The Curious Case of the Crypto App that Couldn’t Encrypt
Are you using the NQ Vault app to encrypt and protect files on your smartphone or mobile device? Well, you might want to think twice before you use it because it doesn’t do a good job of protecting your data.
With over 10 million downloads it must be a legit app, right? Not so fast. A hacker known as NinjaDoge24 has discovered that it’s relatively trivial to crack the “encryption” used by the app.
Encryption is hard, very hard!
Well, it’s difficult when you’re doing it correctly. For some unknown reason, a well-known file encryption app simplified the process by encrypting only the first 128 bytes. Even worse, it used XOR (exclusive or) with a single-byte key (input by the user) to encrypt those first 128 bytes.
Someone going by the online moniker NinjaDoge24 was able to crack the encryption in just three days with some simple programming skills. He set out to crack the “encryption” used by NQ Vault App and was able to do it without any major problems.
Where NQ Vault App Went Wrong
The makers of NQ Vault App obviously didn’t want to announce they were using such weak encryption because no one would have downloaded, installed and used the application. But by not revealing the weak security, they’re going to face a public relations nightmare.
Here’s a look at some of the accolades the app has garnered…
★ The most popular app with over 30 million users worldwide
★ CTIA – “The Best App of CTIA by the Techlicious 2012 Best of CTIA Awards”
★ PC Magazine – “PC Magazine Best Apps”
★ TRUSTe – Received “TRUSTe Privacy Seal”
★ Global Mobile Internet Conference App Space – “A top 50 app”
While NQ Mobile is at fault for using such a weak encryption method to secure data, it really makes you stop and think when they received rave reviews from PC Magazine, TRUSTe, and others. It is super simple to crack XOR encryption with an 8-bit key, because there are only 256 possible keys, especially if only the first 128 bytes are scrambled.
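To see what an app reviewer could have measured, here is an added example (not code from NQ Mobile, NinjaDoge24 or this article's sources) that models the scheme described above, XOR of the first 128 bytes with one byte, and audits the stored copy against a known test file. The function names, the sample file and the SHAKE-256 keystream used as a contrast case are all assumptions made for the illustration.

```python
import hashlib

HEADER_LEN = 128  # per the article: only the first 128 bytes are touched

def weak_vault_store(data: bytes, key: int) -> bytes:
    """Constructed model of the scheme described above, not NQ Mobile's code."""
    return bytes(b ^ key for b in data[:HEADER_LEN]) + data[HEADER_LEN:]

def keystream_store(data: bytes, secret: bytes) -> bytes:
    """Stand-in for real cipher output: XOR with a SHAKE-256 keystream.
    Used only as a contrast case; it is not a vetted file-encryption design."""
    stream = hashlib.shake_256(secret).digest(len(data))
    return bytes(b ^ s for b, s in zip(data, stream))

def audit(plain: bytes, stored: bytes) -> dict:
    """Compare a known test file with the copy an app wrote to storage."""
    masks = [p ^ s for p, s in zip(plain, stored)]
    changed = [i for i, m in enumerate(masks) if m]
    return {
        "changed_bytes": len(changed),
        "last_changed_offset": changed[-1] if changed else None,
        "unchanged_fraction": 1 - len(changed) / max(len(plain), 1),
        "distinct_xor_masks": len({masks[i] for i in changed}),
    }

def red_flags(report: dict) -> list:
    """Turn the measurements into findings an app reviewer can act on."""
    flags = []
    if report["unchanged_fraction"] > 0.5:
        flags.append("most of the file is stored byte-for-byte unchanged")
    if report["distinct_xor_masks"] == 1:
        flags.append("changed bytes share one XOR mask: only 256 possible keys")
    return flags

# Constructed 4 KiB test file standing in for a photo dropped into the vault.
SAMPLE = hashlib.shake_256(b"constructed sample file").digest(4096)

if __name__ == "__main__":
    for name, stored in [("weak", weak_vault_store(SAMPLE, 0x5A)),
                         ("keystream", keystream_store(SAMPLE, b"demo secret"))]:
        report = audit(SAMPLE, stored)
        print(name, report, red_flags(report))
```

Both findings fire for the weak model and neither fires for the keystream contrast, which is the kind of check the accolades listed above evidently never included.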
According to El Reg:
The company behind the app stands by its product, calling its security “appropriate,” and claiming that messages, chats, call logs and contact information is encrypted using AES with a 128-bit key – but that list doesn’t include pics and vids.
“Image and video files are stored in a format not readily readable by other applications and can only be viewed in Vault after entering the correct password on the device,” the company said in a statement.
“These standards are appropriate for the consumer use cases this application is meant for.”
NinjaDoge24’s findings have led to critical reviews of the app on the Google Play store.
Indeed. If you go to the Google Play store, you can see a flood of one-star reviews from people who are upset – and rightfully so.
What Are Your Alternatives?
As pointed out in the article from The Register, before you download and install any app, you should look to make sure the developers are open and honest about what encryption techniques are used. Here’s a short list of some other mobile apps for encrypting files.
- Kaspersky Security for Mobile – The fine folks at Kaspersky Security have patented a method for encrypting files. We’re pretty sure they’re not using XOR and 8-bit keys. According to a press release from 2013, “In order to recover passwords and keys for encrypted data, the Kaspersky Lab patented technology uses three independent factors: user ID, a mobile device ID and a random number.”
- Norton Mobile Security – According to the Norton Mobile Security User’s Guide, “Norton Mobile Security uses AES-256 FIPS 140-2-validated encryption algorithms to encrypt your data.” Yes, that’s a lot more secure than the NQ Vault method. Another cool feature is the ability to wipe data from the phone remotely in the event the phone or mobile device is stolen. The mobile security app also has some other features.
- F-Secure Mobile Security – While only available for Android OS smartphones and mobile devices, this is another alternative for securing files on your mobile devices. The app uses basic AES-256 encryption, which is better than that found in NQ Vault. The app even has cool anti-theft features, which came in handy for at least one person.
Know of others? Leave a comment below and let us know.
The SSL Takeaway
As always, you want to keep your eyes open and be aware. In the case of the NQ Vault app, it would have been easy to miss the warning signs with accolades and praise from PC Magazine and others. This is why it’s so important to do a little digging and research on your own before you blindly trust a piece of software – especially one that says it’s going to protect your data.
Another thing to think about is the safety and security of data flowing to and from your web server. From the slight SEO boost when using HTTPS to the many other benefits of SSL, it’s a good idea to encrypt any and all public websites you have online. Luckily, SSL.com makes that easy and affordable. To start with, you can check out the basic SSL certificates we have for sale.