AB Mobile Apps Security Flaws

Summary

All the Android apps I could find from AB Mobile Apps had security flaws, as detailed below.

The FTC has punished several companies for similar security flaws, as detailed here:

https://samsclass.info/android/#OWASP

Ask a Lawyer

This app stores passwords locally without encryption, and transmits them over the Internet without encryption, in both the Android and iOS versions, as detailed here: https://samsclass.info/128/proj/askal.htm

Clear Secure Messaging

Here's the app I tested:

I registered a new account:

Most of the data is sent completely unencrypted over the Internet. The password is hashed with a single round of SHA-1 with no salt, which is hardly better than plaintext.

Login works the same way, using SHA-1 instead of a secure encryption process, such as HTTPS.

Local storage on the device contains a private key in plaintext, which is likely to be something that should be treated as confidential.

The encryption uses AES in ECB (Electronic Code Book) mode, which does not remove patterns from the input. To see that, I sent a message with 32 "a" characters.

The metadata (sender and receiver names) is sent with no encryption at all, compromising user privacy.

The encrypted message shows a repeating pattern, showing a block size of 128 bits or 16 bytes.

Diet Plan

Here's the app I tested:

I registered an account, and found my password stored locally in unencrypted Unicode.

When logging in, the password is sent unencrypted over the Internet.

Drink Mixer

Here's the app I tested:

When logging in, the password is sent unencrypted over the Internet.

Stock Screener: Stock Analyst

Here's the app I tested:

I registered an account.

The password is sent over the Internet with SHA-1 hashing instead of secure encryption with HTTPS.

Teacher App & Grade Book

Here's the app I tested:

When logging in, the password is sent unencrypted over the Internet.

The domain name no longer resolves, however, so I think this app has been abandoned and no longer works.

Notification

I sent this email:


Posted 1-7-17 by Sam Bowne
"Ask a Lawyer" added 3-6-17