Xbox Live? Well, Microsoft has the answer for you, Visual Studio Achievements!

In what seems to be an effort to rile developers up through ‘gamification’, Microsoft has announced a beta campaign called “Visual Studio Achievements”. By installing the Visual Studio Achievements Extension, you can unlock badges and earn points by simply writing code that you were already going to write! Analysis is done in the background each time you compile your project to test it. When you hit a certain objective, you unlock an achievement.

Next comes the leaderboard. All the points and badges you earn are tallied into a score and you’re stuck up onto an online leaderboard with all other registered developers who are taking part in the campaign. You can view challenging developer points, avatars and maybe eventually see what they are working on. It would be a great way to get developers to collaborate on ideas and projects.

If sharing your achievements with like-minded developers wasn’t enough, you can share badges through Twitter and Facebook. This can help you raise awareness for your application, and get recognition from your peers.

There are over 32 different badges you can unlock, from as easy as loading more extensions into Visual Studio, to as hard as having 50 different projects tied to a single solution.

There are fun badges, like the “Potty Mouth” achievement, which rewards you for using 5 different curse words in a project, or the “Time for an Upgrade” badge that is unlocked if your project takes over 10 minutes to compile. It’s a simple way to add a level of fun to programming and give developers a way to show off their skills.

Nokia Still Showing Love to the N9 – PR1.2 Right Around the Corner

Even though Nokia has gone full tilt to Windows Phone 7, and in the process, taken the design of the recently announced Lumia 800/900 from the N9, they are adamant in providing updates to the dead-on-arrival handset.

Just shy of 2 months from the PR1.1 update, Nokia Developer has announced that PR1.2 will become available for registered developers and participants in the N950 Developer Program. It will be in a beta stage for testing and provided to ensure application compatibility before full public launch on the N9.

Among the 3,500 expected changes, the ability to create folders on the homescreen, copy and paste in the browser, and face recognition within the camera, are the top additions. Although no official changelog has been released, likely due to the fact that the OneClickFlashers for the N950 have not been released, screenshots from an N9 already running PR1.2 have been shared online.

While Nokia does have a fairly strong track record of providing updates and fixing serious bugs on released devices, some have indicated that PR1.2 will be the last update for the N9, as the company moves forward headstrong with Windows Phone 7. Hopefully the update also brings with it, the much requested (and promised) ‘open-mode’, giving developers more low level system access — which will also allow the community to continue updating their devices when Nokia stamps it as EOL.

If you’re a lucky (or unlucky) user of an N9, you’ll likely be waiting anywhere from a few weeks to a few months until PR1.2 is officially released for your N9. Hang in there, this might be the last hurrah for you and your coveted MeeGo device.

iPhone 4S iOS 5.0.1 Untethered Jailbreak Shown Off

If you’ve been waiting for your precious iPhone 4S to receive a jailbreak, you’ll need to keep waiting just a bit longer.

Affiliate and member of the Chronic Dev Team, pod2g and DHowitt, have posted a video showing the successful jailbreak of iOS 5.0.1 on the newest iPhone 4S hardware. While owners of previous generation devices such as the iPad, iPod Touch and iPhone 4 and 3GS have had a jailbreak for 5.0.1 for a few weeks now, the newer A5 chip proved to be a bit more difficult.

The video shows off an iPhone 4S running iOS 5.0.1, complete with Siri, powered on and off after having been jailbroken. With full access to Cydia and an untethered restart, it’s a fully functional and end-user ready jailbreak. Hopefully the exploit can be packaged into the currently available tools and released once it’s been fully tested.

Be sure to watch the official page for a release by the Chronic Dev Team. It’s also highly likely that the iPhone-dev team will have their tools updated with the new exploit for eager jailbreakers soon.

Google Chrome Vulnerable to Secure Address Bar Spoofing

If you thought the site you were browsing was secure simply due to the little s at the end of HTTP, you may want to re-evaluate.

Security researchers at ACROS have posted details concerning a vulnerability in versions 14 and 15 of Google’s Chrome browser. The issue comes from an inconsistency that Chrome has when following and rendering redirections to other web pages. This means that an attacker can redirect a visitor to a page that looks identical to a legitimate page, with a real looking HTTPS URL, when in fact they are not on the expected page. This can lead to theft of credentials, credit cards and other personal information.

The crux of the issue comes down to Chrome being very quick to update the address bar, even before any of the page content has actually loaded. This allows the researchers to change the destination without it being reflected in the address bar. Most users will “confirm” they are on the correct page simply by reading the address bar and matching it with what they are looking at, especially when the majority only visit a handful of specific websites.

While the newest releases of Chrome (16, beta and above) have had this issue resolved, Google’s browser holds a relatively large market share of approximately 20% worldwide. That’s more than 70 million. If over 75% of those users have an updated version, one can speculate that roughly 1.7 million users are susceptible to this attack. With Google’s auto-update mechanism, it’s highly unlikely that there are so many old installations.

At Techie-Buzz alone, more than 1 million of the 3.5+ million visitors use Chrome. Google Chrome has been growing at a very rapid rate, pushing Microsoft’s Internet Explorer and Mozilla’s Firefox lower and lower. Chances are, you’re using Chrome because it’s fast, so if you want to stay as safe as possible, keep Chrome updated and take a look at some of the popular security/privacy extensions.

Nokia’s Qt on RIM’s PlayBook

Nokia’s defunct Qt software stack is headed to RIM’s dead PlayBook tablet. Will 2 wrongs make a right?

In an email to the Qt Project mailing list, Nokia’s Strategic Account Manager, Adam Weinrich has voiced his plans to coordinate a Qt keynote at RIM’s BlackBerry DevCon in Amsterdam, as well as developer outreach at Mobile World Congress in February 2012.

There is a Qt port for QNX/BBX/RIM devices.

Let’s get this ecosystem involved in the Qt-Project!

Yes, I know, the code is not yet in the Qt-Project repository but it should be forthcoming. The QNX/BBX/RIM ecosystem are very open to engaging with the Qt community and the Qt Project.

I am coordinating a Qt keynote and training at the Blackberry DevCon in Amsterdam in February http://www.blackberrydevcon.com/ as well as doing outreach to their developers at Mobile World Congress. They are offering discounts to these events to Qt-Project community.

The Qt Developer Experience team will also be showing off Qt on the current playbook at the Qt booth at CES and MWC. Those who already own a playbook, develop for Blackberry devices or are interested in becoming involved are encouraged to get involved with this new Qt port.

Let me know if you have any insight or interests in making this a win-win for Qt and this new community.

Cheers, Adam

Qt is a cross-platform application and UI framework. It’s available for Nokia’s past platforms – Symbian and MeeGo, with unofficial ports for iOS, webOS and Android, as well as solid support for Linux, Mac and Windows on the desktop. While this is a good way to increase the footprint of Qt on embedded and mobile devices, the PlayBook has seen less than enthusiastic sales.

With RIM rumoured to be releasing new BBX BlackBerry 10 devices in late 2012, there is a very good chance that Qt on QNX will be polished and highly functional; with apps and games in tow, hopefully. Although the PlayBook has hit an all-time low of $199, the BlackBerry development team are said to be providing hardware at a discounted rate for developers who are interested in the platform.

Is this a move from Nokia to make Qt relevant? Is this a push from RIM to make the PlayBook relevant, while selling devices to bolster sales numbers? Either way, it’s an effort from both companies and it’s sure to make Qt enthusiasts rejoice.