Source code

[Morphlin]

Hi,
I've been using the app with a test ID and I now feel that it's ready for the creation of the actual ID I will be using in the future. Before I do so, I'd like to take a look at the source code and also know that it's available for review by people that know crypto.
Is it available on github or somewhere similar?

Thanks!

 

[kalaspuffar]

Hi Morphlin.

Yes, everything is available on Github.
Go ahead and check out the source code there.

If you have any questions please ask and I'll try to answer them. The project is open for all to translate, discuss or contribute if you like.

Best regards
Daniel

 

[PHolder]

Before I do so, I'd like to take a look at the source code and also know that it's available for review by people that know crypto.

It's a great idea to think this way, except it only matters if you're planning to install the app after YOU compile it from source... otherwise you're trusting that the source you see is what was used to create the app you install. I don't think Daniel is scamming anyone... but I just want to make sure you understand that you gain nothing but a false sense of security unless you build the source on your own. Also, odds are pretty good that Daniel is using someone else's crypto code, so even he is trusting someone else.

 

[Morphlin]

Very interesting! Thanks

 

[kalaspuffar]

Also, odds are pretty good that Daniel is using someone else's crypto code, so even he is trusting someone else.

Great point Paul.

When it comes to crypto I'm using built in functions of Android, libsodium and a piece of c++ code from Steve Gibson for aesgcm for older devices. Android Oreo and later have aesgcm built in.

I've built helper functions that encrypt multiple times and does encryption for a set amount of time. Also implemented my own Base56 functions none of them are pure crypto but if you want to check them out look at EncryptionUtils.java

Best regards
Daniel

 

[shanedk]

What the Signal people do is publish the compiler settings etc. that you'd need to do to make a standard build. You then build it that way, and make a hash of the resulting binary. It should match the distributed binary. And if enough people check that independently you can be pretty sure nothing nefarious is going on.

 

[kalaspuffar]

What the Signal people do is publish the compiler settings etc. that you'd need to do to make a standard build. You then build it that way, and make a hash of the resulting binary. It should match the distributed binary. And if enough people check that independently you can be pretty sure nothing nefarious is going on.

Hi Shane

I'm not sure if it's a problem but all builds I do is signed by my private key which can't be replicated by anyone else. So you need to actually check specific parts individually. And each part is also signed separately. So that might be a hard thing to check.

The people at F-droid build the APK and shares their settings so that might be a way to go if you want to verify?

Another way is to get to know me
People who know me know that I have enough background in the security that I really look for nefarious things and try to keep my build as secure as possible. People here trust Steve so maybe you will trust me as well in time...

Best regards
Daniel

 

[PHolder]

make a standard build

Yes, repeatable builds are a great ideal, but they can be very hard to actually achieve. You need the exact same versions of ALL the tools. (The compiler, the standard library, the linker, etc.) At a former (now defunct) employer we had to do this so we could always build patches for old software in the field. It was very time consuming... so much so we had a multiple person build team who spent time making sure it worked and stayed working.

 

[sengsational]

Up until a few weeks ago, I didn't know anything about SQRL except what I heard on SN. I'm a hobbyist Android developer and was able to get the code from Daniel's repository, pull it into Android Studio, and run the result on my device. I'm no crypto guru, but I did see what Daniel was talking about above (the sodium stuff and the jni stuff in c++). I made a cursory check for hanky-panky and of course found nothing suspicious.