[APP] Raccoon v3.3 - A google play desktop client

OP onyxbits

27th January 2015, 04:54 PM | #211 | vikraminside, Senior Member
Quote:
Originally Posted by onyxbits

I really like having this (idiot) discussion over and over again (especially with people who don't bother reading the FAQ and obviously don't even understand what they are talking about): Yes, credentials.cfg is a security concern, but no, there is no possible fix for it.

Think about it: Google Play requires you to present credentials ("no shoes, no service!"). That means Raccoon must be able to present them. Encrypting the file provides no additional security, as Raccoon would need to be able to decrypt it. A hypothetical malware that is able to grab credentials.cfg will also be able to copy keystore.dat right next to it.
The whole idea behind encryption is the ability to keep the key secret from any potential attacker. If you cannot do this, you might as well not bother at all.

Should you find that your computer is running malware of any kind (or has otherwise been broken into), you should always consider it to be completely compromised. That means you should reinstall the entire operating system from scratch, using an external installation medium (not your recovery partition), and change every password you have stored on it, including those under control of a password manager (since you never know if that malware had a keylogger component).
Your goal is to keep your computer malware free, not putting pseudo obstacles everywhere and hoping that they work as unexpected problems. If you don't take the threat seriously enough to prevent malicious code from running in the first place, then randomly encrypting files won't save you either.

I am a fan of your app. You are a Genius, as appreciated in my previous post. It should not stop us from having healthy discussions. To err is human.

I can provide you 2 options as a helping hand:
1. Virtualization
2. Encrypting java code

I have written several java apps where credentials are read from properties file, Keystore JKS yes. Keystore jks is encrypted by the way right?

The java app can decrypt and send it as plain text to google servers if need be.

We shall not provide a very easy way to hack, that is the point. If it can be read from Notepad there is no need for intelligent malware to read it.

I respect your view, but it's unethical to call it IDIOTIC. Please edit your post to remove offensive words, else this thread will be reported.

If you cannot fix it, please let users know it will be "as is" and do not say the discussion is idiotic. Users are not fools.

27th January 2015, 06:14 PM | #212 | onyxbits (OP), Senior Member
Quote:
Originally Posted by vikraminside

I am a fan of your app. You are a Genius, as appreciated in my previous post. It should not stop us from having healthy discussions. To err is human.

I'm sorry for the harsh words, but the last time I had this discussion with someone else, it was an utterly frustrating experience (I probably got trolled), which makes me quite a bit allergic to the topic.

Quote:
Originally Posted by vikraminside

I can provide you 2 options as a helping hand:
1. Virtualization
2. Encrypting java code

That won't work. Raccoon is open source. Any malware author targeting the software would have an easy time discovering the decryption routines.

Quote:
Originally Posted by vikraminside

I have written several java apps where credentials are read from properties file, Keystore JKS yes. Keystore jks is encrypted by the way right?

Keystores are encrypted, but they don't solve the problem: where would you put the password to unlock the store? You could put it in a properties file, but then the attacker would just have to copy a third file (you win nothing by this). You could prompt the user for the password to unlock the keystore, but in that case you might as well not bother with encryption/keystores at all and simply prompt for the Google Play password instead.
Prompting every time is not a solution either. Users would just demand a "remember password" checkbox and/or use weak passwords in the meantime.

Quote:
Originally Posted by vikraminside

We shall not provide a very easy way to hack, that is the point. If it can be read from Notepad there is no need for intelligent malware to read it.

Malware does not magically steal passwords from your computer. It needs to know what files to go after. If it knows to go after credentials.cfg, it will also know to go after keystore.jks and appsettings.properties. The same goes for a human attacker. The answer really is: if there is sensitive information on your computer, then you have lost the moment unauthorized code runs (no matter if it is a virus or a human with Notepad).

Quote:
Originally Posted by vikraminside

I respect your view, but it's unethical to call it IDIOTIC. Please edit your post to remove offensive words, else this thread will be reported.

You got my apology above. I will not edit my previous post because doing so would rip the context from your reply to it. On a side note: Intimidation is not a highly successful strategy if you want me to do something.

Quote:
Originally Posted by vikraminside

If you cannot fix it, please let users know it will be "as is" and do not say the discussion is idiotic. Users are not fools.

The issue is well documented in the FAQ and in the handbook. Users are strongly encouraged to use dedicated accounts for Raccoon for exactly this reason (and to limit Google's ability to big brother you).
Last edited by onyxbits; 27th January 2015 at 06:37 PM.
28th January 2015, 07:12 AM | #213 | vikraminside, Senior Member
Quote:
Originally Posted by onyxbits

I'm sorry for the harsh words, but the last time I had this discussion with someone else, it was an utterly frustrating experience (I probably got trolled), which makes me quite a bit allergic to the topic.

Ok friend. Keep it going. No need to apologize; this forum is read by millions, so I wished you would be getting wishes from everyone. Such words will mean people stop coming to you "for and to" help, just in case. :thumbup:

Reporting to a moderator is not intimidation but a way to restore the normalcy and sanctity of this thread.

28th January 2015, 03:20 PM | #214 | shibu123, Junior Member

Can you post example contents of network.cfg as well as credentials.cfg?
29th January 2015, 05:04 PM | #215 | onyxbits (OP), Senior Member
Quote:
Originally Posted by shibu123

Can you post example contents of network.cfg as well as credentials.cfg?

http://www.onyxbits.de/content/networkcfg-file

Credentials.cfg is created automatically when you create an archive.