I'll echo Tom: It's relatively easy and a good learning exercise to pick apart mobile apps and see what they're doing. On that note, here's some source generated from the Wickr Android app class files using jd-gui: http://saweis.net/files/wickr.src.zip
That doesn't include a native library that comes in the APK, which appears to be used for the core crypto. In that library, I see an "aes_encrypt" function that uses ECB mode and an "aes_encrypt_improved" that uses CTR. I don't see any authentication for CTR mode. I also don't see a safe padding mode used with RSA.

On Tue, Jun 10, 2014 at 2:03 PM, Tom Ritter <[email protected]> wrote:
> I just want to jump in and mention again that it's entirely possible to pick apart applications written for Android, iPhone, Windows, Mac, etc. and understand how they operate. Going even deeper than just 'what they store on disk' and 'what they send on the wire'. It requires a little bit of technological know-how, but places one could look for that expertise are organizations' technologists, the computer security group at one's university, many of the people on this mailing list, groups like Citizen Lab, and just following tutorials online and learning it yourself.
>
> The 'Trust but Verify' applies to open source, closed source, and that window of 'open source but distributes binaries e.g. through the play store'.
-- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
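The "no authentication for CTR mode" finding above, as an added illustration that is not Wickr's code and not from the thread: the same one-bit change in transit is applied to plain AES-CTR and to AES-GCM (CTR plus an authentication tag), using Go's standard library and a constructed demo key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// tamperTest encrypts plaintext with plain AES-CTR (no MAC) and with AES-GCM
// (CTR plus a tag), flips the first bit of each ciphertext in transit, and
// decrypts: it returns what the CTR receiver accepts and whether GCM refused.
func tamperTest(key, plaintext []byte) (ctrOut []byte, gcmRejected bool, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, false, err
	}
	// CTR is keystream XOR: a ciphertext bit flip flips the same plaintext bit.
	iv := make([]byte, aes.BlockSize)
	if _, err = rand.Read(iv); err != nil {
		return nil, false, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)
	ct[0] ^= 0x01
	ctrOut = make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(ctrOut, ct)
	// GCM: the same flip breaks the tag, so Open returns an error, no plaintext.
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, false, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, false, err
	}
	sealed := gcm.Seal(nil, nonce, plaintext, nil)
	sealed[0] ^= 0x01
	_, openErr := gcm.Open(nil, nonce, sealed, nil)
	return ctrOut, openErr != nil, nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key, not a real one
	out, rejected, err := tamperTest(key, []byte("hello world"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("CTR receiver got %q; GCM rejected tampering: %v\n", out, rejected)
}
```

The CTR receiver decrypts "iello world" with no error, while GCM's Open fails the tag check and returns nothing; an encrypt-then-MAC construction over CTR would detect the change the same way.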
