
Nothing instills confidence in cryptographic code like the constants "bananas" and "seems legit...". I'd have hoped that anyone dealing with AES and block cipher modes would take the task a bit more seriously, even if the whole task is, in this instance, ultimately futile due to the lack of a trust root.


> Nothing instills confidence in cryptographic code like the constants "bananas" and "seems legit...".

And a class called "SlightySecurePreferences". One gets the feeling that the programmer responsible knew exactly what he was doing, but had been told to do it anyways.


[deleted]


Well, prior to this there were apps you could download that would save Snapchat images and that would work on non-root devices. At least by enabling this encryption, that's now only available to the relatively small number of root users out there.


Or anyone who can use adb backup. If you view the physical possessor of a device as your adversary, you're bound to lose.


> Nothing instills confidence in cryptographic code like the constants "bananas" and "seems legit..."

Not to mention, even if the hardcoded password was somehow stored securely, using AES in ECB mode is insecure. ECB mode leaks information, particularly when applied to images: http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#...
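As an added illustration of the ECB point above (not code from the thread or from the app being discussed), this Go program encrypts a constructed two-tone "image" with AES in ECB and in CBC mode and counts distinct ciphertext blocks; the key, IV and plaintext are constructed demo values, and the hand-rolled ECB loop exists only because the standard library deliberately offers no ECB mode.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// distinctBlocks counts the unique 16-byte blocks in ct. Repeated blocks
// are the tell-tale sign that structure in the plaintext has leaked.
func distinctBlocks(ct []byte) int {
	seen := make(map[[16]byte]struct{})
	for i := 0; i+16 <= len(ct); i += 16 {
		var b [16]byte
		copy(b[:], ct[i:i+16])
		seen[b] = struct{}{}
	}
	return len(seen)
}

// encryptECB runs the raw block cipher over each block independently.
func encryptECB(block cipher.Block, pt []byte) []byte {
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += block.BlockSize() {
		block.Encrypt(ct[i:i+block.BlockSize()], pt[i:i+block.BlockSize()])
	}
	return ct
}

// encryptCBC chains blocks so identical plaintext blocks encrypt differently.
func encryptCBC(block cipher.Block, iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct
}

// sampleImage is a constructed stand-in for a two-tone bitmap:
// 64 all-0xff blocks followed by 64 all-0x00 blocks (128 blocks total).
func sampleImage() []byte {
	return append(bytes.Repeat([]byte{0xff}, 64*16), bytes.Repeat([]byte{0x00}, 64*16)...)
}

// compareModes returns the distinct-block counts for ECB and CBC on sampleImage.
func compareModes() (ecbDistinct, cbcDistinct int) {
	key := []byte("0123456789abcdef") // constructed 128-bit demo key
	iv := make([]byte, 16)            // constructed all-zero IV; fine for a structure-leak demo
	block, _ := aes.NewCipher(key)    // 16-byte key cannot fail
	pt := sampleImage()
	return distinctBlocks(encryptECB(block, pt)), distinctBlocks(encryptCBC(block, iv, pt))
}

func main() {
	e, c := compareModes()
	fmt.Printf("ECB: %d distinct blocks of 128; CBC: %d distinct blocks of 128\n", e, c)
}
```

ECB yields only two distinct ciphertext blocks, so the two "regions" of the image remain visible in the ciphertext, while CBC yields 128.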


As you point out, the task is futile; I'd be inclined to have a higher opinion of an engineer that realized this.

It's not exactly good marketing, though.



