Open GoogleCodeExporter opened 9 years ago
second that
Original comment by stavh...@gmail.com
on 4 Oct 2010 at 12:24
Yup, I would also really like password protection.
Combine that with HTTPS, and it's perfect!
Original comment by natanae...@gmail.com
on 13 Oct 2010 at 4:28
I can add password protection, just need to figure out what the interface should
look like. As for HTTPS - it is not possible, as I can't get a trusted SSL
certificate for an arbitrary IP, thus it will void all the SSL protection. And
without HTTPS it is easy to use sniffers to hijack the session and intercept
submitted key events. Though the user will see that the session is hijacked.
Original comment by Ivan.Volosyuk
on 28 Nov 2010 at 5:32
Another potential solution for encrypted communication: Add RSA & AES JS libs
to encrypt everything. There exist JS libraries for crypto. Regarding MITM
attacks - there is a Firefox addon intended for this, you enter the correct
hash for a site's JS code in advance, and then it checks if it's altered or
not. If it's altered, the browser addon alerts.
You would need to generate RSA key pairs and JS hash (local public RSA key will
be static in the JS) on the phone.
Original comment by natanae...@gmail.com
on 14 Dec 2010 at 6:32
How about this possibility, which is at least a bit more secure: the first browser
session with the phone keeps the session, no other browser can interfere.
So the first browser session is initiated by the correct user, as HE has to
start the wifikeyboard and use it.
If he closes the browser, he should close the wifikeyboard too, restarting it
when needed.
At the moment I can take over the session with another browser, which could be
done by anyone and which is really insecure.
You just give the first and only allowed browser a session key, without this no
actions. This can easily be sniffed, but it would be much safer than at the
moment. Most people wouldn't know how to sniff and insert such a session key.
What do you think?
Original comment by francwal...@gmail.com
on 11 Nov 2011 at 12:52
@Franc Walter: My idea about asymmetric encryption with RSA would solve just
that and completely prevent MiTMs even on an open WiFi.
The JS in the browser generates a fresh keypair for every session, calculates
the hash of the public key, generates a QR code, and then you scan that QR code
with the phone. If the scanned hash matches the one that's connecting over the
network, it's accepted.
All other connection attempts will fail since they don't have the corresponding
private key for *your* session key and can't intercept your QR code.
The big problem here is if they MiTM you on an open WiFi *before* connecting,
then they can mess with the JS. Again, an addon could solve this issue to make
sure that the JS the browser receives hasn't been modified.
Hmm... I can't find that old addon now...
Original comment by natanae...@gmail.com
on 11 Nov 2011 at 1:57
An addon is too complex; in this case a self-signed SSL key can be a bit easier. I
can probably implement the session key to avoid basic session hijacking.
Original comment by Ivan.Volosyuk
on 12 Nov 2011 at 9:00
Ok, I made pretty simple session protection, using session id. Still no
encryption. Here is the updated apk file if you want to try. If it works fine
for you, I'll upload it to the android market.
Original comment by v...@google.com
on 12 Nov 2011 at 11:44
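The "first browser keeps the session" scheme proposed and then implemented in the comments above, sketched as an added example; it is not WiFi Keyboard's code, and the `SessionGate` class and its method names are hypothetical. It also shows the limit the thread points out: without encryption, a token observed on the network is accepted like the original.

```python
import hmac
import secrets


class SessionGate:
    """Pins the keyboard to the first browser that connects (hypothetical)."""

    def __init__(self):
        self._token = None  # no browser has claimed the session yet

    def claim(self):
        """Return a fresh token to the first caller and None to later ones."""
        if self._token is not None:
            return None
        self._token = secrets.token_urlsafe(32)
        return self._token

    def authorize(self, presented):
        """Accept a key event only if it carries the pinned token."""
        if self._token is None or not presented:
            return False
        # Constant-time comparison, so timing does not leak the token
        return hmac.compare_digest(self._token.encode(), presented.encode())

    def reset(self):
        """The user restarted the keyboard on the phone: forget the session."""
        self._token = None


def demo():
    gate = SessionGate()
    first = gate.claim()   # the user's own browser
    second = gate.claim()  # any later browser on the same network
    return {
        "first_got_token": first is not None,
        "second_got_token": second is not None,
        "first_event_ok": gate.authorize(first),
        "guessed_event_ok": gate.authorize(secrets.token_urlsafe(32)),
        "missing_token_ok": gate.authorize(""),
        # Over plain HTTP a captured token is the same bytes, so it passes
        "replayed_token_ok": gate.authorize(str(first)),
    }


if __name__ == "__main__":
    print(demo())
```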
The session ID protection works, thank you! Please consider rolling that out to
the market.
However, I'm still very much interested in simple HTTPauth or some other form
of user/password. Encryption is a great idea, but user/pass would still need to
be implemented and I'd like to see that first.
Original comment by TylerTol...@gmail.com
on 16 Apr 2012 at 9:44
I spoke too soon. With the session ID protection and Firefox 11, the session ID
seems to drop after just a few minutes. I have to regularly reset the session.
Again, I'd be very happy with HTTPauth user/pass.
Original comment by TylerTol...@gmail.com
on 16 Apr 2012 at 9:57
One of my users uses SSH tunnelling for extra security. Using an app which provides
an SSH server, such as QuickSSHd, it is possible to forward a port from phone to
computer:
ssh phone_address -L 7777:localhost:7777
After that open browser on computer:
http://localhost:7777
Two things are missing: the ability to disallow connections to WiFiKeyboard from
external IPs, and using a fixed port. I can do that.
Let me know if the solution seems appropriate to you guys.
Original comment by v...@google.com
on 5 Jul 2012 at 5:23
As the anonymous user referenced in post #11, I just want to caution that the
SSH solution alone does not provide any added security since the WiFi keyboard
is still available unencrypted on the external IP port.
To achieve security one either needs to add a firewall to the Droid to prevent
access from external IPs or ideally the developer will add an option to the app
to block access from external IPs (which would be my preferred solution).
Another feature request I have would be to allow the user to choose a fixed IP
port since currently the app seems to first look on port 7777 and if that is
not free then it goes to 1111. It might be nice to allow the user to select an
arbitrary fixed port so that one can always rely on the app listening on that
port.
Original comment by kosows...@gmail.com
on 15 Jul 2012 at 1:48
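What "block access from external IPs" means for a listener used behind the SSH tunnel, as an added example; it is not the app's code, and the function names are hypothetical. Binding to 127.0.0.1 keeps the port off the WiFi interface, and the peer check is a second guard that also handles the `::ffff:a.b.c.d` form a dual-stack socket reports.

```python
import ipaddress
import socket


def is_loopback_peer(peer_ip):
    """True only for 127.0.0.0/8, ::1 and IPv4-mapped loopback addresses."""
    try:
        addr = ipaddress.ip_address(peer_ip.split("%")[0])  # drop IPv6 zone id
    except ValueError:
        return False
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # unwrap ::ffff:a.b.c.d before testing
    return addr.is_loopback


def open_listener(port=0, local_only=True):
    """Bind the keyboard port; local_only=True keeps it off external IPs."""
    host = "127.0.0.1" if local_only else "0.0.0.0"
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def accept_local(srv):
    """Accept one connection and drop it unless the peer is loopback."""
    conn, (peer_ip, _peer_port) = srv.accept()
    if not is_loopback_peer(peer_ip):
        conn.close()
        return None
    return conn


def demo():
    """With the tunnel, sshd on the phone connects from 127.0.0.1."""
    srv = open_listener()  # port 0: the OS picks a free port for the demo
    srv.settimeout(2)
    bound_ip, port = srv.getsockname()
    client = socket.create_connection(("127.0.0.1", port), timeout=2)
    conn = accept_local(srv)
    accepted = conn is not None
    for s in (client, conn, srv):
        if s is not None:
            s.close()
    return bound_ip, accepted


if __name__ == "__main__":
    print(demo())
```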
First of all, I LOVE this app! But I also miss the password option.. I always
have my phone in a dock during my workday, using your app to use
whatsapp/sms/etc. As it's on wifi, everyone in my office can type to it, if
they know the ip+port.
A randomly generated password (like bluetooth pairing or android hotspot) will
suffice!
Besides that, great app! Love it! Thanks so much :D (especially the fact that
it's web-based, as I work on different operating systems all the time ;))
Original comment by sanderst...@gmail.com
on 10 May 2013 at 7:32
To add to this, what I found useful about the security of "signals", a secure instant messenger/VOIP, was the passphrase. During a VOIP call both phones during an active secure session would display a common pass phrase after a successful key exchange. So if you kept in a keyboard stub like in Remote Keyboard app, you could display a passphrase that must match the passphrase on the remote keyboard webpage.
So assuming that the javascript in your html page you received is not compromised, a matching passphrase indicates that you can trust what you type is secure. (If you are paranoid of malicious javascript, one way to deal with it would be to have a browser addon that fingerprints the page and displays the current fingerprint.)
JavaScript can be compromised. The secure way would be ssh port forwarding. From my side it should be an option to listen on local connections only.
Good point. I do find setting up ssh to be more involved if you never regularly use the terminal. If possible I would certainly prefer a "https" option via self-signed cert, but otherwise I wouldn't mind if there is a tutorial on the app on how to set up ssh if you don't know what you are doing (e.g. a help button). (Perhaps there is a way to autoconfig an ssh server on android from the app itself as well.)
This is for really advanced users. One user sorted this all out himself and asked me to add an option to use only local connections. I just made a custom version of WiFi Keyboard for him, because normal user will never do that. Https version would be secure, except it doesn't work with IP addresses without host names.
> I just made a custom version of WiFi Keyboard for him, because normal user will never do that.
Do you still have this version? I'm very interested in being able to bind to localhost.
As an aside, Termux has two SSH implementations (dropbear and openssh) and an openssl-tool package. People that want to use password based auth could use ssh with a `sshd_config` file containing `PasswordAuthentication yes`, while people that want keys/certs could follow one of the countless tutorials available online.
Original issue reported on code.google.com by qualsiasi
on 25 Aug 2010 at 6:29