

freitasm


#171096 6-Apr-2015 13:51

It just happens NQ Vault encryption is an XOR operation and only of the first few bytes.

Not only that but "experts" gave praise to this crap (from the app's Google Play page):

 

  • The most popular app with over 30 million users worldwide
  • CTIA - "The Best App of CTIA by the Techlicious 2012 Best of CTIA Awards"
  • PC Magazine - "PC Magazine Best Apps"
  • TRUSTe - Received "TRUSTe Privacy Seal"
  • Global Mobile Internet Conference App Space - "A top 50 app"

Security snake oil... Not linking to the app page because who needs to give this any more links?






nzgeek


  #1277876 6-Apr-2015 14:59

I read the write-up by the guy who broke the encryption (not that there was much to break). It really is quite laughable, as no matter what PIN you enter or how long it is, it will take a maximum of 256 attempts to break. And given that only the first 128 bytes are "encrypted", you may not even need to "break the encryption" to get at the good stuff.

Looking at those awards and commendations, most of them are complete bupkis anyway. The only one that should mean anything is TRUSTe, and if they can't pick up such obvious snake oil then it casts everything bearing their seal into serious doubt.



nzgeek


  #1277888 6-Apr-2015 15:36

Just following on from what I wrote above, I've done a bit of a check to see if I can find out anything more about the app, particularly if better encryption is used when you pay for the premium version. There's absolutely no credible information out there at all. I've found a single app review that mentions 128-bit AES encryption, and the only correct bit of that is the number 128.

What I did find was quite some number of "top app list" articles that include NQ Mobile Vault, mostly dating from 2012. It looks like the entire security check in pretty much every review consists of "When I protect the file it disappears, and when I unprotect it the file comes back." No real analysis, just a few vague words from people who probably think that Twofish is something you catch with a rod and reel.

If you want to use a file encryption app, make sure you choose one that tells you how the files are protected. Look for well-known algorithms like RSA, AES (Rijndael), Blowfish, Twofish, IDEA, or 3DES (TripleDES). Ignore anything that doesn't say what it uses, or which says that it uses a "proprietary" algorithm. The only things that should be secret are your passphrase and the files.
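
Added example, not part of the posts above and not the app's code: a black-box check a reviewer could run on a known test file and its "protected" copy, going one step beyond "the file disappears and comes back". `toy_vault_protect` models the scheme only as this thread describes it (one XOR byte over the first 128 bytes); `keystream_protect` is a whole-file contrast case, not a recommended cipher; all names, the sample file and the 5% threshold are assumptions.

```python
import hashlib

HEADER_LEN = 128                      # thread: only the first 128 bytes are "encrypted"
SAMPLE = bytes(range(256)) * 16       # constructed 4096-byte test file

def toy_vault_protect(data: bytes, key_byte: int) -> bytes:
    """Scheme as described in the thread: XOR one byte over the header only."""
    head = bytes(b ^ key_byte for b in data[:HEADER_LEN])
    return head + data[HEADER_LEN:]

def keystream_protect(data: bytes, passphrase: bytes) -> bytes:
    """Contrast case: XOR the whole file with a SHAKE-256 keystream (stand-in only)."""
    ks = hashlib.shake_256(passphrase).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def audit(original: bytes, protected: bytes) -> dict:
    """Compare a known file with its protected form, byte by byte."""
    n = min(len(original), len(protected))
    diff = bytes(a ^ b for a, b in zip(original[:n], protected[:n]))
    changed = [i for i, d in enumerate(diff) if d]
    unchanged_ratio = 1 - len(changed) / n if n else 1.0
    masks = {diff[i] for i in changed}   # distinct XOR differences observed
    # Fail if most of the file is untouched, or if every changed byte
    # differs by the same value (at most 256 possible keys).
    weak = unchanged_ratio > 0.05 or len(masks) <= 1
    return {
        "unchanged_ratio": unchanged_ratio,
        "last_changed_offset": changed[-1] if changed else None,
        "constant_xor_mask": len(masks) == 1,
        "verdict": "FAIL" if weak else "pass",
    }

if __name__ == "__main__":
    print("toy vault :", audit(SAMPLE, toy_vault_protect(SAMPLE, 0x5A)))
    print("keystream :", audit(SAMPLE, keystream_protect(SAMPLE, b"test passphrase")))
```

A "pass" here only means the output did not show these two obvious faults; it says nothing about key derivation, mode of operation or integrity protection.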

Rikkitic

  #1277895 6-Apr-2015 16:06

This is way after my time, but many many moons ago I developed some early anti-virus software, which resulted in my getting a gig doing security software reviews for a local PC mag (this was in Europe).

At that time viruses were just entering the news in a big way and there was the usual hysterical running in circles by companies like our local telecom and others with IT departments. There was also a corresponding rush by ‘security’ companies to bring out products to address these issues. This was still in the days of MS DOS and I was fairly adept with Assembly (not common even then), which gave me insight into systems-level programming tricks and the ability to see what software programmed in higher languages was actually doing at the machine level.

As a result, I produced some pretty scathing reviews of some much-hyped security software. I remember one very upset importer of a Russian product, who accused me in an angry letter to my editor of not knowing what I was talking about. Since I could see and follow the actual hex code I was able to come back with a detailed, point-by-point rebuttal that also made clear that the product’s advertising was full of outright lies. For example, the packaging loudly proclaimed that the product did not use virus signatures, but some new magical algorithm instead. Yet I could see the (unencrypted) list of signatures in the database code, and they weren’t even very good. I also demonstrated that the program was missing two-thirds of the viruses it was supposed to detect.

Yet this and other similar products received rave reviews from other publications. I soon realised that the reviewers had no understanding of code and truly no idea what they were talking about, and in desperation they were quoting each other to make it seem like there was some kind of consensus. I find it amusing to see that nothing has changed since that time.







Plesse igmore amd axxept applogies in adbance fir anu typos

 


 

