Topic: Crosspass - a simple way to share passwords, encryption keys, banking info (Read 406 times)

Frankly this is a welcome development in the tech space, particularly the Bitcoin space as it has tremendous impart in the way it is niched. I have heard of a network that is used to transact or transfer Bitcoin without the need for internet and this technology was used a few years back when there was a long protest somewhere in Asia, I can't remember the exaact country though. BUt I have not seen it mainstream yet but if it can be a regular tech, available to everyone, that will be great.

Yes, I have added alerts to handle the case when Google Play services are either not installed, or Play Integrity returns an error.  Even if you install Play Services in the emulator, it won't pass the further checks, since Play Services verifies whether you have a real device (this is called Play Integrity API).



I found a Python package that works on the Desktop which is similar to Crosspass in concept.  It is called Magic Wormhole and it was created in 2016.

https://github.com/magic-wormhole/magic-wormhole

The fact that it is not widely used is saying something, namely that it is too technical and too real-time.


This is a summary of advantages of Crosspass stated earlier, and they apply to images as much as text. The difference is that Crosspass enforces key verification as part of the natural flow, via the PIN which looks just like an OTP familiar to users. All other services rely on public keys being managed by an untrusted party (a server).  This allows the third party to MITM you at will.   The other issue is JavaScript backdoors which become a problem with webmail (ProtonMail), or anything inside a web browser.

Furthermore, if you are sending a driving licence or a passport, most likely the recipient is some clerk in some company. He will not jump through hoops to receive your encrypted image. He will not signup with ProtonMail. And he will not give you his private phone number for Signal or WhatsApp.

I can no longer install and/or update Crosspass on android emulator so you probably fixed that as well.
However, I still think you need to have usable option for desktop users...

EDIT: wait a minute, I just installed Crosspass on emulator again.

I don't have g00gle play store installed, so I am getting this error when I try to create password and note:



What's the difference from sending image with encrypted email or other encrypted chatting app?

Update: I have released a new version of Crosspass for Android that fixes many stability issues it had.

# Oct 9, 2023
- Auto-correction of text when composing notes
- Improved handling of Play Integrity verification
- Fix right-to-left language locale
- Improved handling of no Internet connection
- Bug fixes related to navigation within the app

I have also released an updated version for iOS, which primarily improved the Paste functionality.

I am now handling the case when the sending side has a bad cellular data connection or the sender is offline (e.g. on an airplane flight).

I also began planning to add a feature to send images, not just text. This is useful if you need to send someone your driving license or a passport photo.

If you want to see this take off, you can help by following me on social media:

https://twitter.com/entelecheia_inc
https://www.linkedin.com/company/entelecheia-inc
https://www.facebook.com/crosspassapp
https://www.instagram.com/crosspass.app


A sender does not want to use encryption if it puts an out-of-proportion burden on the recipient to learn how to decrypt.  I tried to make Crosspass easy on the recipient. It's on the App Store and Play Store, it's free, and as soon as the app opens the user is asked to type the access code to receive a shared note.

There are already services for sharing passwords and text notes. Most of them are web-based and therefore insecure. But the fact that they exist, shows that there is demand.

privnote.com
onetimesecret.com

Found these guys recently: sharepass.com

If you can send a password, you can send anything, because you can Zip files with AES encryption using 7-zip. No special software is needed on the receiving end to unzip.

Do I understand correctly that you want to send your paper wallet key to someone else? Further, is it the case that you don't want you or him to use the clipboard?
Does his wallet software have an ability to import a key from a text file?

I can add to Crosspass an ability to save text into a file, or read from file, instead of relying on the clipboard.  Does that help you? You can work with files and your phone without Internet or LAN, by USB cable or NFC.

That's called BIP38 encryption.

That's a huge gamble! Chances are "the hacker" is just a piece of automated malware, and chances are it's a lot faster than you are. That is of course what you should assume, and take measures to prevent it. So instead of risking everything by decrypting your private key on an online computer, it's much better to sign the transaction offline and never expose your private key to an online machine.

You seem to think hacks happen when someone is manually monitoring your computer.

It might be nice if you can create a Offline App that can be used to import private keys for paper wallets. Imagine if you can encrypt the private key offline, before you use it and when you go online to import it.. then it quickly decrypt it before you import it. (It does not give the hacker the time to capture and use it, before you use it)  

Many people have malware / Clipboard hacks etc... that collect private keys, when you paste it in text ... and if the hacker is fast enough, he or she can exploit that.... but if the private key are encrypted "offline" and then decrypted just before you use it online to import, it will help you to prevent that exploit.

Good luck with "Crosspass"... once you can get the source code independently verified and you received a "green" light for the trust aspect, then things will change for you.  

The problem is that people do not want to use the encryption. And they also do not need to share passwords, encryption keys and banking info. In the market you can sale only if you have customers.

I can make it that if the device does not pass the Play Integrity check, the server will request a CAPTCHA. However, the sender's device still needs to receive Push Notifications and to be online. For an emulator on a desktop this will not be reliable since people shut off their laptops, or laptops go to sleep.

My idea for desktop use of Crosspass is to make a Blitz mode. The whole exchange must take within a few minutes and both the sender and recipient need to be online at the same time.  This will remove the need for Push Notifications and allow to anonymize both sides via VPN.  The same kind of Blitz mode can be made on the phone too. (It is possible to hold an open socket for a brief time, without relying on Push notifications.)

Although the number is very small, people who use custom Android ROM is likely unable to pass such check.

The Crosspass app requires a real device, not an emulator. Here is an excerpt from the white paper that explains the reason,

Am I getting any special reward for catching the first bug?
I already replied to message you sent me, so you know situation about no-code review, but I will try to test Crosspass app again on different device when I have more free time.
Cheers.

Crosspass discussed on Reddit:

https://www.reddit.com/r/crypto/comments/16fntuc/crosspass_a_mobile_app_to_exchange_passwords_and/

Re bugs, I have now hired a QA. Hopefully we will reproduce this bug and will catch new bugs before users do.  I plan to release an update by Oct 15.

I am glad I was the first one to publicly find a bug without actually doing a code review  

Maybe, but result is that app is currently not usable for me.
Security implications is secondary if you don't have any usability.

Please note that Apple is using the same 4 digit code system to end-to-end encrypt your iCloud data, when it is synched with your phone. It is not using OPAQUE, it is using Secure Remote Password (SRP) protocol which is conceptually just like OPAQUE but has an extra leg of communication and does not have a security proof. I could have used SRP too, but I chose to use the newer OPAQUE which is still in an RFC draft, now in 11th iteration.

See page 35,36 of this document, which describes Apple security in 2014:
https://www.apple.com/mx/privacy/docs/iOS_Security_Guide_Oct_2014.pdf


- Crosspass is still Beta.
- The iOS version is more stable than the Android version.  
- We are working on the bug found by @dkbit98 to improve error message, so that we can see what actually happened (I suspect it was related to app permissions).
- Known bugs are likely UI only and have no security implications. The protocol encryption itself is implemented in Go and is plugged into both iOS and Android apps as a library.  Doing it this way allows to test the encryption by unit tests, offline and outside the app.

Here's a list of public dependencies from go.mod:

For testing purposes I installed Crosspass app and I was contacted by frisco2 for testing.
He sent me codes but I could not receive anything and all I got was some error message, that was later confirmed by developer.
I wanted to hire my developer friend for doing a review of Crosspass, but he is not so good with Swift and Kotlin.

One thing I know that Crosspass has bugs currently:

what your application offers is actually simple, namely offering an easy and secure way to share passwords, but in line with what other users have said, most people are more interested in using popular applications such as protonmail or whatsapp which use an encryption system and have trusted for a long time to send their sensitive texts.

moreover, the id system that you use is actually not very convincing for people because someone could guess a random id and log into someone's account (even if the attempt fails up to 3 times, this is still vulnerable) and this application is paid which for some people is quite annoying .

but even so, what you build needs to be appreciated. starting from the design, whitepaper, and faq, you explained it well. maybe if you improve the quality of the system there will be more people who trust to use your application.

If you want an open source tool, then you can use this free Diffie-Hellman exchange tool I made three years ago. It is a webpage that can be run locally as `file://`,  thereby protecting from Javascript backdoors. Simply use "Save As (Webpage, Complete)" in the browser and save it. It's designed to be run locally.  The code is simple to review fully, since it merely wraps browser's native libraries.

https://borisreitman.com/privacy.html

I have made Crosspass because as simple as that tool is, it is still too difficult for non-techies.

I am going to agree with LoyceV that there are too many potential issues to consider using it.

Most notably the fact that it is a black box for the user what happens under the hood. Too much trust required. For me to ever consider something like this, it would have to be open source.

If I wanted to share private information, I would likely use OnionShare which is open source and rather easy to use.

Your service does seem simple to use. The requirement to download an app is slightly annoying. Having the secret expire after 3 incorrect attempts seems like enough for sharing secrets that are not super sensitive. Expiring the secret after it has been viewed is another good thing. Setting asides problems that I have with it personally, someone might find it useful although I would still warn anyone to trust their secrets with a third-party.

By "public" I meant an insecure channel, i.e. a private exchange which someone determined enough could eavesdrop on. However, I am not suggesting tweeting the lookup ID on Twitter. If it were tweeted, then some jerk could try to access it with 3 invalid PINs and lock the note.

The Crosspass server knows the lookup ID, since it issued it. From the cryptographic theoretical perspective it is not private because there is at least one third party which knows it.

LoyceV, thank you for raising this. I now have updated the website with a clearer explanation to the question "Do I need to send the PIN by another channel?"  This is the new copy,

That's different than what you said on your website:
This makes it look like you can post the Lookup ID on social media, while it's something to be kept a secret.