Other potential problems in Qlink.it

  • Antonio Castro Lechtaler, Grupo de Investigación en Criptografía y Seguridad Informática (GICSI), Universidad de la Defensa Nacional (UNDEF), Ciudad Autónoma de Buenos Aires, Argentina
  • Marcelo Cipriano, Grupo de Investigación en Criptografía y Seguridad Informática (GICSI), Universidad de la Defensa Nacional (UNDEF), Ciudad Autónoma de Buenos Aires, Argentina
  • Edith García, Grupo de Investigación en Criptografía y Seguridad Informática (GICSI), Universidad de la Defensa Nacional (UNDEF), Ciudad Autónoma de Buenos Aires, Argentina
  • Pablo Lázaro, Dirección de Gestión Tecnológica (DGT), Policía de Seguridad Aeroportuaria (PSA), Argentina
  • Julio Liporace, Grupo de Investigación en Criptografía y Seguridad Informática (GICSI), Universidad de la Defensa Nacional (UNDEF), Ciudad Autónoma de Buenos Aires, Argentina
  • Eduardo Malvacio, Grupo de Investigación en Criptografía y Seguridad Informática (GICSI), Universidad de la Defensa Nacional (UNDEF), Ciudad Autónoma de Buenos Aires, Argentina
  • Ariel Maiorano, Grupo de Investigación en Criptografía y Seguridad Informática (GICSI), Universidad de la Defensa Nacional (UNDEF), Ciudad Autónoma de Buenos Aires, Argentina
Keywords: Information security, application security, source code review, cryptography, random number generation

Abstract

In previous work we presented preliminary results from reviewing the source code of the Qlink.it web application. In this article, after summarizing those findings, we describe the results of a source code review of the Qlink.it Android application. The analysis focused on the implementation of cryptographic functionality. This publication also aims to invite other researchers to analyze the application in order to determine whether Qlink.it can be considered secure.

Published
2018-10-09
How to Cite
Castro Lechtaler, A., Cipriano, M., García, E., Lázaro, P., Liporace, J., Malvacio, E., & Maiorano, A. (2018). Other potential problems in Qlink.it. Journal of Computer Science and Technology, 18(02), e18. https://doi.org/10.24215/16666038.18.e18
Section
Original Articles