[guardian-dev] PGP supported in Android Email app

Tom Ritter tom at ritter.vg
Fri May 2 16:24:13 EDT 2014


On 2 May 2014 13:15, Hans-Christoph Steiner <hans at guardianproject.info> wrote:
>
> I couldn't get that APK to download, anyone else?  Can it be posted elsewhere?
> You might be able to see some interesting links by uploading it to
> https://androidobservatory.org/

I was - you may need to use a 'fancy' browser, like a non-Tor-ed
Chrome to get MEGA to work. Not sure though, I'd think it'd work for
others.

Thanks for this, and for saving me from having to JAD it myself. :)

This is my 5-minute hit-list
 - Manifest File is... binary?  Pain in the butt, here it is:
https://gist.github.com/tomrittervg/52095aad83b06f2c6dd4
   That is a lot of stuff.  Lot of attack surface.
 - BouncyCastle Java library for PGP
 - Looks like it's using the sdcard for a lot of stuff, which is scary:
   public static final String DOWN_FILEPATH =
Environment.getExternalStorageDirectory() + "/Download";
   public static final String PGPHOMEPATH =
Environment.getExternalStorageDirectory() + "/openpgp";
 - Looks like they keep KeyIDs in some sort of database, and while
they have parameterized queries in one place, I'm not sure about
everywhere...[0]
 - I'm not certain at all, but signs point towards them supporting
PGP/MIME, and not inline...? [1]

Anyway, I couldn't spend a lot of time looking at it, so nothing here
is definitive, except that there's definitely a lot of PGP 'stuff'
happening.

I don't suppose Samsung makes their apps open source?  This might be
an interesting base to audit and build on....

-tom



[0]:
if (this.mFlag == 268439825)
    {
      Vector localVector = (Vector)paramObject;
      String[] arrayOfString = { "c_key_id", "c_email_id", "c_user_name", "c_expiry", "c_is_default" };
      String str = "( c_expiry > '" + l + "' OR " + "c_expiry" + "= '0')" + " AND ( " + "c_creation" + " < " + "'" + l + "' OR " + "c_creation" + "= '0') ";
      int i = 0;
      if (i < localVector.size())
      {
        if (i == 0)
          str = str + " AND ( c_key_id in ('" + localVector.elementAt(i) + "'";
        while (true)
        {
          i++;
          break;
          if (i == -1 + localVector.size())
            str = str + " ,'" + localVector.elementAt(i) + "' ))";
          else
            str = str + " ,'" + localVector.elementAt(i) + "'";
        }
      }

[1] if ((!str5.contains("multipart/encrypted")) ||
(!str5.contains("application/pgp-encrypted")))
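
The concatenated WHERE clause in [0], next to a parameterized form of the same lookup, as an added example that is not part of the original post or of the app's code. Python's sqlite3 stands in for Android's SQLite here; the table name pgp_keys, its schema, the sample rows and the timestamp are constructed assumptions, and only the column names come from [0].

```python
import sqlite3

COLUMNS = "c_key_id, c_email_id, c_user_name, c_expiry, c_is_default"

def make_db():
    # Constructed sample table; schema is assumed from the column names in [0].
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pgp_keys (c_key_id TEXT, c_email_id TEXT,"
               " c_user_name TEXT, c_expiry INTEGER, c_creation INTEGER,"
               " c_is_default INTEGER)")
    db.executemany("INSERT INTO pgp_keys VALUES (?,?,?,?,?,?)", [
        ("AAAA1111", "alice@example.org", "Alice", 0, 0, 1),
        ("BBBB2222", "bob@example.org", "Bob", 0, 0, 0),
    ])
    return db

def lookup_concatenated(db, now, key_ids):
    # Same shape as the decompiled code: values are pasted into the SQL text.
    where = ("( c_expiry > '%s' OR c_expiry= '0') AND"
             " ( c_creation < '%s' OR c_creation= '0') " % (now, now))
    quoted = " ,".join("'" + k + "'" for k in key_ids)
    where += " AND ( c_key_id in (" + quoted + " ))"
    sql = "SELECT " + COLUMNS + " FROM pgp_keys WHERE " + where
    return db.execute(sql).fetchall()

def lookup_parameterized(db, now, key_ids):
    # One "?" per key id; the SQL text is fixed and values travel separately.
    if not key_ids:
        return []
    marks = ",".join("?" for _ in key_ids)
    sql = ("SELECT " + COLUMNS + " FROM pgp_keys"
           " WHERE (c_expiry > ? OR c_expiry = 0)"
           " AND (c_creation < ? OR c_creation = 0)"
           " AND c_key_id IN (" + marks + ")")
    return db.execute(sql, [now, now, *key_ids]).fetchall()

if __name__ == "__main__":
    db = make_db()
    now = 1399062253                  # constructed timestamp
    odd_id = "x') OR ('1'='1"         # constructed key id containing quotes
    # Concatenated form: the quotes rewrite the WHERE clause, every row matches.
    print(len(lookup_concatenated(db, now, [odd_id])))
    # Parameterized form: the same value is compared as data, nothing matches.
    print(len(lookup_parameterized(db, now, [odd_id])))
```

On Android the same separation is what the selection and selectionArgs arguments of SQLiteDatabase.query() provide.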

