wifikeyboard
wifikeyboard copied to clipboard
IvanVolosyuk
Some kind of protection
Using it on Nexus One, froyo 2.2 - i'd very apreciate this app, but I'd like to
point out that portscanning a network for port "7777" would make possible for
virtually anyone to operate your android smartphone.
Would it be possible to add a password request (or at least custom port
number)? Both will be nice.
Thank you very much.
Original issue reported on code.google.com by qualsiasi on 25 Aug 2010 at 6:29
Yup, I would also really like password protection.
Combine that with HTTPS, and it's perfect!
Original comment by [email protected] on 13 Oct 2010 at 4:28
I can add password protection, just need to figure out how the interface should
look like. As for HTTPS - it is not possible, as I can't get trust SSL
certificate for arbitrary ip, thus it will void all the ssl protection. And
without HTTPS it is easy to use sniffers to hijack the session and intercept
submitted key events. Though user will see that the session is hijacked.
Original comment by Ivan.Volosyuk on 28 Nov 2010 at 5:32
- Changed state: Accepted
Another potential solution for encrypted communication: Add RSA & AES js libs
to encrypt everything. There exists js libraries for crypto. Regarding MITM
attacks - there are a Firefox addon intended for this, you enter the correct
hash for a site's js code in advance, and then it checks if it's altered or
not. If it's altered, the browser addon alerts.
You would need to generate RSA key pairs and js hash (local public RSA key will
be static in the js) on the phone.
Original comment by [email protected] on 14 Dec 2010 at 6:32
How about this at least a bit more secure possibility: the first browser
session with the phone keeps the session, no other browser can interfere.
So the first browser session is initiated by the correct user, as HE has to
start the wifikeyboard and use it.
If he closes the browser, he should close the wifikeyboard too, restarting it
when needed.
At the moment I can overtake the session with another browser, what could be
done by everyone and what is really unsecure.
You just give the first and only allowed browser a session key, without this no
actions. This can easily be sniffed, but it would be much more safe than at the
moment. Most people wouldn't know how to sniff and insert such a session key.
What do you think?
Original comment by [email protected] on 11 Nov 2011 at 12:52
@Franc Walter: My idea about asymmetric encryption with RSA would solve just
that and completely prevent MiTMs even on an open WiFi.
The JS in the browser generates a fresh keypair for every session, calculates
the hash of the public key, generates a Qr code, and then you scan that Qr code
with the phone. If the scanned hash matches the one that's connecting over the
network, it's accepted.
All other connection attempts will fail since they don't have the corresponding
private key for *your* session key and can't intercept your Qr code.
The big problem here is if they MiTM you on an open WiFI *before* connecting,
then they can mess with the JS. Again, an addon could solve this issue to make
sure that the JS the browser receives haven't been modified.
Hmm... I can't find that old addon now...
Original comment by [email protected] on 11 Nov 2011 at 1:57
Addon is too complex, in this case self-signed SSL key can be a bit easier. I
can probably implement the session key to avoid basic session hijacking.
Original comment by Ivan.Volosyuk on 12 Nov 2011 at 9:00
Ok, I made pretty simple session protection, using session id. Still no
encryption. Here is the updated apk file if you want to try. If it works fine
for you, I'll upload it to the android market.
Original comment by [email protected] on 12 Nov 2011 at 11:44
Attachments:
The session ID protection works, thank you! Please consider rolling that out to
the market.
However, I'm still very much interested in simple HTTPauth or some other form
of user/password. Encryption is a great idea, but user/pass would still need to
be implemented and I'd like to see that first.
Original comment by [email protected] on 16 Apr 2012 at 9:44
I spoke too soon. With the session ID protection and Firefox 11, the session ID
seems to drop after just a few minutes. I have to regularly reset the session.
Again, I'd be very happy with HTTPauth user/pass.
Original comment by [email protected] on 16 Apr 2012 at 9:57
One of my users uses SSH tunnelling for extra security. Using an which provides
an ssh server, such as QuickSSHd it is possible to forward a port from phone to
computer:
ssh phone_address -L 7777:localhost:7777
After that open browser on computer:
http::/localhost:7777
Two things missing is: ability to disallow connections to WiFiKeyboard from
external IPs, using fixed port. I can do that.
Let me know if the solution seems appropriate to you guys.
Original comment by [email protected] on 5 Jul 2012 at 5:23
As the anonymous user referenced in post #11, I just want to caution that the
SSH solution alone does not provide any added security since the WiFi keyboard
is still available unencrypted on the external IP port.
To achieve security one either needs to add a firewall to the Droid to prevent
access from external IPs or ideally the developer will add an option to the app
to block access from external IPs (which would be my preferred solution).
Another feature request I have would be to allow the user to choose a fixed IP
port since currently the app seems to first look on port 7777 and if that is
not free then it goes to 1111. It might be nice to allow the user to select an
arbitrary fixed port so that one can always rely on the app listening on that
port.
Original comment by [email protected] on 15 Jul 2012 at 1:48
first of all, i LOVE this app! But i also miss the password option.. I always
have my phone in a dock during my workday, using your app to use
whatsapp/sms/etc. As it's on wifi, everyone in my office can type to it, if
they know the ip+port.
A random generated password (like bluetooth pairing or android hotspot) will
suffice!
Besides that, great app! love it! thanks so much :D (especially the fact that
it's web-based, as i work on different operating systems all the time ;))
Original comment by [email protected] on 10 May 2013 at 7:32
To add to this, what I found useful about the security of "signals" a secure instant messenger/VOIP, was the passphrase. During a VOIP call both phone during an active secure session would display a common pass phrase after a successful key exchange. So if you kept in a keyboard stub like in Remote Keyboard app, you could display a passphrase that must match the passphrase on the remote keyboard webpage.
So assuming that the javascript in your html page you received is not compromised, a matching passphrase indicates that you can trust what you type is secure. (If you are paranoid of malicious javascript, one way to deal with it, would be to have a browser addons that fingerprints the page and displays the current fingerprint)
- https://github.com/onyxbits/remotekeyboard
JavaScript can be compromised. The secure way would be ssh port forwarding. From my side it should be an option to listen on local connections only.
On Tue, Apr 19, 2016, 1:51 AM mofosyne [email protected] wrote:
To add to this, what I found useful about the security of "signals" a secure instant messenger/VOIP, was the passphrase. During a VOIP call both phone during an active secure session would display a common pass phrase after a successful key exchange. So if you kept in a keyboard stub like in Remote Keyboard app, you could display a passphrase that must match the passphrase on the remote keyboard webpage.
So assuming that the javascript in your html page you received is not compromised, a matching passphrase indicates that you can trust what you type is secure.
- https://github.com/onyxbits/remotekeyboard
— You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub https://github.com/IvanVolosyuk/wifikeyboard/issues/17#issuecomment-211441645
Good point. I do find setting up ssh to be more involved if you never regularly use the terminal. If possible I would certainly prefer a "https" option via self-signed cert, but otherwise I wouldn't mind if there is a tutorial on the app on how to setup ssh if you don't know what you are doing (e.g. A help button). (Perhaps there is a way to autoconfig a ssh server on android from the app itself as well)
This is for really advanced users. One user sorted this all out himself and asked me to add an option to use only local connections. I just made a custom version of WiFi Keyboard for him, because normal user will never do that. Https version would be secure, except it doesn't work with IP addresses without host names.
On Tue, Apr 19, 2016 at 2:14 PM mofosyne [email protected] wrote:
Good point. I do find setting up ssh to be more involved if you never regularly use the terminal. If possible I would certainly prefer a "https" option, but otherwise I wouldn't mind if there is a tutorial on the app on how to setup ssh if you don't know what you are doing (e.g. A help button). (Perhaps there is a way to autoconfig a ssh server on android from the app itself as well)
— You are receiving this because you commented.
Reply to this email directly or view it on GitHub https://github.com/IvanVolosyuk/wifikeyboard/issues/17#issuecomment-211722422
I just made a custom version of WiFi Keyboard for him, because normal user will never do that.
Do you still have this version? I'm very interested in being able to bind to localhost.
As an aside, Termux has two SSH implementations (dropbear and openssh) and an openssl-tool package. People that want to use password based auth could use ssh with a sshd_config file containing PasswordAuthentication yes, while people that want keys/certs could follow one of the countless tutorials available online.
