Welcome to cryptochat. When you enter your password and confirm, you will be redirected to your channel.
INFO:
The app prevents anyone who does not know the password from reading your messages.
It also defeats classic keyloggers installed in the keyboard or in the browser/webview (it uses its own on-screen keyboard, see point 4).
However, it cannot prevent:
metadata - when and with whom you are talking (size and timing of requests)
[this can be mitigated by using I2P, a VPN or Tor] (todo: always send packets of the same size)
keylogging - by camera (reflections, viewing angle) or by the gyroscope sensor
[this is easy for apps that run in the background and have access to one of the cameras or to the gyroscope]
getting the password - by a DMA attack (reading it from RAM or the CPU)
[this is hard to achieve: the phone must be rooted, or the attacker must know another exploit that gives root access]
getting the password - by manipulating the system WebView to read the app's variables and send them out
[this is possible if the attacker already controls your phone anyway, or if he installs a custom browser and sets it as the system WebView;
you can spot a changed WebView by going to Settings and typing "web": the third entry is "WebView implementation" (a developer option, which should stay disabled)]
1. Your channel is found by your ability to decrypt a random string that was encrypted when the channel was created: the key derived from your password is tried against these strings, and the one it decrypts is yours.
2. The times you see are the times when the message was shown on your screen.
The send time of a message is not stored.
3. Messages are stored on the server as encrypted JSON files.
They are encrypted and anonymous: no date, nickname or id is stored with them.
They can be accessed, and might be decrypted, but nobody can prove who wrote them.
The server does not log the message body (the encrypted part).
The transfer is also encrypted (TLS 1.2).
4. The app uses a built-in on-screen keyboard so that a keylogger cannot catch messages before they are encrypted.
5. For ease of use, channels can be saved and named: the password is stored locally under the chosen name,
so you can switch between channels quickly without entering a password.
The app's local storage is not a good place to keep passwords; delete channels you no longer use.
(A password manager with a master password is planned; the master password may be stored locally for barrier-free use.)
6. Key hashing: the password is hashed (20,000 + password length) times with SHA-512.
This is done to make brute-forcing the original password expensive,
by producing a problem that is harder to solve than to produce:
deriving the encryption key takes a few seconds once for you,
but an attacker trying to brute-force the original password has to repeat the whole step for every candidate.
This slows the brute-force attempt down massively, so that even short passwords become costly to brute-force.
The resulting key length varies; it is around 80.
Still avoid passwords that could appear in wordlists: stretching only multiplies the cost of each guess, it does not protect a password an attacker already has on a list.
7. XSS attacks: because the content security policy allows no download locations other than the app's own origin, injected scripts cannot be loaded.
(Content-Security-Policy: default-src 'self';)
Note that this policy also blocks inline scripts and inline event handlers, so the app's own scripts must be served as files from the same origin; and CSP only restricts where scripts may come from, so decrypted messages must still be rendered as text rather than as HTML.
8. Minimal system requirements:
data is transferred as JSON, which in most cases is not processed on the server.
No database is needed.
The refresh only checks the file's modification date and does not open the file.
Refresh uses plain GET requests, so the app can be used on basic (low-spec) web space.
All searching and decryption is done on the user's side, so the server can be quite weak.
Chats with more than 50 messages are trimmed down to the last 20 messages.
Chats that are not used for 7 days are deleted.
So less space is needed, messages do not stay on the server for too long,
and the files do not get too big.
This software can also be used on free hosts that support PHP.
TODO:
password manager - done
more keyboard functions - done
ability to paste in a key - done
barrier-free use - done
delete more than 100 messages per chat - done
remaining bug: lists are not refreshed.
Channels are saved passwords that can be named;
they are saved to the local storage.
With channels, direct access to conversations without typing the password each time is possible.
Storage controls in the app: clear localStorage, show localStorage, clear cached files.
Press + in the upper left to enter your password.
Encryption: AES
Prompt: Put in your shared password. (placeholder: super secret password)
Buttons: add channel to list / enter channel
Prompt: Put in your master-password.
Your master-password is used
to encrypt the channel passwords.
It is needed to save channels.