Review and possibly add tools of paranoiaworks #236

New Issue

2017-06-20T15:48:37Z

haroon-ali commented

2017-06-20 15:48:37 +00:00

(Migrated from github.com)

Hi,
Could you review the encryption tools & apps of http://www.paranoiaworks.mobi/download/ ?
I can find them very useful. They have steganography, file & text encryption, password manager and support multiple platforms. It's open source and free for most of the functions and supports many ciphers/algorithms.
But I am not sure how secure/private they actually are.

Hi, Could you review the encryption tools & apps of http://www.paranoiaworks.mobi/download/ ? I can find them very useful. They have steganography, file & text encryption, password manager and support multiple platforms. It's open source and free for most of the functions and supports many ciphers/algorithms. But I am not sure how secure/private they actually are.

dnguyen01 commented

2017-06-21 14:57:42 +00:00

(Migrated from github.com)

Note, I have not used any of their applications. Anyways, from top to bottom. My opinion is that it's a side project that someone wrote in their free time but hasn't had time to keep it alive or the project isn't quite serious with it yet. The evidence is quite clear in many locations.

Website & Program:

Looks hideous and could use lots of work
Downloads for their application (not from the App Store) are served over regular HTTP; so all their "source code" files and executable can easily be changed via MITM attacks
Downloads are not signed with any GPG and use MD5 for hashing; again no idea if the files are original and haven't been tampered with
Documentation & FAQs are very sparse, doesn't explain much to the user except how to use it. You would have to jump into the code to figure this out, which I guarantee most won't do.
No real patch notes, release dates, or bug fixes; no where to report bugs
No real "About" or "Contact Us" page where we can contact them or learn who they are and why they built this or even give them feedback ...

Other:

Only mention of this program is in the App Store or Play Store where it can be downloaded (Versus, you can see a mention of Signal, Wire, etc everywhere).
Doing a quick search returns this (https://www.wilderssecurity.com/threads/how-trustworthy-are-paranoia-works-mobile.390158/) a post from Wilders Security Forums, which I consider better than Play Store/App Store reviews ... which is from 2016 and no one knows who, how, what, where, etc?
A post from (https://crypto.stackexchange.com/questions/29100/encrypt-with-one-cipher-and-decrypt-with-a-different-cipher) discusses their algorithm designs and it's questionable. If you know a bit of security on a technical level, there is a BIG alert when one of the posters said this:

"It uses a static IV but this is offset by a random header that is included into the encryption."

Why is this a mess? The IV is the initialization vector (https://en.wikipedia.org/wiki/Initialization_vector), aka a random variable that is used to achieve your security. Even from the Wikipedia page, the first 2 lines say this:

"In cryptography, an initialization vector (IV) or starting variable (SV)[1] is a fixed-size input to a cryptographic primitive that is typically required to be random or pseudorandom. Randomization is crucial for encryption schemes to achieve semantic security, a property whereby repeated usage of the scheme under the same key does not allow an attacker to infer relationships between segments of the encrypted message. "

So in conclusion, it's very sketchy and from a security perspective, they're not serious enough and from a snippet, probably a nighmare. We don't know who they are, what their intentions or their program is for, why they built it, how they go about doing it and how we are suppose to help them improve it, when they built it and when they will get serious ...

Recommendation? No. Get me the hell away from this.
Improvements? Everything. Tell me when they're serious about security and when they have a feedback area.

Note, I have not used any of their applications. Anyways, from top to bottom. My opinion is that it's a side project that someone wrote in their free time but hasn't had time to keep it alive or the project isn't quite serious with it yet. The evidence is quite clear in many locations. Website & Program: - Looks hideous and could use lots of work - Downloads for their application (not from the App Store) are served over regular HTTP; so all their "source code" files and executable can easily be changed via MITM attacks - Downloads are not signed with any GPG and use MD5 for hashing; again no idea if the files are original and haven't been tampered with - Documentation & FAQs are very sparse, doesn't explain much to the user except how to use it. You would have to jump into the code to figure this out, which I guarantee most won't do. - No real patch notes, release dates, or bug fixes; no where to report bugs - No real "About" or "Contact Us" page where we can contact them or learn who they are and why they built this or even give them feedback ... Other: - Only mention of this program is in the App Store or Play Store where it can be downloaded (Versus, you can see a mention of Signal, Wire, etc everywhere). - Doing a quick search returns this (https://www.wilderssecurity.com/threads/how-trustworthy-are-paranoia-works-mobile.390158/) a post from Wilders Security Forums, which I consider better than Play Store/App Store reviews ... which is from 2016 and no one knows who, how, what, where, etc? - A post from (https://crypto.stackexchange.com/questions/29100/encrypt-with-one-cipher-and-decrypt-with-a-different-cipher) discusses their algorithm designs and it's questionable. If you know a bit of security on a technical level, there is a BIG alert when one of the posters said this: "It uses a **static** IV but this is offset by a random header that is included into the encryption." Why is this a mess? The IV is the initialization vector (https://en.wikipedia.org/wiki/Initialization_vector), aka a random variable that is used to achieve your security. Even from the Wikipedia page, the first 2 lines say this: "In cryptography, an initialization vector (IV) or starting variable (SV)[1] is a fixed-size input to a cryptographic primitive that is typically required to be random or pseudorandom. Randomization is crucial for encryption schemes to achieve semantic security, a property whereby repeated usage of the scheme under the same key does not allow an attacker to infer relationships between segments of the encrypted message. " So in conclusion, it's very sketchy and from a security perspective, they're not serious enough and from a snippet, probably a nighmare. We don't know who they are, what their intentions or their program is for, why they built it, how they go about doing it and how we are suppose to help them improve it, when they built it and when they will get serious ... Recommendation? No. Get me the hell away from this. Improvements? Everything. Tell me when they're serious about security and when they have a feedback area.

👍 2

Hillside502 commented

2017-06-21 16:52:05 +00:00

(Migrated from github.com)

@dnguyen01
Other than an email address at the foot of:-
http://www.paranoiaworks.mobi/download/
I fully agree!

@dnguyen01 Other than an email address at the foot of:- http://www.paranoiaworks.mobi/download/ I fully agree!

kewde commented

2017-07-05 16:15:52 +00:00

(Migrated from github.com)

The IV is offset by a random header which may give it enough randomness, but I don't know the full extent of the application. Everyone else uses a CSPRNG to generate the IV, I think we'll close this issue.

Thank you @dnguyen01

The IV is offset by a random header which may give it enough randomness, but I don't know the full extent of the application. Everyone else uses a CSPRNG to generate the IV, I think we'll close this issue. Thank you @dnguyen01

This repo is archived. You cannot comment on issues.