The app also crowdsources login credentials, so when one user logs into a 
    hotspot, his or her credentials are added to the database so that everyone 
    else on the app can also use that hotspot. Users cannot actually view these 
    credentials so as to protect user data.

Holy shit, that sounds insecure.

As a small-time reverser I can tell you, even without having heard of this program before now, that it is insecure.

The rule of thumb: If it runs on the client's device or if the client can read it then it can be cracked, inspected, seen, analyzed and decoded. There is nothing you can do to protect code/data you send to the client's device (for long).

The client isn't the problem, since you could push custom code to read the wifi key yourself. The problem is that the server will have everyone's Wifi keys.

The problem isn't in reading, but using the wifi key. The app promises to keep the wifi keys secret from other users:

> "... credentials are added to the database so that everyone else on the app can also use that hotspot. Users cannot actually view these credentials so as to protect user data."

But if a client app can download the wifi key from the server and use it to log in, then a modified client app could also download all wifi keys and show them to the user.

There is no practical way for the server to distinguish the original client app from a modified one as long as the user is in control of the hardware and OS it runs on.

Oh, I see what you mean now, I thought they meant secret on the server. Yeah, obviously they can be read if they go to the device, and verroq on the other thread looks like he found out how to decrypt the keys in the local cache.

inside their dmg file: -rw-r--r-- 1 buddha staff 163840 Jul 21 2014 password_pro.sqlite

sqlite> .tables pwd sqlite> .schema pwd CREATE TABLE "pwd" ("password" TEXT NOT NULL ); sqlite> SELECT * FROM pwd; a30e502c125899a41cb562a7a36b4bd0 c58675db0ba9266fb5307982e4368ab0 5631e619f6e280c0740704a25a8298f6 ...

i don't know how they are using this pwd, but seems like a good starting point.

Fun stuff. classes.dex in the apk has some interesting strings:

    select * from js_injection where name=?
    select * from pwd where hid>=? and hid<? order by hid

    CREATE TABLE IF NOT EXISTS local_ap_info ( hid integer primary key autoincrement, ssid text, bssid text, security_level text,
     pwd text, x_user text, x_pwd text, stat text, lati text, longi text, type text, html text, create_dt text, last_update_dt text)
	
    CREATE TABLE IF NOT EXISTS private_ap_info(ID integer primary key autoincrement,ssid text,bssid text,security_level text,
     pwd text,hid text,create_dt text,last_update_dt text,last_update_opr text,wkflg char(8))
	
    CREATE TABLE IF NOT EXISTS unlock_ap(id integer primary key autoincrement,ssid text,bssid text,security_level text,
     pwd text,uploaded integer(1))

Cleaned up your sqlite commands:

    sqlite> .tables
    pwd
    sqlite> .schema pwd
    CREATE TABLE "pwd" ("password" TEXT NOT NULL );
    sqlite> SELECT * FROM pwd;
    a30e502c125899a41cb562a7a36b4bd0 c58675db0ba9266fb5307982e4368ab0 5631e619f6e280c0740704a25a8298f6 ...
	

Looks like it may not be fully seeded on install?

Edit:

Getting a different result for the database in the apk:

    $ sqlite3 ap8.db 
    SQLite version 3.8.10.1 2015-05-09 12:14:55
    Enter ".help" for usage hints.
    sqlite> .tables
    android_metadata  ap_info           js_injection      pwd             
    sqlite> .schema pwd
    CREATE TABLE pwd(hid integer primary key autoincrement,pwd text);
    sqlite> select * from pwd;
    1|df5b74fb19b8b150bcf07bbb4e43456d
    2|a1b574f8cf46c461f1e15fa52e3b2110
    3|c8c28c03de3e02d7814d86b14dfcf1f5
    4|7635726149e6d0f0e8f3e9224b8109dc

Most "pwd" are 32 chars long, some are 64 chars, and a few are 96 chars for some odd reason.

ap_info, and js_injection tables are empty so you'd have to get at it after syncing to their servers.

Dumped - http://pastebin.com/YnKkA4DA

This from the ap8.db from the Android download. I didn't want to install this piece of shit on a real phone, the source does update and get a newer version.

This was an easy CTF.

They change depending on the auth type (WEP vs WPA vs WPA2-PSK vs WPA2-Enterprise). It'll be a day or two before someone manages to decrypt the DB. I'd have a crack at it if I had more time.

My money's on AES256 ECB mode.

    aload 0    // this
    LDC "AES/CBC/NoPadding"
    invokestatic javax/crypto/Cipher.getInstance(java/lang/String) : javax/crypto/Cipher
    putfield com/snda/wifilocating/support/c.c : javax/crypto/Cipher

Nope.

CBC sizes would go 32, 48, 64

Lol, I signed up for a QQ account to get those sweet 10TB free cloud storage space (Weiyun).

Well, their Android app started uploading all my stuff to the cloud storage and now I can't even access it.

Not gonna trust Chinese apps for a while. Plus most of them suck, with weird bugs, sluggishness and shit.

Insecure, and I assume that sharing user-specific login credentials is usually against the Wifi-provider's TOS and grounds for termination

Sustained abuse (or sharing) should be simple to detect for a service provider with a network that has multiple, widely-distributed hotspots. In other cases, seeing many different MAC addresses use the same login credentials might be a way to detect abuse, though the MAC might not be sent to the ISP by standard access point firmware.

While it seems (based on other comments) that the product mentioned here doesn't do that, if the phone has an alternative link (e.g. GPRS / 3G / 4G) data link to the server that stores the credentials, it would be possible to make this more secure.

For example, suppose Alice wants to connect to Bob's 802.11g wifi hotspot using 802.11i-2004 (WPA2) authentication in PSK mode. Charlie and Bob have the password; neither want to give it to Alice, but Charlie wants to facilitate Alice to access Bob's system. The first step of the normal WPA2-PSK process is to take the password and generate the Pairwise Master Key (PMK) by putting the password through a key derivation function (PBKDF2-SHA1). However, the PMK is essentially just a stretched version of the password - so we will assume Charlie also doesn't want to share that. To continue with the connection, Alice needs to compute the same Pairwise Transient Key (PTK) as Bob. The PTK is a hash function computed from the PMK, Alice's random nonce, Bob's random nonce, Alice's MAC address, and Bob's MAC address. Alice could send the latter four pieces of information to Charlie over the existing link, then Charlie could send the computed PTK back to Alice, allowing Alice to make the 802.11g connection without revealing the PMK or password to Alice.

A similar way of transferring enough information to allow the connection to continue is likely possible for other authentication modes like the various 802.11X options.

Of course, implementing this would probably require, at least, a rooted phone (for example, to replace the stock wpa_supplicant on Android).

Also, the server would need to store the password or PMK itself (either in plaintext or encrypted with a key that is kept available at all times to process incoming requests), so it would have a huge database of credentials that could be compromised.

> Wifi Skeleton Key responded in February, calling the rumors slander and stating that the company collaborated with Baidu on a number of security measures.

ohh, this baidu https://citizenlab.org/2015/04/chinas-great-cannon/

edit: > Users cannot actually view these credentials so as to protect user data.

this is technically impossible; you need the creds on the device so you can pass authentication; that's the whole point of... any auth protocol. while you could in theory have a remote oracle that signs/encrypts packets without giving the device the key, I don't think WPA-PSK allows this without sending the entire packet. along those lines, if you can send off the packet to be encrypted for wifi, then you can just do the whole connection over that.

1. The company's stats backend was pwnd http://www.wooyun.org/bugs/wooyun-2015-099350 It has far less MAU than 270M. In fact it has only less than 10k DAU.

2. The way it works is by uploading everything under /data/misc/wifi/wpa_supplicant.conf to its server. See analysis here http://www.zhihu.com/question/23865652

3. It's totally scamware & spyware.

Assuming this thing runs in the background on your device. What if it captures your login to your company's wifi? Are hackers going to use it to access corporate networks? Is there a way to opt out for certain networks that you access?

If your corporate networks security is dependent on wifi passwords remaining confidential you're doing it wrong.

Password re-use by employees who use this app is the real risk IMO.

1) Set up "secure" hotspot in high-traffic area that hoovers everyone's data, attempts to hack any file shares, etc.

2) Put credentials in Wifi Skeleton Key.

3) ...

4) Profit!

You shouldn't be trusting hotspots anyway. No real change from the status quo.

All Windows Phones already come with this: it's called Wifi Sense. Technically it only shares logins with your outlook contacts but in the end it's effectively the same, except Microsoft-Sponsored.

edit: I guess it's only secure until someone jailbreaks WP8.1

I think a WiFi sharing social network would be awesome and if it was integrated with Facebook it would be even better. Obviously you can't trust your WiFi to everyone but it's something you already do with friends and family so why not make it as smooth as possible.

I imagine it would be something like this:

The server will not store the key for long, some minutes max and transmission of any data will be encrypted. The owner of the WiFi hot spot will have to approve every request to share his key (individually or all at once). Then the key of the WiFi hot spot will be sent to those that requested it, after that it will be deleted from the server, it won't even get out of the RAM. The people that request the key will be able to do so with just the push of a button (in the ideal case). All this exchange of data, might happen through 3G so it will be as compact as possible (no adds if on 3G, etc).

If in the same physical space this all will be done locally without sending anything to the server. A smartphone app (at most a few megabytes) will be at the center of this. There will also be a desktop client, that allows you to connect less easily but still better than typing. Connect your smartphone to the computer push a button (depending on setting even without this) and connect to the desired WiFi hot spot.

I am one of those persons that feels that everything is invented, but this is something that I feel is lacking.

Windows (Phone) has this feature called "Wi-Fi Sense". It shares wifi passwords with your Facebook/Skype/etc friends. I've never used it to share with other people, because not many people have Windows Phone, but it's nice that it syncs passwords between my own stuff.

Looks like this: http://imgur.com/ShQvqAU

Proof, yet again, that end users give zero shits about security.

Just give me my free stuff!

More along the lines of that joke about "wifi" being added at the bottom of Maslow's hierarchy. [0]

The sooner we stop this nonsense about access to the network being restricted geographically by anything other than a complete lack of infrastructure the better off we'll all be.

People won't want to do stupid things like layering a separate network onto their customers access points ( hi xfinity ) or having open networks ( too many small businesses ) or having wifi passwords on a sign by the barista ( please tip the barista ).

0. http://www.daisydowntown.com/blog/2014/2/19/maslows-hierarch...

It's not about free, it's about getting online at all as described in the linked article.

Why are people investing in this? Everything about it sounds illegal.

You think this is illegal in China? I can't think of anything the government would approve of more than a giant database of creds at their disposal...

Are you talking about the Chinese or the US government here?

Doesn't Google already have this information? Android certainly used to 'sync' your WIFI passwords with Google, in a format that they could decrypt.

It does indeed.

Just bear in mind that from what we know the German and British governments were all in with the NSA and do even more surveillance on their own citizens than the U.S. does (both, by the way, also using terrorism as the pretext - IRA and Bahder Meinhoff respectively). The U.S. is by far not the worst actor in this arena.

Illegal-sounding + extremely popular + not actually illegal = Often great investments.

Until the law changes

Grow big enough fast enough and well liked enough, you become the law.

Much like YouTube was originally or Uber is now?

In a communist country? I very much doubt it.

Why would anyone be dumb enough to invest in this? Even assuming that it isn't shut down by authorities and even assuming that they can stay in the app store when they're so obviously a spammy spyware app, China Mobile controls their oxygen supply. All they have to do is start messing with their radius servers to make life difficult for password sharers. Why would anyone invest in a company that can by shut down by another company on a whim?

> so when one user logs into a hotspot, his or her credentials are added to the database so that everyone else on the app can also use that hotspot

Can it do this without root privileges on Android? Or does it ask the user to enter the password for the hotspot?

Security issues aside, how is this an investable business? How is it going to generate 10x+ returns legally?

Wow, I have an app that also does this on Google Play. Maybe I should rebrand it and try again...

do yours save me from typing my name and room in a hotel? that one seems to also do that.

not that it's something I'd like (as I assume when i type it it goes to their servers so the next person doesn't) but that's what makes it tick from the article

Yes. It sounds like that was the linchpin. It was an indie app so we didn't have much of a marketing budget other than producing a basic video. Nice execution. Hats off to them.

This sounds like 90% of the world. Not just China.

For a similar US company that is more focused on the B2B side, check out Devicescape.