How does Signal app prevent QRLjacking when linking desktop to mobile? - security

I am trying to implement linking of the desktop app to the mobile counterpart for my project. The assumption is that the mobile app is secure and the desktop app simply needs to link the session to mobile for convenience.
In my research I came across the QRLjacking exploit. It is a social engineering exploit that isn’t much different from getting users to reveal their passwords.
The interesting thing is that the Signal app does not appear to be vulnerable to the QRLjacking exploit, despite the fact that they too link the desktop to mobile via QR code.
I am trying to figure out what secret sauce Signal applies. Luckily, the code is here: https://github.com/signalapp/Signal-Desktop
Based on my analysis, here is what I think they do:
1. The user registers the mobile device. The device sends signed pre-keys to the Signal server.
2. The user can chat with other Signal users using the end-to-end encrypted protocol, but what is more interesting to me is how they prevent the QR vulnerability when linking to desktop.
3. The user installs the desktop app. First thing to note is that it is a JavaScript app packaged using Electron. This makes it difficult to use in social engineering techniques. The installation package can be signed and verified to be trusted.
4. Upon installation, the desktop app generates the pre-keys and sends them to the server.
5. The desktop uses its own public key to check with the server if it is linked to mobile. If not, proceed to step 6.
6. Send the public key to the server under a UUID key. The server stores it. The UUID is used for the QR code.
7. The user lifts up his mobile device and scans the QR code with the Signal app.
8. The mobile app uses the QR code to download the desktop app's public key.
9. The mobile app sends an encrypted confirmation message to the desktop app, which the desktop app verifies using its private key.
10. The desktop app asks the user to name this desktop app; typically this is the name of the host it is running on. The desktop app sends this message to the mobile (encrypted, of course).
11. On the mobile, the linked device now shows up. At any time the user can remove the linked device, which becomes immediately known to the desktop.
I do not believe the server is used to retain messages at all. I think the desktop synchronizes with mobile on-demand.
In summary, the QRLjacking exploit is mitigated by Signal in the following manner:
The app is not browser-based and is instead installed. The installation package can be signed and verified with a certificate.
The desktop app can also securely store keys locally, not on the server. That makes it difficult to pursue a social engineering attack since that would require physically taking over the machine the desktop app is running on.
Is my analysis correct?
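The exchange the question describes (the desktop publishes its public key under a UUID, the phone reads the UUID from the QR code, fetches the key and returns an encrypted confirmation) can be sketched as follows. This is an added example, not part of the original post and not Signal-Desktop code; the function names, the in-memory `server` map and the choice of X25519 with HKDF and AES-256-GCM are all assumptions made for illustration.

```javascript
// Added illustration; every name here is hypothetical, not Signal-Desktop code.
const crypto = require('node:crypto');

const server = new Map(); // stands in for the server: UUID -> desktop public key (DER)

// Desktop: create a key pair and publish the public half under a fresh UUID.
function desktopStartLink() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('x25519');
  const uuid = crypto.randomUUID();
  server.set(uuid, publicKey.export({ type: 'spki', format: 'der' }));
  return { uuid, privateKey }; // uuid goes into the QR code; privateKey stays local
}

// Derive an AES-256-GCM key from the X25519 shared secret, bound to the UUID.
function sessionKey(privateKey, publicKey, uuid) {
  const secret = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.from(uuid), 'link-confirm', 32));
}

// Mobile: look up the scanned UUID and encrypt a confirmation to the desktop key.
function mobileConfirm(uuid, message) {
  const der = server.get(uuid);
  if (!der) throw new Error('unknown or expired link UUID');
  const desktopPub = crypto.createPublicKey({ key: der, type: 'spki', format: 'der' });
  const eph = crypto.generateKeyPairSync('x25519'); // one-time key for this message
  const key = sessionKey(eph.privateKey, desktopPub, uuid);
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(message, 'utf8'), c.final()]);
  const ephPub = eph.publicKey.export({ type: 'spki', format: 'der' });
  return { ephPub, iv, body, tag: c.getAuthTag() };
}

// Desktop: open the confirmation; returns null unless this private key matches.
function desktopVerify(uuid, privateKey, env) {
  try {
    const ephPub = crypto.createPublicKey({ key: env.ephPub, type: 'spki', format: 'der' });
    const key = sessionKey(privateKey, ephPub, uuid);
    const d = crypto.createDecipheriv('aes-256-gcm', key, env.iv);
    d.setAuthTag(env.tag);
    return Buffer.concat([d.update(env.body), d.final()]).toString('utf8');
  } catch {
    return null; // wrong key or tampered message fails GCM authentication
  }
}
```

The confirmation can only be opened by whoever holds the private key behind the scanned UUID. The check does not tell the phone which screen displayed the QR code, which is why the device name and the option to remove a linked device remain the user-facing controls.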

Related

Can the user TPM be accessed through javascript in the browser?

I heard the TPM can be used for DRM purposes. But currently is there a way to access this module through the browser, or is it simply for native applications?
The only thing I came across searching was tpm-js, but this tutorial seems to be for js running outside the browser.
Has there been a demonstration of TPM access to identify users through the browser?

What are the different ways you can communicate with USB port through Browser

I want to create a webpage that will access the USB port of the client. The intent is to configure the hardware connected to the USB port. I can do a desktop application because the configuration option is different for different hardware connected, and I need to pull this code dynamically from the server. I am not a web programmer. It will be great to find the best way to do this.
It ends up that I am attempting to write an app that performs something similar. What I am doing, instead is writing both the web server and the web page. Use something simple, like DLib for the web server, to serve the data to the end user.
This is how it works:
The web server handles the USB connection. If written in C++ or some other native language, you will have much more control over the device. The web page is then loaded from the web server that you have written. In the web page, you can have some sort of javascript worker, etc. to constantly pull new data from the server and push data from the web interface to the USB device. This also adds a layer of protection because you can ensure that the user has not made any modifications to the web page.
The main drawback to this possibility is that you will be required to install the server on the client's machine. However, this can be circumvented by writing this as an applet that can be embedded within the page!
It is possible to write a browser plugin that communicates with USB devices. An example of an app that does that is MyTrezor.com, but unfortunately I don't think you can see the source of their plugin.
Another option might be to use the chrome.usb or chrome.serial Javascript API, but this means your app would only work in Google Chrome, and it would have to be installed as a Chrome packaged app, a special thing that looks more like a native app than a web page.

How do I get the Firefox OS device id?

I want to store data on the server and keep it segmented for each phone.
How do I get a device's UID number?
Per Mozilla's Device Model Inclusion Requirements, device makers and operators are strongly discouraged from adding a device identifier to the Firefox OS User Agent.
You should generate your own UID for each device that installs and runs your app, store it on your server and locally with either the Device Storage API (for privileged or certified app) or Web Storage (for un-privileged, un-certified app), and use your UID to segment and synchronize per-device data on your server.
As per this thread, there does not seem to be an API for getting the Device ID. I am not qualified enough to state if this still holds true.
Firefox OS also provides a list of Device Settings for privileged Apps but it looks like Device Id is not one of them. Take a look at this Settings list.
It's not meant to be used this way but you can use the window.location.host when your app is running to differentiate phones. The URL is a GUID that will be generated per app install, so it's different on different phones.
Since it seems to be impossible to get the UID of a device with the current API, you could create one yourself. Just generate a unique value on the server, pass it to the client app and store it using the Storage API. Then use it each time you need this UID. This way you can also implement your own security policy for preventing "stealing" of the UID by other clients (you can control the length of the UID, change it from time to time etc).

Windows Phone 7 Security Issues

I was looking into OWASP Top 10 Mobile Risks for security issues to be kept in mind while developing mobile applications. They have given very good information pertaining to Android and iOS platforms. Some notable ones include Client Side Injections, iOS Abusing URL Schemes, Android-Abusing Intents, Keystroke logging, Screenshots/iOS Backgrounding, Logs etc.
These were very useful and now I want to know if there are any new vulnerabilities that exist in Windows Phone 7, which were not present in Apple iOS and Google Android.
My requirement is, I need to build somewhat like a Damn Vulnerable WP7 App to educate the WP7 developers in my project to build secure applications for our clients.
OWASP has already built iGoat (iOS application) and DroidGoat (Android application) for the sake of iOS and Android developers. I don't see any such application for Windows Phone 7.
Currently WP7 appears to be a very secure OS. Whilst I am sure it has vulnerabilities, these have not been exploited yet. Interestingly AVG released an anti-virus / malware app for WP7. This was pulled from the marketplace because it didn't actually do anything since there are no viruses for the phone yet!
http://www.winrumors.com/microsoft-pulls-avg-antivirus-windows-phone-app-from-the-marketplace/
There has been a recent SMS flaw discovered:
http://nakedsecurity.sophos.com/2011/12/14/windows-phone-7-5-susceptible-to-sms-hack/
Having said that, there is still a need to educate developers about security. You can of course build an application which has its own security vulnerabilities by failing to protect the users data for example.
if there are any new vulnerabilities that exist in Windows Phone 7
Actually, I dare say there ain't any old ones either. Most of the security issues on Android are caused by the ability to change the system 110%. Windows Phone doesn't have intents, doesn't allow process inspection, or access to the raw file-system.
As Colin said, the security issues that can occur are related to data handling. For instance, the isolated storage can be inspected by jailbreaking the device, and as such you can read out unencrypted passwords (or other personal data) from the isolated storage.
However, to jailbreak a device, you need physical access to it. And you can't remotely install an application for inspecting the isolated storage, even if the device was jailbreak'd. It can only be done by USB.

How are web site passwords encrypted by browsers?

What are some platform-specific APIs that web browsers use to securely save passwords with reversible encryption on local systems?
Since they must be able to reproduce the exact characters to pass up to a web site, the data can't be a one-way hash. My initial thought is there are system methods which utilize your current authentication data to perform encryption/decryption, but do not give access to applications to read it (your system login data) directly. I'm wondering what these are on different platforms (Windows, Linux, OS X) and how well they protect the information if the hard drive is accessed directly; i.e. a stolen laptop hard drive is placed into another computer or analyzed via a Live CD.
Here's how Google Chrome does it. Looks like they use CryptProtectData on Windows.
