Comments on: Breaking into an Android password manager – Practice http://blog.labix.org/2009/12/05/breaking-into-an-android-password-manager-practice by Gustavo Niemeyer Mon, 12 Jul 2010 15:09:58 +0000 hourly 1 http://wordpress.org/?v=3.0 By: Rik Hemsley http://blog.labix.org/2009/12/05/breaking-into-an-android-password-manager-practice/comment-page-1#comment-75412 Rik Hemsley Mon, 22 Feb 2010 15:00:21 +0000 http://blog.labix.org/?p=230#comment-75412 I'd like to see your analysis of keepassdroid. I’d like to see your analysis of keepassdroid.

]]> By: gbrors http://blog.labix.org/2009/12/05/breaking-into-an-android-password-manager-practice/comment-page-1#comment-72554 gbrors Mon, 07 Dec 2009 19:52:01 +0000 http://blog.labix.org/?p=230#comment-72554 By the way I own and have read parts of the books "Practical cryptography" and "Applied Cryptography" by Bruce Schneier. Even with open source solutions you are forced to enter a long and cryptic master key if you want to defeat brute force attacks.I guess that 99.5% of the users would not do it, but use a weak master key that can be broken with brute force attacks. My solution with the "unlock key" was wrong, but right now I see no real solution to the problem, because the Java cryptography API implemented in the Android system helps brute force attacks by throwing an exception when trying to decode with a wrong master key. If it did not, but just gave back some randomly decoded bytes, I could develop a much more clever solution similar to one that was developed by a German research institute: http://www.mobilesitter.de/en/result.htm By the way I own and have read parts of the books “Practical cryptography” and “Applied Cryptography” by Bruce Schneier. Even with open source solutions you are forced to enter a long and cryptic master key if you want to defeat brute force attacks.I guess that 99.5% of the users would not do it, but use a weak master key that can be broken with brute force attacks. My solution with the “unlock key” was wrong, but right now I see no real solution to the problem, because the Java cryptography API implemented in the Android system helps brute force attacks by throwing an exception when trying to decode with a wrong master key. If it did not, but just gave back some randomly decoded bytes, I could develop a much more clever solution similar to one that was developed by a German research institute: http://www.mobilesitter.de/en/result.htm

]]> By: Gustavo Niemeyer http://blog.labix.org/2009/12/05/breaking-into-an-android-password-manager-practice/comment-page-1#comment-72524 Gustavo Niemeyer Mon, 07 Dec 2009 02:08:12 +0000 http://blog.labix.org/?p=230#comment-72524 Thanks David. Unfortunately, given the comments right above, it looks like he didn't read it yet. Gunter, you seem to blame Android for a problem that actually lies in the application itself. No matter how hard it is to disassemble an application (and trust me, other platforms aren't much harder than this), if the application security depends on not having the source code, the application is badly engineered. Using an obfuscator will just serve to prove that its security is not to be trusted. Following David's suggestion and reading some papers and articles by people like Bruce Schneier might be enlightening. Thanks David. Unfortunately, given the comments right above, it looks like he didn’t read it yet.

Gunter, you seem to blame Android for a problem that actually lies in the application itself. No matter how hard it is to disassemble an application (and trust me, other platforms aren’t much harder than this), if the application security depends on not having the source code, the application is badly engineered. Using an obfuscator will just serve to prove that its security is not to be trusted.

Following David’s suggestion and reading some papers and articles by people like Bruce Schneier might be enlightening.

]]> By: David Allouche http://blog.labix.org/2009/12/05/breaking-into-an-android-password-manager-practice/comment-page-1#comment-72511 David Allouche Sun, 06 Dec 2009 14:02:15 +0000 http://blog.labix.org/?p=230#comment-72511 Nice job Gustavo. I hope the author of this app will read some Bruce Schneier before making bold security claims the next time. Nice job Gustavo.

I hope the author of this app will read some Bruce Schneier before making bold security claims the next time.

]]> By: gbrors http://blog.labix.org/2009/12/05/breaking-into-an-android-password-manager-practice/comment-page-1#comment-72506 gbrors Sun, 06 Dec 2009 12:59:17 +0000 http://blog.labix.org/?p=230#comment-72506 Thank you for your good work. It shows how easy it is to manipulate and change the Java apps of Android, so it is useless trying to implement a copy protection or registration solution. I'm looking for a good obfuscator, as it might make it more difficult for hackers. I released version 1.2.0 of gbaSafe where the problem with the weak key is solved. Thank you for your good work. It shows how easy it is to manipulate and change the Java apps of Android, so it is useless trying to implement a copy protection or registration solution. I’m looking for a good obfuscator, as it might make it more difficult for hackers.
I released version 1.2.0 of gbaSafe where the problem with the weak key is solved.

]]>