Skip to content
Snippets Groups Projects
Select Git revision
  • f0536dc7ea2e56d50e64fa350aee84911b8a27ad
  • main default
  • feature/android_client
  • private/mw/android-client
4 results

mobile-sec-notifier

mobile-sec-notifier

Demo

  • Two chat participants [A]lice and [B]ob.
  • Send encrypted messages indirectly via the server between A and B.
  • A and B in distinct networks.

Usage

The default mode of operation requires:

  • A server
  • One python client in receiver mode
  • One android client in sender mode
  1. Start server with python server.py
  2. Start client
    • Python: python client.py MODE, where MODE is 0 (receiver) or 1 (sender)
    • Android:
      1. Set notification permissions if necessary.
      2. Enter IP address and port of server.
      3. Click Open communication
      4. Enter generated id_code in other client.
      5. Wait on connection.
      6. Done (Click Broadcast Test Notification)

Notes to usage:

  • Requires two clients, with one in sender mode and the other in reciver mode
    • The android client is also capable of receiving. Simply use the switch in the interface.
  • The android client can be started easily with Android Studio.
  • Otherwise, there is a built APK available in the folder releases/

Implemented:

  • Protocol
  • Server (python)
  • Python-Client
  • Android-Client

Prototype 1:

  • Python-Server & Python-Test-Client
    • Exchange messages server<->client using protobuf
  • Android-Client
    • Grab notifications
    • Communicate with grpc service
  • Create protocol

Prototype 2:

  • Python-Test-Client:
    • Register to server / authenticate at the server
    • Establish ephemeral key with target client
      • Client-to-client key exchange using RSA
    • Client-to-client encryption using AES
    • Exchange messages using AES with ephemeral key
  • Android-Client
    • Client message encryption using AES
    • Key exchange implementation / server authentication

Prototype 3:

TODO:

  • grpc secure connection, need certificate
  • BAD: Freshness is only 4 Byte
  • BAD: comm_id's are predictable and public
  • BAD: sequence numbers start at 0 and don't reset on connect/disconnect
  • don't die everytime something is wrong, just ignore the request
  • Search for "TODO" in the project sources
  • BAD: AES IV is public

Notes

  • No real use for the AD in AES AEAD
  • Add a pint of salt
  • Verify protocol transcript