NSA-resistant Android App 'Burns' Sensitive Messages 183
angry tapir writes "Phil Zimmermann's Silent Circle, which halted its secure mail service shortly after Lavabit, has released a messaging application for Android devices that encrypts and securely erases messages and files. The application, called Silent Text, lets users specify a time period for which the receiver can view a message before it is erased. It also keeps the keys used to encrypt and decrypt content on the user's device, which protects the company from law enforcement requests for the keys."
Seems similar to pieces of the Guardian Project.
How to crack: (Score:4, Insightful)
1. Send order to Google saying, "give us unrestricted read/write access to the persistent storage of all android devices. Oh, and you cannot tell anybody about it."
2. Download the contents of all devices, including the keys.
3. Install keylogger to capture any necessary passwords.
4. Profit!
Didn't we just talk about this? (Score:0, Insightful)
Even below the obvious design flaws, you're still running on an untrusted, if not downright hostile, platform. The simple fact is that nothing is stopping Silent Circle from betraying you or Google from undermining their efforts.
Nothing is 3letter agencies resistent (Score:0, Insightful)
They will hang you upside down or send pictures of your family until keys are revealed. Don't be people naive. They own you and the country.
You still can't control recipient devices (Score:5, Insightful)
No, it can't. The recipient could be using a tampered application that ignores the timeout directive. Or it could modify the JVM to lie to the executable about the time or refuse to fire timers. Or modify the JVM to write all the memory transactions to disk (or host) even after the application frees (or GCs) it. Or modify the screen rendering APIs to capture the rendering. Or attach with JDB over ADB and halt the executable while the plaintext is in memory and slurp it out. And, of course, there are apps in the store that will just take a video of the screen.
FWIW, I support the app and I believe the encryption-in-transit is a very worthwhile feature. But the "Burn Notice" is, from a security point of view, useless. If you trust the recipient with the plaintext, you trust the recipient with the plaintext, end of story. Anything else is DRM-esque attempts to put restrictions on a device that you do not own.
Comment removed (Score:4, Insightful)
Just Stop.. (Score:5, Insightful)
Trust No One (Score:4, Insightful)
It is closed source right? And even if it is not, you need to be able to build the binary from a vetted copy of the source and associated libraries.
Re:Very little utility here (Score:3, Insightful)
I think this gives a false sense of security.
All senses of security are false.
The NSA screwed themselves and everyone else (Score:5, Insightful)
We need an organization whose mandate is similar to the NSA. When the FBI, for instance, lawfully obtains evidence that gives them probable cause to get a warrant to invasively follow a chain of evidence, we need this information-gathering capability.
But the NSA over-stepped their bounds, broke the law, and betrayed all Americans and their allies. As a result, people are now more motivated to produce tools to evade organizations like the NSA. Because American citizens have the right to privacy, and they now have to go out of their way to get it, criminals are now gaining more sophisticated tools they can also use to evade the NSA. Looking at the other comments, the app mentioned in particular here isn't necessarily all that effective, but give it time. Pretty soon, you'll be able to put up an impenetrable wall around your data that the NSA can't break through.
The "problem" with this is that there are only two groups who will use these tools. Innocent privacy enthusiasts and criminals. The NSA will be unable to distinguish between them, essentially making rationally paranoid people targets of criminal investigations. And the NSA will be stupid about everyone else, seeing people NOT using encryption as low-hanging fruit, criminalizing countless innocent citizens merely in an effort to show that the NSA is catching *someone*, justifying their enormous budget. (In other words, they will make up criminals to justify their existance.)
If the NSA had obeyed the law, we wouldn't be in this mess, where it is inevitable that we can no longer spy on real criminals, probable cause or not.
Re:Very little utility here (Score:5, Insightful)
It isn't useless. A careful person could remove the keys every time they finish with the application. The application is simply a way to guarantee that your communication will not be intercepted, limiting what you need to worry about to the endpoints.
Re:Very little utility here (Score:5, Insightful)
If only there were some sort of secure way of exchanging keys over an insecure medium... [wikipedia.org]
Re:Very little utility here (Score:4, Insightful)
this got modded insightful?
Hint, the more broad and absolute a statement is ("all" and "false") the less likely there is to be any truth to it.
I could see it being interpreted as "funny", but it doesn't really get past the joke stage.
Re:Very little utility here (Score:5, Insightful)
1.) This is not true. You can design a mail system to store the private key on the client (html5 local storage).
Until I have some sort of assurance that the key stored in local storage, can't be sent up to the server by javascript then this gets me no where.
The NSA asks your mail service for the keys. The mail service says we don't have them... html5 local storage. NSA says ... add this line of javascript to your site. Next time I log in they have my key, and everyone else who accessed the site during that interval.
And even if we build a whole new spec with a wall of protection around the key, so the javascript just sends the encrypted text in and gets the decrypted key out and never gets its hand on the keys only then will the key be safe.
But any messages I access still are not. Because as long as I'm relying on javascript downloaded from the service to display the messages, I am vulnerable to that javascript being updated and sending that message back up to the server.
The client cannot be provided on demand by the server to have a hope in hell of being safe. Really it needs to be 3rd party, open source, audited by more 3rd parties, and the binaries I install.. well I don't... I download the source and compile it myself after checking that the hashes match the original and the 3rd party auditors. And even then, I have to trust that the NSA didn't get to everyone and conspire to publish malicious source. So to be truly safe, I have to audit it myself.
Real security from the likes of the NSA is HARD.
3.) Not true. See 1. If you authenticate using a private key you only need the password to decrypt the key and no username anymore.
True but you underestimate how little tolerance the average person has for passwords. An awful large number of people don't have login passwords to their computers and fewer still on their phones. And their mail passwords are remembered by the software so they don't have to enter them.