Let's talk about xPal, which purports to be an encrypted messaging app.
-
https://xpal.com
Anyone that reads my blog probably already knows where this is going.
If this post accidentally reaches escape velocity and people that don't know me find it: Hi, I'm a furry cryptography nerd. Usually when I talk about so-called private apps, it's to disclose vulnerabilities in them.
(Today, I just don't have the damn energy to do a formal write-up.)
Let's start with how they market their app.
-
So, right off the bat: "Military-Grade AES-256 Encryption" is a red flag. Nobody in the privacy or security space sees "military-grade" as a good thing.
If you scroll through their feature list, you'll notice a few things:
- It's not open source.
- Decoy PINs that expose a second, innocuous profile
- Optional feature: Entering your PIN backwards nukes your account
- An unhealthy emphasis on message erasure, including on other people's devices
This sounds very familiar, doesn't it?
This is basically a clone of EncroChat!
-
Earlier, when I thought I had enough motivation to blog about it, I decided to reverse engineer their APK.
It turns out, there's no actual cryptography code in the .dex files. (p5 and t5 only contained file extension metadata.)
There's a lot of React code, though.
-
Since it's all React.JS, I did the lazy thing: Looked in the assets directory for JavaScript files.
Success: assets/threads/Threads/encrypt.bundle and assets/threads/Threads/decrypt.bundle.
Unfortunately, this is just crypto-browserify and some other React libraries webpacked together.
It's full of side-channels and it's not clear which components are relevant.
Like, their ghash implementation (used by AES-GCM, which their decrypter uses) uses the && operation after comparing each bit of the state against 0, which short-circuits the right-hand side. This introduces a timing side-channel that loudly exposes the entire GHASH state at any given point of time.
They also implemented AES with S-boxes in pure JavaScript (no bitslicing), which adds a cache-timing leak. Yay.
Their PKCS7 padding removal step for AES-CBC (which appears to be used for key-wrapping) also maximizes the timing leakage.
Suffice to say, the only cryptographic primitives I can find in their app are not recommended.
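To make the GHASH point concrete, here is an added example (my own code, not anything from the xPal bundle or from crypto-browserify): the GF(2^128) multiplication that GHASH is built on, once in the branchy form the post describes, where the XOR and the reduction only execute when a secret bit is set, and once with those branches turned into masks, both checked against the GCM specification's test vectors. It assumes the usual four-word big-endian representation, and the masked version is best effort only, since a JavaScript JIT makes no constant-time promise.

```javascript
// GF(2^128) multiplication for GHASH in GCM bit order: x_0 is the MSB of byte 0,
// LSB(V) is the low bit of byte 15. Blocks are Uint8Array(16), handled as four
// big-endian 32-bit words. Added example; neither xPal's nor crypto-browserify's code.
const R_HIGH = 0xe1000000; // R = 0xe1 || 0^120, only the top word is non-zero
function toWords(b) {
  const w = new Uint32Array(4);
  for (let i = 0; i < 4; i++) w[i] = ((b[4 * i] << 24) | (b[4 * i + 1] << 16) | (b[4 * i + 2] << 8) | b[4 * i + 3]) >>> 0;
  return w;
}
function toBytes(w) {
  const b = new Uint8Array(16);
  for (let i = 0; i < 16; i++) b[i] = (w[i >> 2] >>> (24 - 8 * (i & 3))) & 0xff;
  return b;
}
const bit = (w, i) => (w[i >>> 5] >>> (31 - (i & 31))) & 1; // x_i in GCM order
function shiftRight1(v) { // V = V >> 1 in GCM order (toward higher bit indices)
  for (let j = 3; j > 0; j--) v[j] = ((v[j] >>> 1) | ((v[j - 1] & 1) << 31)) >>> 0;
  v[0] >>>= 1;
}
// The pattern the post describes: the XOR and the reduction run only when a
// secret bit is set, so the loop's timing reveals the state bit by bit.
function gfmulBranchy(x, y) {
  const xw = toWords(x), v = toWords(y), z = new Uint32Array(4);
  for (let i = 0; i < 128; i++) {
    if (bit(xw, i)) for (let j = 0; j < 4; j++) z[j] ^= v[j];
    const lsb = v[3] & 1;
    shiftRight1(v);
    if (lsb) v[0] ^= R_HIGH;
  }
  return toBytes(z);
}
// Same algorithm with masks instead of secret-dependent branches (best effort in JS).
function gfmulMasked(x, y) {
  const xw = toWords(x), v = toWords(y), z = new Uint32Array(4);
  for (let i = 0; i < 128; i++) {
    const m = -bit(xw, i) >>> 0;      // 0xffffffff when x_i = 1, else 0
    for (let j = 0; j < 4; j++) z[j] ^= v[j] & m;
    const r = -(v[3] & 1) >>> 0;      // 0xffffffff when LSB(V) = 1, else 0
    shiftRight1(v);
    v[0] ^= R_HIGH & r;
  }
  return toBytes(z);
}
// GHASH_H over whole 16-byte blocks: Y_i = (Y_{i-1} xor B_i) * H.
function ghash(h, data, mul = gfmulMasked) {
  let y = new Uint8Array(16);
  for (let off = 0; off < data.length; off += 16) y = mul(y.map((b, j) => b ^ data[off + j]), h);
  return y;
}
const hex = (b) => Array.from(b, (x) => x.toString(16).padStart(2, '0')).join('');
const unhex = (s) => Uint8Array.from(s.match(/../g), (x) => parseInt(x, 16));
```

The check values below are H, the ciphertext block and the GHASH output from GCM test case 2 (all-zero key, IV and plaintext); both multiplications must agree on every input, and only the masked one keeps the loop's control flow independent of the state.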
-
None of this is particularly interesting. Lots of people ship god awful cryptography.
The really interesting thing is how they try to market this pile of shit.
-
Their vaunted "cyber security audit" from Dekra is just a checklist exercise against the OWASP Top 10.
-
I'm not going to bother digging further to see how keys are managed.
For all I know, the cipher mode is smoke and mirrors and everyone is using the same hard-coded AES key somewhere to encrypt their chats.
Don't use xPal.
When you consider how it's marketed, the features they emphasize, the fact that it's not open source, and the low quality review they're trying to pass off as an "audit", this thing is either a textbook example of developer hubris or it's another law enforcement sting operation.
-
One last thing, which is kind of funny: They also claim to be "patented".
Google Patent Search doesn't yield any results for them, and they don't list any patent numbers.
I don't think they know what the word "patented" even means.
-
Bonus: When I was originally going to blog about this (before I decided it just isn't interesting enough to document on my blog forever), I did create a header image.
Enjoy.
-