Main Site Documentation

Secure Messaging


#1

Here’s what’s been taking me away for NETMF; an extremely secure messaging app. Share messaging and photos with AES256 encryption, push notifications and a bunch of rule options available. Screenshots are disabled too so no one can ever forward those pix :wink:

Available now on Windows Phone 8: http://www.windowsphone.com/s?appid=22b229b2-4191-4e4a-b43b-6fc20109dae5

Releases next week for iOS, Android and and more to follow. We’re already working to add even more features like secure files with even more rule options and beefier encryption (AES256 + rules and obfuscation).

Oh, and its all currently free so check it out!

(Developed alongside Global Data Sciences)


#2

@ Skewworks - When it’s available for Android, let me know!


#3

Will do!

In the mean time, here’s a sneak peak at locking down a file with rules on Win8 (x86, x64, and ARM).


#4

Just a thought, what would happen if the config file for the locking rules gets deleted? Will the use have clean access?

Because that feature could open the door for hackers to attack…
Cheers,


#5

There is no config file. The file and the rules are both encrypted and stored together int he output. No muss, no fuss.


#6

When you are ready to release it, I’d suggest sites like “WMPower User” and “WIndows Phone Central”. They are listing new and updated apps daily on their RSS feed.


#7

Thanks, I’ll keep that in mind. :slight_smile:

We’re probably about 2 months away from releasing the Win8 version. In addition to everything the WP8/iOS app does we’re adding the new file sharing/tracking and I’m rewriting the entire backend.

The new backend (which will then be incorporated into the mobile versions as well) adds long timeout requests to other areas of the app. For instance instead of sending & receiving messages like texts you can see realtime who is typing a message, etc.


#8

What if you have no internet connectivity? Are the files stored locally?


#9

Internet connectivity is not required to send or open files.

Exception: Files that are secured with rules saying it requires internet connection (such as “Track this file”, etc) will not open without connection.


#10

@ Skewworks - How are files shared locally? Is it via Bluetooth or WiFi?


#11

If the keys are stored locally, what’s to prevent me from attaching a debugger to the software and extracting the keys?


#12

FWIW - http://wmpoweruser.com/want-secure-messaging-for-your-windows-phone-all-we-need-is-a-developer/


#13

The keys are not stored locally. Let me try to walk you through this.

  1. The file itself is encoded using AES256bit encryption. It generates a key based of a password you provide. The password is required to recreate the key.

  2. The rules are also encrypted using your password and additional data.

  3. The encrypted file and encrypted rules are joined into a single packet which also contains the salts and IV (which are also encrypted).

  4. The packet is then written to a file (local or web based on the rules you selected)

  5. In order to open this file, no matter where it is, you will need the password. Just like any other encrypted file. The difference between this and any other standard AES256 file encryption is the addition of rules (which are validated by the app) and the additional obfuscation built in.

  6. The obfuscation means that even if you new the packet format and the password a normal AES256 decryption routine would fail unless you also knew the obfuscation technique, such as variable iterations, etc.


#14

However you like. A file is a file is a file. :slight_smile:

On WP8 it’ll have to either go through our server or SkyDrive since WP8 apps can’t really share outside of themselves too well. It does have a file association though so encrypted files are easily directed to the app for unlocking.


#15

Anyone with a debugger will know those things. Said person could also bypass any rules.


#16

The obfuscation isn’t simple and is based of the password. Even knowing how it’s done I doubt you could so simply undo it without the password.

As for bypassing rules, that’s really a secondary concern since to do so you’d already have to have completely broken through the encryption.


#17

Actually, if you’re that confident…I’ve uploaded a very small encrypted file here: http://www.skewworks.com/challenge.sm

If you can crack it within 1 month there is a monetary reward (which is detailed in the text of the encrypted file).

It should be nice an easy to work with being less than 2K in size and having plain text as the decoded output. It’s encrypted using AES256 with the following password: Th1s1sth3p@ ss//0rd!


#18

I’m not sure how you can confidently say that unless you’re an educated, experienced cryptographer. Maybe you are. I don’t know. If you’re not, I wouldn’t trust your word on it. What I do know is that educated, experienced, trusted cryptographers say that AES256 is already overkill (but Bruce says don’t switch off it if you’re already using it).

Anyone with the password can bypass the rules. That’s something that potential customers should know upfront. You don’t want to be the guy whose name and picture is plastered all over the news when the internet finds out that your app doesn’t really protect people’s information.


#19

Good luck to them, and you. :slight_smile:

The reward in the encrypted file is a decent size (especially considering its my own money). Let me know if you need anything like the packet format. I’m willing to give you every chance to prove me wrong. :smiley:


#20

[quote=“godefroi”]
I’m not sure how you can confidently say that unless you’re an educated, experienced cryptographer. Maybe you are. I don’t know. If you’re not, I wouldn’t trust your word on it. [/quote]
Schneier’s Law:
https://www.schneier.com/blog/archives/2011/04/schneiers_law.html

“Anyone can invent a security system that he himself cannot break. I’ve said this so often that Cory Doctorow has named it “Schneier’s Law”: When someone hands you a security system and says, “I believe this is secure,” the first thing you have to ask is, “Who the hell are you?” Show me what you’ve broken to demonstrate that your assertion of the system’s security means something.”