Thursday, August 4, 2011

Obscurity



SSHH!! Don't Tell anyone 
You just have to wait for low tide
Using secrecy of design or implementation to provide security: do people really still do this? Of course they do. Why wouldn't they?

I recently looked at an application that lets users create and edit documents in different formats. It runs on a mobile platform (a tablet computer). The key feature users liked was the password protection of created documents, which assured them that their documents were safe from prying eyes. I wondered how secure they really were.

The application was installed on a clean, freshly formatted device. I then created some documents inside the application and turned on the password protection feature. Using command-line tools on the device, I generated a listing of all files created or modified by the application at run-time. The first thing that caught my eye was a newly created SQLite database. The SQLite Manager plug-in for Firefox is a quick way to load a database and browse its contents. Opening this one, I found a single table with an entry called password. The value stored there was not the password I had set, but it looked like a hashed version of it. Counting the characters, the value works out to 128 bits, so my first guess was that the program uses an MD5 hash.

I tried an online hash calculator to identify the hash format, but had no luck: the value did not match any of the common hash formats. Interesting. I then thought some kind of salt might be in use to provide extra protection. If so, setting the same password on several documents should yield different hashes, since the salt would vary from one entry to the next. After setting the same password several times, the hashes stored in the database were all identical. Another dead end. (Identical hashes rule out a per-document random salt, though not a single fixed salt compiled into the application; with a fixed salt, identical passwords still produce identical stored values.)

The next clue came from a strings analysis of the application executable: there were references to a "hash generator" header file. That suggests the author decided to write his own hash algorithm. The platform OS provides APIs for generating hashes and also data-protection facilities for encrypting and password-protecting files, so why would the programmer go to the trouble of developing his own? I am still looking for an answer to that question; my only guesses are security through obscurity, or that he was flexing his programming muscles.

In the end, does the program protect the files? Of course not. Even though I never determined the hash algorithm, the simple bypass was to open the SQLite database file and delete all the password entries. The application checks the database before a user opens a file to decide whether it is password protected; if there are no password entries in the database, it requires no password to open any file. That also tells us the documents themselves cannot be encrypted under the password, since the application can open them without ever seeing it: the stored hash is only a gate check, and the secret hash algorithm adds nothing. It should be noted that had the programmer used the hash, password and encryption APIs built into the OS, so that the document contents were actually encrypted under a key derived from the user's password, the document files would have been properly protected.
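The following is an added example, not code from the post or from the application it describes. It models the two findings above: the salt experiment (equal passwords producing equal stored hashes, versus a per-document random salt), and the gate-check design that a single DELETE defeats, alongside a version where the document content is itself encrypted under a password-derived key, so there is no table to delete. Everything is assumed: the table layout, the document name, and MD5 standing in for the unidentified hash. The encryption uses PBKDF2 for key derivation and HMAC-SHA256 in counter mode plus an HMAC tag purely so it runs on the standard library; real code should use the platform's data-protection API or an AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# ---- Scheme the post describes (modelled, not the app's real code) ----------
# The real algorithm was never identified; MD5 stands in for it here.

def unsalted_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    # A per-document random salt makes equal passwords hash differently.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_app_db() -> sqlite3.Connection:
    # Hypothetical layout: one table, one hash per protected document.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE password (doc TEXT PRIMARY KEY, password TEXT)")
    return con


def protect_document(con: sqlite3.Connection, doc: str, password: str) -> None:
    con.execute("INSERT INTO password VALUES (?, ?)", (doc, unsalted_hash(password)))
    con.commit()


def gate_open(con: sqlite3.Connection, doc: str, password: Optional[str] = None) -> bool:
    """The check the post describes: no row for the document means no password is asked."""
    row = con.execute("SELECT password FROM password WHERE doc = ?", (doc,)).fetchone()
    if row is None:
        return True
    return password is not None and unsalted_hash(password) == row[0]


def bypass(con: sqlite3.Connection) -> None:
    # The attack from the post: empty the table and every document opens freely.
    con.execute("DELETE FROM password")
    con.commit()


def same_password_hashes_match(password: str = "hunter2") -> bool:
    # Repeats the post's salt experiment: identical stored values => no per-record salt.
    return unsalted_hash(password) == unsalted_hash(password)


def per_document_salt_differs(password: str = "hunter2") -> bool:
    return salted_hash(password, os.urandom(16)) != salted_hash(password, os.urandom(16))


# ---- What protection should look like: encrypt the content itself ----------
# PBKDF2 derives the key; HMAC-SHA256 in counter mode plus an HMAC tag is used
# only so this runs on the standard library (use the OS data-protection API
# or AES-GCM in a real application).

ITERATIONS = 100_000


def _keys(password: str, salt: bytes):
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, 64)
    return key[:32], key[32:]          # (encryption key, MAC key)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def encrypt_document(password: str, plaintext: bytes) -> bytes:
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(password, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + tag + ct     # everything needed lives in the file itself


def decrypt_document(password: str, blob: bytes) -> Optional[bytes]:
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = _keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                    # wrong password (or tampering): no content
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def demo() -> dict:
    con = make_app_db()
    protect_document(con, "notes.txt", "hunter2")
    result = {
        "opens_without_password": gate_open(con, "notes.txt"),               # False
        "opens_with_password": gate_open(con, "notes.txt", "hunter2"),       # True
        "opens_with_wrong_password": gate_open(con, "notes.txt", "letmein"), # False
    }
    bypass(con)
    result["opens_after_bypass"] = gate_open(con, "notes.txt")               # True
    blob = encrypt_document("hunter2", b"constructed secret document")      # constructed sample
    result["encrypted_wrong_password"] = decrypt_document("letmein", blob)   # None
    result["encrypted_right_password"] = decrypt_document("hunter2", blob)
    return result


if __name__ == "__main__":
    print(demo())
```

The gate-check half shows why the hash algorithm never mattered: the decision to ask for a password depends only on whether a row exists. In the encrypted half the salt, nonce and tag travel inside the document, there is no side table to tamper with, and a wrong password simply fails to authenticate rather than being argued with.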
