
Popular Android security app uses worthless encryption method


Reefa


New information has shown that one of the more popular security suites available for Android and iOS is so fundamentally compromised, its claims constitute false advertising. That software suite, NQ Vault, promises, “All files will be encrypted into a private place and can only be viewed in Vault after entering the correct password (iOS version).” The Android version, available in the Google Play Store, states, “Vault hides and encrypts all incoming message alerts and text messages from those contacts for maximum privacy.”

Programmer and blogger NinjaDoge24 decided to test NQ Vault’s claims and discovered that the utility only encrypts data using a simple XOR substitution. Even worse, it doesn’t even bother to encrypt the entire file — only the first 128 bytes are encrypted. In some cases, encrypting the first 128 bytes of a file might break a utility’s ability to display the content. But many media container standards and playback software are sophisticated enough to skip over damaged blocks, or reconstitute the missing information by parsing the rest of the data.

Understanding XOR

XOR is defined as a bitwise operation, meaning it is performed on individual bits of information. XOR is a simple operation that compares two sets of values. If both values are the same (two zeroes or two ones, in binary code), then the output is a 0. If the two values are different (0 and 1), then the output is 1. The table below shows how the XOR operation can be used to generate a new set of values.

[Image: XOR truth table]

    A  B  A XOR B
    0  0  0
    0  1  1
    1  0  1
    1  1  0

Malwarebytes has published a blog entry that walks through how to perform an XOR encryption. It’s a straightforward process — every letter to be encrypted is XOR’d against a preselected cryptographic key. The problem with NQ Vault’s software isn’t that it uses XOR; XOR is actually an important component of multiple cryptographic standards. The problem with NQ Vault is, it’s only using XOR, and it’s using it in a manner that’s trivial to crack.

Choosing longer encryption keys, as NQ Vault allows, does not help. Choose “000” for a password, and the first 128 bytes are secured with a key value of “30.” Choose a password of 4815162342, and the code value returned is “cc.” This indicates there are just 255 potential XOR values that NQ Vault is using to “encrypt” its data.

The upshot of all this is that breaking NQ Vault’s security is trivial. Really, really trivial. A group of people could do it given some time, while a modern computer can crack it in less time than it takes to write the cracking code (NinjaDoge24 has thoughtfully contributed his efforts in this regard).
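The following is an added illustration, not code from the article or from NinjaDoge24, of why a scheme like the one described above is not encryption: it models a single key byte XORed over only the first 128 bytes (how NQ Vault derives that byte from the password is not known from the text and is treated as an assumption), then shows that a defender auditing such a file can confirm the weakness by checking the 255 candidate keys against well-known file headers, and that everything past byte 128 was never touched.

```python
# Added example modelling the weakness described in the text. The real key
# derivation is unknown here; the key is simply taken as one byte (assumption).
HEADER_LEN = 128  # the article says only the first 128 bytes are touched


def vault_xor(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR to the first HEADER_LEN bytes; leave the rest as-is.

    XOR is its own inverse, so calling this twice with the same key restores data.
    """
    head = bytes(b ^ key for b in data[:HEADER_LEN])
    return head + data[HEADER_LEN:]


# Leading bytes of a few common file types. A file "encrypted" with a single
# key byte betrays its own key as soon as any of these is known to the auditor.
MAGIC = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}


def recover_key(blob: bytes):
    """Try every non-zero key byte (255 candidates) and return (key, type) on a
    magic-header match, or None if no known header fits."""
    probe_len = max(len(m) for m in MAGIC.values())
    for key in range(1, 256):
        head = bytes(b ^ key for b in blob[:probe_len])
        for name, magic in MAGIC.items():
            if head.startswith(magic):
                return key, name
    return None


def tail_untouched(plain: bytes, blob: bytes) -> bool:
    """True if everything after the first HEADER_LEN bytes is identical, i.e.
    the bulk of the file was stored in the clear."""
    return plain[HEADER_LEN:] == blob[HEADER_LEN:]


# Constructed sample: a JPEG-like header followed by 256 bytes of body data.
SAMPLE = b"\xff\xd8\xff\xe0" + bytes(range(256)) + b"constructed tail"


if __name__ == "__main__":
    blob = vault_xor(SAMPLE, 0x30)  # 0x30 is the key the article reports for "000"
    print("recovered:", recover_key(blob))          # (48, 'jpeg')
    print("tail in the clear:", tail_untouched(SAMPLE, blob))  # True
```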

Failures at every level

There’s plenty of blame to go around here. NQ Vault is blatantly misrepresenting its product. This application isn’t secure for any sane definition of the word. Encryption methods you can break on pen and paper aren’t “encryption” — a word that NQ Vault uses in both the iOS and Android versions of its application. The fact that the company has the gall to charge for a premium application (even if it’s just $7.99 per year) only makes the situation worse.

[Image: NQ Vault screenshot]

NQ Vault has a long, storied history as a scam company and fraudulent operator. Both are facts that should have required additional reviews of any software it submitted to the Google Play Store. The company has fraudulently misrepresented the capabilities and security of its products, and while Google is notoriously bad at gatekeeping compared with Apple, some degree of due diligence should be applied to products that represent themselves as security software.

Some will argue that the fact that NQ Vault provides some level of security should shield it from criticism. We reject this reasoning. NQ Vault represents itself repeatedly as offering secure encryption and data storage. It does not disclose that the level of security it provides could be broken in a matter of seconds by anyone with the most basic understanding of cryptography, or that it fails at even minimal best practices. It’s also not the first time the company has been in trouble.

Security software for mobile phones continues to be a very dubious proposition. Last year, popular antivirus application Virus Shield was proven to be completely fake, performing absolutely no antivirus scans or protection whatsoever. NQ Vault may not be quite that bad — but it’s bad enough to be worth stripping from the Google Play Store and dumping the product.

http://www.extremetech.com/computing/202718-popular-android-security-app-uses-worthless-encryption-method