As a small-time reverser I can tell you, even without having heard of this program before now, that it is insecure.

The rule of thumb: If it runs on the client's device or if the client can read it then it can be cracked, inspected, seen, analyzed and decoded. There is nothing you can do to protect code/data you send to the client's device (for long).

The client isn't the problem, since you could push custom code to read the wifi key yourself. The problem is that the server will have everyone's Wifi keys.

The problem isn't in reading, but using the wifi key. The app promises to keep the wifi keys secret from other users:

> "... credentials are added to the database so that everyone else on the app can also use that hotspot. Users cannot actually view these credentials so as to protect user data."

But if a client app can download the wifi key from the server and use it to log in, then a modified client app could also download all wifi keys and show them to the user.

There is no practical way for the server to distinguish the original client app from a modified one as long as the user is in control of the hardware and OS it runs on.

Oh, I see what you mean now, I thought they meant secret on the server. Yeah, obviously they can be read if they go to the device, and verroq on the other thread looks like he found out how to decrypt the keys in the local cache.

inside their dmg file: -rw-r--r-- 1 buddha staff 163840 Jul 21 2014 password_pro.sqlite

sqlite> .tables pwd sqlite> .schema pwd CREATE TABLE "pwd" ("password" TEXT NOT NULL ); sqlite> SELECT * FROM pwd; a30e502c125899a41cb562a7a36b4bd0 c58675db0ba9266fb5307982e4368ab0 5631e619f6e280c0740704a25a8298f6 ...

i don't know how they are using this pwd, but seems like a good starting point.

Fun stuff. classes.dex in the apk has some interesting strings:

    select * from js_injection where name=?
    select * from pwd where hid>=? and hid<? order by hid

    CREATE TABLE IF NOT EXISTS local_ap_info ( hid integer primary key autoincrement, ssid text, bssid text, security_level text,
     pwd text, x_user text, x_pwd text, stat text, lati text, longi text, type text, html text, create_dt text, last_update_dt text)
	
    CREATE TABLE IF NOT EXISTS private_ap_info(ID integer primary key autoincrement,ssid text,bssid text,security_level text,
     pwd text,hid text,create_dt text,last_update_dt text,last_update_opr text,wkflg char(8))
	
    CREATE TABLE IF NOT EXISTS unlock_ap(id integer primary key autoincrement,ssid text,bssid text,security_level text,
     pwd text,uploaded integer(1))

Cleaned up your sqlite commands:

    sqlite> .tables
    pwd
    sqlite> .schema pwd
    CREATE TABLE "pwd" ("password" TEXT NOT NULL );
    sqlite> SELECT * FROM pwd;
    a30e502c125899a41cb562a7a36b4bd0 c58675db0ba9266fb5307982e4368ab0 5631e619f6e280c0740704a25a8298f6 ...
	

Looks like it may not be fully seeded on install?

Edit:

Getting a different result for the database in the apk:

    $ sqlite3 ap8.db 
    SQLite version 3.8.10.1 2015-05-09 12:14:55
    Enter ".help" for usage hints.
    sqlite> .tables
    android_metadata  ap_info           js_injection      pwd             
    sqlite> .schema pwd
    CREATE TABLE pwd(hid integer primary key autoincrement,pwd text);
    sqlite> select * from pwd;
    1|df5b74fb19b8b150bcf07bbb4e43456d
    2|a1b574f8cf46c461f1e15fa52e3b2110
    3|c8c28c03de3e02d7814d86b14dfcf1f5
    4|7635726149e6d0f0e8f3e9224b8109dc

Most "pwd" are 32 chars long, some are 64 chars, and a few are 96 chars for some odd reason.

ap_info, and js_injection tables are empty so you'd have to get at it after syncing to their servers.

Dumped - http://pastebin.com/YnKkA4DA

This from the ap8.db from the Android download. I didn't want to install this piece of shit on a real phone, the source does update and get a newer version.

This was an easy CTF.

They change depending on the auth type (WEP vs WPA vs WPA2-PSK vs WPA2-Enterprise). It'll be a day or two before someone manages to decrypt the DB. I'd have a crack at it if I had more time.

My money's on AES256 ECB mode.

    aload 0    // this
    LDC "AES/CBC/NoPadding"
    invokestatic javax/crypto/Cipher.getInstance(java/lang/String) : javax/crypto/Cipher
    putfield com/snda/wifilocating/support/c.c : javax/crypto/Cipher

Nope.

CBC sizes would go 32, 48, 64

Lol, I signed up for a QQ account to get those sweet 10TB free cloud storage space (Weiyun).

Well, their Android app started uploading all my stuff to the cloud storage and now I can't even access it.

Not gonna trust Chinese apps for a while. Plus most of them suck, with weird bugs, sluggishness and shit.

Insecure, and I assume that sharing user-specific login credentials is usually against the Wifi-provider's TOS and grounds for termination

Sustained abuse (or sharing) should be simple to detect for a service provider with a network that has multiple, widely-distributed hotspots. In other cases, seeing many different MAC addresses use the same login credentials might be a way to detect abuse, though the MAC might not be sent to the ISP by standard access point firmware.

While it seems (based on other comments) that the product mentioned here doesn't do that, if the phone has an alternative link (e.g. GPRS / 3G / 4G) data link to the server that stores the credentials, it would be possible to make this more secure.

For example, suppose Alice wants to connect to Bob's 802.11g wifi hotspot using 802.11i-2004 (WPA2) authentication in PSK mode. Charlie and Bob have the password; neither want to give it to Alice, but Charlie wants to facilitate Alice to access Bob's system. The first step of the normal WPA2-PSK process is to take the password and generate the Pairwise Master Key (PMK) by putting the password through a key derivation function (PBKDF2-SHA1). However, the PMK is essentially just a stretched version of the password - so we will assume Charlie also doesn't want to share that. To continue with the connection, Alice needs to compute the same Pairwise Transient Key (PTK) as Bob. The PTK is a hash function computed from the PMK, Alice's random nonce, Bob's random nonce, Alice's MAC address, and Bob's MAC address. Alice could send the latter four pieces of information to Charlie over the existing link, then Charlie could send the computed PTK back to Alice, allowing Alice to make the 802.11g connection without revealing the PMK or password to Alice.

A similar way of transferring enough information to allow the connection to continue is likely possible for other authentication modes like the various 802.11X options.

Of course, implementing this would probably require, at least, a rooted phone (for example, to replace the stock wpa_supplicant on Android).

Also, the server would need to store the password or PMK itself (either in plaintext or encrypted with a key that is kept available at all times to process incoming requests), so it would have a huge database of credentials that could be compromised.