GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

    Soatok Dreamseeker (soatok@furry.engineer), Tuesday, 22-Apr-2025 21:26:36 JST

    Let's talk about xPal, which purports to be an encrypted messaging app. https://xpal.com

    Anyone that reads my blog probably already knows where this is going.

    If this post accidentally reaches escape velocity and people that don't know me find it: Hi, I'm a furry cryptography nerd. Usually when I talk about so-called private apps, it's to disclose vulnerabilities in them.

    (Today, I just don't have the damn energy to do a formal write-up.)

    Let's start with how they market their app.


    Attachments
    1. https://furry.engineer/system/media_attachments/files/114/381/131/435/204/339/original/8c4f7a2a89e9e792.png

    • Soatok Dreamseeker (soatok@furry.engineer), Tuesday, 22-Apr-2025 21:27:14 JST

      Earlier, when I thought I had enough motivation to blog about it, I decided to reverse engineer their APK.

      It turns out, there's no actual cryptography code in the .dex files. (p5 and t5 only contained file extension metadata.)

      There's a lot of React code, though.


      Attachments
      1. https://furry.engineer/system/media_attachments/files/114/381/208/634/259/309/original/faf022ea5fcd60b2.png
      2. https://furry.engineer/system/media_attachments/files/114/381/208/906/790/586/original/a51467003b85d2d3.png

    • Soatok Dreamseeker (soatok@furry.engineer), Tuesday, 22-Apr-2025 21:27:14 JST

      Since it's all React.JS, I did the lazy thing: Looked in the assets directory for JavaScript files.

      Success: assets/threads/Threads/encrypt.bundle and assets/threads/Threads/decrypt.bundle.

      Unfortunately, this is just crypto-browserify and some other React libraries webpacked together.

      It's full of side-channels and it's not clear which components are relevant.

      Like, their ghash implementation (used by AES-GCM, which their decrypter uses) uses the && operation after comparing each bit of the state against 0, which short-circuits the right hand side. This introduces a timing side-channel that loudly exposes the entire GHASH state at any given point of time.

      They also implemented AES with S-boxes in pure JavaScript (no bitslicing), which adds a cache-timing leak. Yay.

      Their PKCS7 padding removal step for AES-CBC (which appears to be used for key-wrapping) also maximizes the timing leakage.

      Suffice to say, the only cryptographic primitives I can find in their app are not recommended.

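As an added example (not xPal's code, not crypto-browserify's, and not from the post), here are the two patterns called out above written in plain JavaScript, each in its variable-time form beside a constant-time rewrite: a conditional XOR driven by a secret bit (the inner-loop shape of a bit-serial GHASH multiply, shown here in GF(2^8) instead of GF(2^128) so the values can be checked by hand) and PKCS#7 padding removal. The helper names, the GF(2^8) stand-in, and the sample blocks are all constructed for this example.

```javascript
// Added example, not code from xPal, crypto-browserify or the post above.
// It shows the two patterns the post criticises, each in its variable-time
// form beside a constant-time rewrite. All inputs are small non-negative
// integers (bits, bytes, lengths), which the 32-bit arithmetic relies on.

// Constant-time comparisons for integers in [0, 2^31). Each returns 0 or 1
// and contains no branch, so its running time does not depend on a or b.
const ctLt  = (a, b) => (a - b) >>> 31;        // 1 if a < b
const ctGe  = (a, b) => 1 ^ ctLt(a, b);         // 1 if a >= b
const ctNeq = (a, b) => (-(a ^ b)) >>> 31;      // 1 if a != b
const ctEq  = (a, b) => 1 ^ ctNeq(a, b);        // 1 if a == b

// 1. Conditional XOR driven by a secret bit: the inner-loop shape of a
//    bit-serial multiply such as the one GHASH performs in GF(2^128).
//    Variable-time: the branch (or a short-circuiting `&&`) only does the
//    XOR when the bit is set, so how long the step takes reveals the bit.
function condXorLeaky(acc, value, bit) {
  if (bit !== 0) acc ^= value;
  return acc >>> 0;
}
//    Constant-time: widen the bit to an all-ones/all-zeros mask and XOR
//    unconditionally; the same instructions run whichever way the bit falls.
function condXorCT(acc, value, bit) {
  const mask = (-(bit & 1)) | 0;   // 0 -> 0x00000000, 1 -> 0xFFFFFFFF
  return (acc ^ (value & mask)) >>> 0;
}
// Bit-serial multiply in GF(2^8) with the AES polynomial (x^8+x^4+x^3+x+1):
// the same loop as a bit-serial GHASH multiply, in a field small enough to
// check by hand. Both the "add a if this bit of b is set" step and the
// reduction carry go through condXorCT instead of an if.
function gf8MulCT(a, b) {
  let p = 0;
  for (let i = 0; i < 8; i++) {
    p = condXorCT(p, a, b & 1);
    const carry = (a >>> 7) & 1;
    a = (a << 1) & 0xff;
    a = condXorCT(a, 0x1b, carry);
    b >>>= 1;
  }
  return p;
}

// 2. PKCS#7 padding removal for a decrypted CBC block.
//    Variable-time: returns as soon as a byte disagrees, so the running time
//    is a function of the plaintext; this is the padding-oracle shape.
function unpadLeaky(block) {
  const n = block.length, pad = block[n - 1];
  if (pad === 0 || pad > n) return { ok: false, data: new Uint8Array(0) };
  for (let i = n - pad; i < n; i++) {
    if (block[i] !== pad) return { ok: false, data: new Uint8Array(0) };
  }
  return { ok: true, data: block.subarray(0, n - pad) };
}
//    Constant-time: every byte of the block is examined on every call, a
//    failure flag is accumulated with bitwise ops, and the output length is
//    selected with a mask; the only data-dependent value is the final result.
function unpadCT(block) {
  const n = block.length, pad = block[n - 1];
  let bad = ctEq(pad, 0) | ctLt(n, pad);        // pad must be in [1, n]
  for (let i = 0; i < n; i++) {
    const inPad = ctGe(i, n - pad);             // 1 if byte i is padding
    bad |= inPad & ctNeq(block[i], pad);
  }
  const okMask = (bad - 1) | 0;                 // bad=0 -> -1, bad=1 -> 0
  const len = (n - pad) & okMask;               // 0 for any bad block
  return { ok: bad === 0, data: block.subarray(0, len) };
}
```

The review check this supports: in the `CT` functions no `if`, `&&`, `||` or early `return` has a condition that depends on `bit`, `pad` or a byte of `block`; in the leaky variants every such condition does. Only the helpers at the top use a value range assumption (inputs below 2^31), which holds for bits, bytes and block lengths.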
    • Soatok Dreamseeker (soatok@furry.engineer), Tuesday, 22-Apr-2025 21:27:15 JST

      So, right off the bat: "Military-Grade AES-256 Encryption" is a red flag. Nobody in the privacy or security space sees "military-grade" as a good thing.

      If you scroll through their feature list, you'll notice a few things:

      1. It's not open source.
      2. Decoy PINs that expose a second, innocuous profile
      3. Optional feature: Entering your PIN backwards nukes your account
      4. An unhealthy emphasis on message erasure, including on other people's devices

      This sounds very familiar, doesn't it?

      This is basically a clone of EncroChat!

    • Soatok Dreamseeker (soatok@furry.engineer), Tuesday, 22-Apr-2025 21:27:32 JST

      Their vaunted "cyber security audit" from Dekra is just a checklist exercise against the OWASP Top 10.


      Attachments
      1. https://furry.engineer/system/media_attachments/files/114/381/230/209/241/864/original/9d65c3072709f304.png
      2. https://furry.engineer/system/media_attachments/files/114/381/232/272/833/794/original/13fedb08537dd6f3.png
      3. https://furry.engineer/system/media_attachments/files/114/381/234/566/896/826/original/6ea9cebbcccea913.png
    • Soatok Dreamseeker (soatok@furry.engineer), Tuesday, 22-Apr-2025 21:27:32 JST

      I'm not going to bother digging further to see how keys are managed.

      For all I know, the cipher mode is smoke and mirrors and everyone is using the same hard-coded AES key somewhere to encrypt their chats.

      Don't use xPal.

      When you consider how it's marketed, the features they emphasize, the fact that it's not open source, and the low quality review they're trying to pass off as an "audit", this thing is either a textbook example of developer hubris or it's another law enforcement sting operation.

    • Soatok Dreamseeker (soatok@furry.engineer), Tuesday, 22-Apr-2025 21:27:33 JST

      None of this is particularly interesting. Lots of people ship god awful cryptography.

      The really interesting thing is how they try to market this pile of shit.


      Attachments
      1. https://furry.engineer/system/media_attachments/files/114/381/224/797/659/517/original/4d0af8f7f6d63499.png
    • Rich Felker (dalias@hachyderm.io), Tuesday, 22-Apr-2025 21:28:30 JST

      @soatok Even the name is like if Thiel and Elon somehow reached a compromise. 🤣

    • Rich Felker (dalias@hachyderm.io), Tuesday, 22-Apr-2025 21:29:26 JST
      in reply to Peter Bindels

      @soatok @dascandy 🤡 🍿

    • Soatok Dreamseeker (soatok@furry.engineer), Tuesday, 22-Apr-2025 21:29:27 JST
      in reply to Peter Bindels

      @dascandy Another prospect that was raised: "developed by AI"

    • Peter Bindels (dascandy@infosec.exchange), Tuesday, 22-Apr-2025 21:29:28 JST

      @soatok I'd be willing to put down a tenner, but I don't think I can find somebody that thinks this isn't law enforcement, and it'll likely take a few decades to be admitted publicly.

    • Peter Bindels (dascandy@infosec.exchange), Tuesday, 22-Apr-2025 21:29:29 JST

      @soatok
      > this thing is either a textbook example of developer hubris or it's another law enforcement sting operation.

      I don't think I've seen developers this bad recently.

    • Soatok Dreamseeker (soatok@furry.engineer), Tuesday, 22-Apr-2025 21:29:29 JST
      in reply to Peter Bindels

      @dascandy If I were a betting dhole, I'd put my money on "law enforcement"

GNU social JP is a social network, courtesy of the GNU social JP admin. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.