
Wifi Skeleton Key has 270M active users, now valued at $1B - malditojavi
https://www.techinasia.com/chinese-app-stealing-free-wifi-270m-monthly-active-users-worth-1b/
======
timdorr

        The app also crowdsources login credentials, so when one user logs into a 
        hotspot, his or her credentials are added to the database so that everyone 
        else on the app can also use that hotspot. Users cannot actually view these 
        credentials so as to protect user data.
    

Holy shit, that sounds insecure.

~~~
SCHiM
As a small-time reverser I can tell you, even without having heard of this
program before now, that it is insecure.

The rule of thumb: If it runs on the client's device or if the client can read
it then it can be cracked, inspected, seen, analyzed and decoded. There is
nothing you can do to protect code/data you send to the client's device (for
long).

~~~
StavrosK
The client isn't the problem, since you could push custom code to read the
wifi key yourself. The problem is that the server will have everyone's Wifi
keys.

~~~
ProblemFactory
The problem isn't in reading, but using the wifi key. The app promises to keep
the wifi keys secret from other users:

> "... credentials are added to the database so that everyone else on the app
> can also use that hotspot. Users cannot actually view these credentials so
> as to protect user data."

But if a client app can download the wifi key from the server and use it to
log in, then a _modified_ client app could also download all wifi keys and
show them to the user.

There is no practical way for the server to distinguish the original client
app from a modified one as long as the user is in control of the hardware and
OS it runs on.

~~~
StavrosK
Oh, I see what you mean now, I thought they meant secret on the server. Yeah,
obviously they can be read if they go to the device, and verroq on the other
thread looks like he found out how to decrypt the keys in the local cache.

------
Hello71
> Wifi Skeleton Key responded in February, calling the rumors slander and
> stating that the company collaborated with Baidu on a number of security
> measures.

ohh, this baidu [https://citizenlab.org/2015/04/chinas-great-
cannon/](https://citizenlab.org/2015/04/chinas-great-cannon/)

edit: > Users cannot actually view these credentials so as to protect user
data.

this is technically impossible; you need the creds on the device so you can
pass authentication; that's the whole point of... _any auth protocol_. while
you could in theory have a remote oracle that signs/encrypts packets without
giving the device the key, I don't think WPA-PSK allows this without sending
the entire packet. along those lines, if you can send off the packet to be
encrypted for wifi, then you can just do the whole connection over that.

------
est
1\. The company's stats backend was pwnd
[http://www.wooyun.org/bugs/wooyun-2015-099350](http://www.wooyun.org/bugs/wooyun-2015-099350)
It has far less MAU than 270M. In fact it has only less than 10k DAU.

2\. The way it works is by uploading everything under
/data/misc/wifi/wpa_supplicant.conf to its server. See analysis here
[http://www.zhihu.com/question/23865652](http://www.zhihu.com/question/23865652)

3\. It's totally scamware & spyware.

------
rmason
Assuming this thing runs in the background on your device. What if it captures
your login to your company's wifi? Are hackers going to use it to access
corporate networks? Is there a way to opt out for certain networks that you
access?

~~~
dmix
If your corporate networks security is dependent on wifi passwords remaining
confidential you're doing it wrong.

Password re-use by employees who use this app is the real risk IMO.

------
empressplay
1) Set up "secure" hotspot in high-traffic area that hoovers everyone's data,
attempts to hack any file shares, etc.

2) Put credentials in Wifi Skeleton Key.

3) ...

4) Profit!

~~~
Dylan16807
You shouldn't be trusting hotspots anyway. No real change from the status quo.

------
lagadu
All Windows Phones already come with this: it's called Wifi Sense. Technically
it only shares logins with your outlook contacts but in the end it's
effectively the same, except Microsoft-Sponsored.

edit: I guess it's only secure until someone jailbreaks WP8.1

------
jorgecastillo
I think a WiFi sharing social network would be awesome and if it was
integrated with Facebook it would be even better. Obviously you can't trust
your WiFi to everyone but it's something you already do with friends and
family so why not make it as smooth as possible.

I imagine it would be something like this:

The server will not store the key for long, some minutes max and transmission
of any data will be encrypted. The owner of the WiFi hot spot will have to
approve every request to share his key (individually or all at once). Then the
key of the WiFi hot spot will be sent to those that requested it, after that
it will be deleted from the server, it won't even get out of the RAM. The
people that request the key will be able to do so with just the push of a
button (in the ideal case). All this exchange of data, might happen through 3G
so it will be as compact as possible (no adds if on 3G, etc).

If in the same physical space this all will be done locally without sending
anything to the server. A smartphone app (at most a few megabytes) will be at
the center of this. There will also be a desktop client, that allows you to
connect less easily but still better than typing. Connect your smartphone to
the computer push a button (depending on setting even without this) and
connect to the desired WiFi hot spot.

I am one of those persons that feels that everything is invented, but this is
something that I feel is lacking.

~~~
reubenbond
Windows (Phone) has this feature called "Wi-Fi Sense". It shares wifi
passwords with your Facebook/Skype/etc friends. I've never used it to share
with other people, because not many people have Windows Phone, but it's nice
that it syncs passwords between my own stuff.

Looks like this: [http://imgur.com/ShQvqAU](http://imgur.com/ShQvqAU)

------
bsder
Proof, yet again, that end users give zero shits about security.

Just give me my free stuff!

~~~
olefoo
More along the lines of that joke about "wifi" being added at the bottom of
Maslow's hierarchy. [0]

The sooner we stop this nonsense about access to the network being restricted
geographically by anything other than a complete lack of infrastructure the
better off we'll all be.

People won't want to do stupid things like layering a separate network onto
their customers access points ( hi xfinity ) or having open networks ( too
many small businesses ) or having wifi passwords on a sign by the barista (
please tip the barista ).

0\. [http://www.daisydowntown.com/blog/2014/2/19/maslows-
hierarch...](http://www.daisydowntown.com/blog/2014/2/19/maslows-hierarchy-of-
needs-in-the-digital-age)

------
pfisch
Why are people investing in this? Everything about it sounds illegal.

~~~
tlianza
You think this is illegal in China? I can't think of anything the government
would approve of more than a giant database of creds at their disposal...

~~~
hiamnew
Are you talking about the Chinese or the US government here?

~~~
joosters
Doesn't Google already have this information? Android certainly used to 'sync'
your WIFI passwords with Google, in a format that they could decrypt.

~~~
StavrosK
It does indeed.

------
CountSessine
Why would anyone be dumb enough to invest in this? Even assuming that it isn't
shut down by authorities and even assuming that they can stay in the app store
when they're so obviously a spammy spyware app, China Mobile controls their
oxygen supply. All they have to do is start messing with their radius servers
to make life difficult for password sharers. Why would anyone invest in a
company that can by shut down by another company on a whim?

------
aselzer
> so when one user logs into a hotspot, his or her credentials are added to
> the database so that everyone else on the app can also use that hotspot

Can it do this without root privileges on Android? Or does it ask the user to
enter the password for the hotspot?

------
neil_s
Security issues aside, how is this an investable business? How is it going to
generate 10x+ returns legally?

------
grizzles
Wow, I have an app that also does this on Google Play. Maybe I should rebrand
it and try again...

~~~
gcb0
do yours save me from typing my name and room in a hotel? that one seems to
also do that.

not that it's something I'd like (as I assume when i type it it goes to their
servers so the next person doesn't) but that's what makes it tick from the
article

~~~
grizzles
Yes. It sounds like that was the linchpin. It was an indie app so we didn't
have much of a marketing budget other than producing a basic video. Nice
execution. Hats off to them.

------
gasping
This app just facilitates short-sighted abuse of commercial infrastructure
while opening clients up to a massive security vulnerability. Doesn't surprise
me one bit that this comes from China. They have a culture of extreme self-
interest with complete disregard of the implications against other people or
even themselves long term.

~~~
prawn
This sounds like 90% of the world. Not just China.

------
henryl
For a similar US company that is more focused on the B2B side, check out
Devicescape.

------
anacrolix
If everyone has Skeleton Key, no-one has Skeleton Key.

