Tag Archives: Encryption

Andrognito Can Encrypt and Hide Any File on Android

Everyone has something to hide. With smartphones becoming deeply integrated with each and every facet of our lives, it’s only natural that they’d contain sensitive data. And, as the recent iCloud breaches have shown us, sometimes it’s better to keep private stuff on your device and within your control, instead of in cloud storage that can be hacked remotely.


Andrognito is an Android app that can hide and secure any file on your Android smartphone. The developer, Aritra Roy from Kolkata, India, named the app as a fusion of the words Android and Incognito. The app applies a 3-step process to hide and lock your files:
i) It randomly assigns a new name to the file and prepends a period (‘.’) to the file name to prevent it from being indexed by the Android media library.
ii) It places the file in a wrapper called an ADG container, and encrypts it using AES-256.
iii) It applies a strong password to the container, and renames it once again.

The algorithm used by Andrognito is device-specific, so simply copying the Andrognito container (.adg) to a different device won’t work. However, on the same device, Andrognito-encrypted files can persist through factory resets and ROM changes. The only catch is that you shouldn’t delete the ADG files and the “Andrognito/Backups” folder.

Andrognito - Setup Page

Andrognito is pretty straightforward to use. You are presented with a brief tutorial slide when you launch the app for the first time. After that you are presented with the File Explorer, which allows you to select files that you want to hide. Applying AES encryption makes the file almost impossible to crack. However, it can take a fair amount of time. Hence, Andrognito also has a Flash mode, which skips the encryption and simply repackages your content to hide it from your file manager. However, files in this mode may be viewable in other apps. Files hidden by Andrognito can be accessed from the ‘Files’ tab in the app. If you end up hiding a lot of stuff, you will find the ability to filter by file type and to add certain files to Favourites handy. The Andrognito app itself is protected by a 4-digit PIN.

Andrognito – Guide

The app has a couple of other tricks up its sleeve. The first of them is a fake Vault. You can set a dummy PIN, which when entered will open a fake vault (with 0 files). This can obviously be handy if you have a particularly nosy significant other or parents. The other neat feature is to hide Andrognito itself. If you turn on the Invisible mode, the app will be removed from the app drawer. You will be able to launch it only by dialling your PIN from the phone dialler. The app also prevents brute force attacks by automatically locking itself for 15 minutes after 3 failed attempts.

Andrognito – Select Files

Andrognito is currently in beta, but worked without a hitch for me. Go ahead, and take it for a spin. There are other similar apps, but Andrognito strikes a nice balance between simplicity and security, and is completely free.

[ Download Andrognito ]

[ Image courtesy Scott Schiller ]

Windows Phone Finally Becomes Enterprise-Ready


At today’s Windows Phone Summit, Microsoft gave a sneak peek at the next version of their phone operating system, Windows Phone 8 (WP8). Microsoft officials made it clear that this event was a platform preview more than a rundown of all new features (especially consumer-facing features) of WP8. The biggest reveal of the event was that the WP8 OS shares the core with its big brother, Windows 8. In this way, a lot of the lower level features and capabilities of Windows 8 are automatically translated over to WP8.

What I was most interested in seeing was how WP8 would improve its enterprise feature set. I have written before about how some basic features required by corporate IT are missing from Windows Phone 7.5. I am happy to report that most of the issues I had are going to be addressed in WP8. Here’s a high-level list of business-related features being added to Windows Phone:

  • Device encryption: Perhaps the single most important feature required by IT is that the device data is encrypted. Windows Phone 7.5 has isolated storage and sandboxed apps, but that is not the same as, or as secure as, full device encryption. WP8 adds BitLocker encryption to secure the entire device, including operating system and data files. Not only that, this will extend to removable microSD cards as well.
  • Secure boot: WP8 will support UEFI-based secure boot and add better app sandboxing, thereby protecting the device from increasing mobile malware threats.
  • Remote administration: Corporate IT will now be able to manage Windows Phones (including apps) just like they manage Windows PCs. Again, this could happen easily because of the shared core between WP8 and Windows 8.
  • Company hub: Windows Phone 7.5 offers no way to side load apps, and all apps have to go through the Marketplace to be deployed on devices. With WP8, Microsoft makes it possible for IT to be able to deploy apps via a Company Hub. The Company Hub can of course be used to disseminate other info, since it acts like just another app on the phone. Microsoft will provide templates and development guidance so IT departments can build such a hub for their employees.


Company Hub in Windows Phone 8

There are probably more features that relate to business use of Windows Phones which were not discussed today, like VPN support. However, the features discussed are big enough to give corporate IT an idea of how compliant WP8 will be with their stringent requirements.

Do you think these are good enough for your company’s IT department to start planning full support for Windows Phones? Let me know!

WhatsApp Security Woes; Hardcoded AES Key Used For Message Storage

It seems security is still an issue with WhatsApp. Previously, it was a vulnerability that allowed users to remotely change status names on other accounts simply by entering the mobile phone number tied to their account.

The newest issue has to do with the message storage database that WhatsApp uses to keep a log of incoming and outgoing messages. While the SQLite database is stored in a directory that is only accessible through jailbreaking or rooting a device, and the database is encrypted using AES-192, it’s unfortunately encrypted with a hard-coded and static key.

The entire contents of the database can be decrypted using the known key. The database, which is stored in /com.whatsapp/databases/msgstore.db on Android phones and ~/Documents/ChatStorage.sqlite on iOS devices, can be decrypted by supplying the key and requesting that openssl revert the database to plaintext:

openssl enc -d -aes-192-ecb -in msgstore-1.db.crypt -out msgstore.db.sqlite -K 346a23652a46392b4d73257c67317e352e3372482177652c

To make decryption easier, an online portal was created for doing the deed. Of course you’ll need a jailbroken or rooted device in order to get the encrypted database; then you can simply upload the file to http://www2.unsec.net/whatsapp/ and it will be decrypted.

Last time, it took WhatsApp just under a week to patch the hole. Fixing this issue will require an update to the client that adds a new key, hopefully one that is generated using device-specific information or something the user can input to create a strong key, and then encrypts the database again.
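The two weaknesses described above, one static key in every client and ECB mode over a SQLite file, can be illustrated with the Python standard library. This is an added example, not WhatsApp's code: derive_db_key, duplicate_block_ratio, the iteration count and the sample page are assumptions, and a keyed HMAC stands in for the block cipher because the standard library has no AES.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 16                   # AES block size in bytes
PBKDF2_ITERATIONS = 600_000  # assumption: tune to the slowest supported device

# Constructed sample: one 4096-byte SQLite-style page, header then zero padding.
SAMPLE_DB = b"SQLite format 3\x00" + bytes(4096 - BLOCK)


def derive_db_key(passphrase: str, salt: bytes, length: int = 32) -> bytes:
    """Derive a per-install key; the salt is random, generated once per
    install and stored beside the database (it is not secret)."""
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 random bytes")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS, dklen=length)


def duplicate_block_ratio(ciphertext: bytes) -> float:
    """Fraction of 16-byte blocks that repeat an earlier block: about 0.0 for
    randomised modes, high when structured data went through ECB."""
    blocks = [ciphertext[i:i + BLOCK]
              for i in range(0, len(ciphertext) - BLOCK + 1, BLOCK)]
    if not blocks:
        return 0.0
    repeats = sum(n - 1 for n in Counter(blocks).values())
    return repeats / len(blocks)


def _prf(key: bytes, data: bytes) -> bytes:
    # Keyed stand-in for the block cipher (NOT AES): only the property that
    # equal inputs give equal outputs matters for this demonstration.
    return hmac.new(key, data, hashlib.sha256).digest()[:BLOCK]


def ecb_like(key: bytes, data: bytes) -> bytes:
    """Each block transformed independently under one key, as ECB does."""
    return b"".join(_prf(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def ctr_like(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode: a fresh keystream block per position, XORed with data."""
    out = bytearray()
    for n, i in enumerate(range(0, len(data), BLOCK)):
        pad = _prf(key, nonce + n.to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], pad))
    return bytes(out)


if __name__ == "__main__":
    import os
    key = derive_db_key("correct horse battery staple", os.urandom(16))
    print("ECB-style:", duplicate_block_ratio(ecb_like(key, SAMPLE_DB)))
    print("CTR-style:", duplicate_block_ratio(ctr_like(key, os.urandom(8), SAMPLE_DB)))
```

A high ratio on an encrypted backup file is a quick audit signal that block-by-block encryption was used; a real implementation would use an authenticated AES mode from a vetted library with the derived key.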

UPDATE: As pointed out by a reader, the original research and analysis conducted on the database can be found in a PDF and there is also a WhatsApp Xtract application posted on XDA-Developers. Thanks Martina!

Computer Coders Crack A German Secret Society’s Enigmatic Cipher

The secret of the 75,000-character “Copiale Cipher” is finally out! The manuscript is an enigmatic, cryptic document, meticulously encrypted by a group of people believed to belong to an 18th-century secret German society. The characters are a mix of Roman letters and abstract symbols. It was finally broken by an international team of cryptographers.

More resources:  http://stp.lingfil.uu.se/~bea/copiale/
The cover of the Cipher

The Brute Force Approach … and “Complete Failure”

The manuscript, clad in a green and gold embroidered cover (pic above), was found at the East Berlin Academy after the Cold War. Leading the effort was computer scientist Kevin Knight of the USC Viterbi School of Engineering. He programmed his computer to track the occurrences of different commonly occurring sets of letters, aiming to find patterns and extract the grammar. The distribution of Roman and Greek characters was also a clue to the puzzle. Or so they thought.

As Knight says, this brute force approach “took quite a long time and resulted in complete failure”.

Success!

After many such frustrating efforts, they completely eliminated the Roman characters, realizing that these were meant to mislead. The team then painstakingly tried to associate modern German consonants and vowels to different symbols or symbol groups. This finally made sense. The first clear phrase in German meant: Ceremonies of Initiation. What better could you have hoped for when translating the text of a secret society?

Try Your Hand

We present a conversion table for the symbols.

Now, we present a few pages, just to give you a glimpse of what the cryptographers were up against!

First one:

Next one:

The last one

Notice the large number of Greek letters

Concluding Words

Knight, who is a world-renowned translation expert and coder extraordinaire, has designed many translation software packages that have been adopted by companies like Apple and Intel. He says:

Translation remains a tough challenge for artificial intelligence.

As long as the Babel fish doesn’t evolve or is not intelligently designed, speaking a completely abstract language shall remain a great human fascination.

Image Credits: University of Southern California and Uppsala University,  http://stp.lingfil.uu.se/~bea/copiale/

Windows Phone Mango RTM: What is still missing?


Today came the exciting and unexpected news of Windows Phone Mango’s Release To Manufacturing (RTM). The Windows Phone team has completed the release and handed it to mobile operators and handset makers to start testing the latest update to Microsoft’s mobile operating system reboot.

Windows Phone Mango has several hundred new features which have been covered at various places across the web, including some of the v1 annoyances it has resolved for me personally. Here I want to make a few comments on what still remains to be added. Granted, these are smaller in some ways than the gap that Mango closed, but it is still worth talking about what Windows Phone lacks in terms of features and functionality already available in (or announced for) iOS and/or Android.

  1. VPN functionality: Windows Phone still does not support connecting to a Virtual Private Network (VPN), typically used to connect devices to corporate networks from outside the company. iOS offers native VPN support as well as support for VPN client apps.
  2. At-rest encryption: Encryption of the storage on the device is a huge issue for corporate IT departments in being able to support a mobile device. As smartphones get more and more capable of performing computer-like tasks, and as they start storing more and more company data, they also become a huge liability in case the phones get lost or stolen. At-rest encryption protects the data on the device in such cases. Microsoft has said that the isolated storage on the device is only available to the specific app and that is how they quasi-protect the data, but I don’t think IT departments think that is enough. iOS, for example, has had encryption built into newer devices since iOS 4.
  3. Complete backup/restore: As part of the recent NoDo update, Windows Phone introduced phone backup, but it is crippled in that only Zune desktop can execute it, and it cannot really be triggered manually (on demand). iOS (iTunes) on the other hand, does provide a way to backup and restore on demand.
  4. Multiple Windows Live IDs per phone: Windows Phone links the device to a Windows Live ID which you enter during setup. This is the ID used to connect to the Marketplace for purchasing apps and other content, but more importantly, it is also the ID used to access other built-in platform services like Zune Pass music subscription and Windows Live-connected services like Facebook, LinkedIn, Twitter and obviously, Windows Live Messenger and Facebook chat. What if I want to share my purchased apps with my wife but we want to have our own Windows Live-connected services on our phones? It is impossible today without sharing a Live ID, but SkyDrive, IM, Facebook, Twitter, etc. are services which don’t translate well with a shared Live ID. On the other hand, iOS/iTunes allows you to use a different ID to purchase apps/content from the store than the one you associate with the device. So I envision that in Windows Phone you still enter a Windows Live ID at setup, which will tie the ID to all your platform services like SkyDrive, IM, Facebook, Twitter, etc., but when it comes time to purchase apps or content, you can choose which ID to use.
  5. DLNA, Play To: When Windows Phone launched, DLNA capability was used by LG as a differentiator for their phones. Now that the initial launch dust has settled, it is about time Windows Phone included DLNA/Play To feature across the OS. This will be a good response to AirPlay which is one of the few really magical technologies that have come out of Apple. If I could beam my recently captured photos/videos from my Windows Phone to the TV via the XBOX or a TV-connected Windows 7 PC, it would be awesome. 
  6. [Updated 7/29/2011] Voice commands for Music/Zune: How could I miss this one? One feature that seems to be missing from Mango is the ability to use the excellent voice commands for Music playback (including of course podcasts), including controls like pause, play, stop and skip. I hope at least this one is a surprise feature in RTM which we have not seen in the beta builds.

Do you have anything else you would add to this list? Let me know!

Encrypt and Password Protect Your Notes in Evernote

I have come to love Evernote as note-taking and idea-collecting software. I have used it extensively for the past couple of years or more to store bits and pieces of information that have come in handy all through these years.


I always had a problem with storing sensitive information in Evernote, because of the lack of security/password protection in the app. For example, if you log in to the Evernote app and leave it open, anyone who has access to your PC or mobile device can view the notes and get access to your sensitive information.


In fact, anyone who has access to the local database storage file on your PC will be able to view those notes on another PC or installation. This is a scary proposition considering how much losing sensitive information could affect you.

Luckily, Evernote provides users with a very handy feature that allows them to encrypt part of their notes. Users can use it to encrypt sensitive text in their notes (It only works with text). To encrypt your notes in Evernote, follow the steps given below.

Google Brings Enterprise Control To Android

With Android being one of the leading smartphone operating systems and very rapidly climbing the charts in deployment, it’s welcome news that Google is aligning its mobile offerings to include enterprise-level controls to compete in the business market. Google has updated its Device Policy application to include the ability for users to control their Android devices by tracking them via GPS, activating the ringer or resetting the PIN or password on the device. In the event that an employee or regular Apps user loses their device, they can use the online remote functionality to retrieve or secure their phone. Administrators and users can set up multiple devices in a new page that provides detailed information about each synchronized device (a tablet or smartphone) and plots the last known location. Devices must be running Android 2.2 or higher in order to use this feature.

Continuing along with the ability to remotely secure a device, Google Apps administrators now also have the option to force encryption for data stored on the device (supporting Android 3.0/Honeycomb tablets with encrypted storage). This will greatly reduce some of the risks that organizations take when employees wish to bring personal devices to work: it allows security provisioning against data exfiltration, ensuring that data is stored properly. Presumably, this can be done on a device-by-device basis, allowing administrators to specifically select which devices have this set.

The last minor, yet very welcome, addition is Google Apps Lookup, which provides a much easier way for users to search their corporate address book for a contact. Similar to Microsoft’s Exchange Global Address List (GAL), mobile users can enter the name of a contact (by speech or text input) and the app will automatically search the online Apps directory for the contact and provide all the available information for the user to interact with as a regular contact in their device address book. This feature is available to Android devices running 2.1 or higher and must be enabled by the Apps administrator.

With personal devices making their way into the corporate environment, many organizations are feeling the weight of providing support for numerous devices while retaining control and security over sensitive information. Google is taking steps in the right direction to take BlackBerry head-on with some competition in the enterprise market.

Via Google Enterprise Blog

Encrypted SIM Cards Coming Soon To India For Safer Communication

India is witnessing huge growth in mobile banking and net banking on the mobile phone. In order to make sure consumers are protected from mishaps while using these modern media of transactions, the Govt. of India has allowed the use of proxy SIM cards carrying digital certificates for mobile phones. This allows secure communication over SMS and email, and these digital certificates provide another layer of authentication on mobile communication.

According to the Controller of Certifying Authority of India, Mr. N Vijayaditya, the govt. is recommending the certification of proxy SIM cards with digital certificates. These are very easy to use and can be inserted on top of regular SIM cards. Use of these digital certificates can make mobile banking and mobile transactions secure.

via Tech2

Did the FBI Fail to Decrypt a Hard Drive Encrypted with TrueCrypt?

Operation Satyagraha in Rio de Janeiro has hard drives as evidence, but the problem is that these five hard drives are all encrypted using TrueCrypt. This is giving the FBI a hard time as it struggles to decrypt the files on these drives.

Operation Satyagraha took place in 2008 and the investigation has been continuing ever since. Apparently, Brazil was investigating the drives initially, and they were handed over to the FBI only when they could not handle it anymore. However, the FBI has returned the drives, saying it failed to decrypt them.

The hard drives are encrypted using AES and TrueCrypt. The FBI has been trying a dictionary attack on the files and has failed so far. The failure to decrypt these hard drives has brought immense shame to the FBI and has exposed its weakness at dealing with the technological advancements of modern times. Funnily enough, there exists no law in Brazil to force the banker to give up his passwords.

A few months ago, there was news of the FBI director missing the fact that Google Earth is not real time and does not show live data. See this hilarious news here. This proves how the security agencies in various countries are lagging behind in technology.

(Source)

Wondershare USB Drive Encryption Giveaway On May 13th

Wondershare Software will team up with Giveawayoftheday.com to provide Wondershare USB Drive Encryption for free. This is good news for those who intend to encrypt USB drives holding confidential personal and company data, to guard against data leakage from lost or stolen USB flash drives.

Originally priced at $24.95, Wondershare USB Drive Encryption is free on http://www.giveawayoftheday.com/ on May 13, 2010. Please remember that the free offer is only valid for 24 hours on May 13, 2010. Giveawayoftheday.com is a new initiative in the software distribution world, which every day offers for free licensed software that users would otherwise have to buy.

Wondershare USB Drive Encryption can help you protect USB devices with a password, preventing unauthorized users from accessing your sensitive data. With the correct password, the encrypted data is viewable on any computer, even one without USB Drive Encryption installed. It also has the ability to hide your encrypted data and protect the encrypted data from viruses.
Featuring a US military-level 256-bit AES algorithm, Wondershare USB Drive Encryption allows you to get the highest level of protection available now for your data. It’s a good option for you and your company to encrypt USB drives.

“With Wondershare USB Drive Encryption, I no longer have to worry about leaking my private photos and business secrets when my USB flash drive is misplaced, lost or stolen,” said Christina, a user of the test version of USB Drive Encryption. That is exactly what Wondershare USB Drive Encryption wants to bring to users.