Official Cryptnos for Android End-Of-Life and Support

Greetings, everyone. I apologize for the long, empty silence. Due to many factors outside of my control, I’ve had very little time to devote to Cryptnos development or this site in recent years. Some of those reasons are personal, some professional, but all have reduced any “recreational” software development time I’ve had to virtually non-existent. Life is frequently filled with the need to set priorities, and while work on this project has always been entertaining and rewarding, my family, professional career, and commitments to pre-existing projects have always come first.

In light of this, I’m afraid I must formally announce the end-of-life and end of support for Cryptnos for Android. Recent changes in the Google Play store now require Android apps to target Android 9 (API level 28) or higher. Previously, this requirement was set for all new apps and updates to existing apps, but Google is now pressing for all apps, both old and new, to upgrade by November 1, 2019 or face delisting. The reasons behind this decision are actually very sound: API level 28 and above have a number of important security enhancements to protect Android users, and apps targeted at lower versions lack these protections and thus pose a potential security risk.

Cryptnos was intentionally targeted at a lower API level (currently 11) for compatibility reasons, to make it available to the widest possible audience. At the time, the Android ecosystem was heavily fragmented, with many older devices still in use with no suitable upgrade path besides buying a new device (an option that was not always available in certain locations). While we’ve occasionally pushed out an update here and there to deal with earlier minimum API requirements, this time it just won’t be feasible for us to upgrade within the specified time frame. The Android development chain has changed vastly since the last time I opened the source: the IDE has migrated from Eclipse to Android Studio, the API has been revamped numerous times, and how devices deal with physical factors such as screen size and orientation has changed dramatically. For me to upgrade Cryptnos to meet this requirement will require a major migration process and thorough code review, if not a significant rewrite, none of which I have time to address before the deadline.

So what does this mean for you? Here are a few options for you to consider:

  • If you currently have Cryptnos installed on your Android device, it should continue to work. Google has not said anything about removing existing installs that do not meet the new API requirements. Recent versions of Android (9 (Pie) or higher) may issue a warning the first time you open the app, informing you that Cryptnos is not optimized for your version of Android. This warning is a good precaution but can be safely ignored, at least with Cryptnos; the app should still work just fine. That said, we will not be issuing any further updates via the Play store, and if you upgrade to a new device, Google Play is not obligated to reinstall it during the automatic migration process. You may want to consider migrating to a new Android-based password management tool now before Cryptnos disappears.
  • If you wish to continue using Cryptnos after it is removed from the Play store, such as reinstalling it on a new device, you should be able to “side load” the APK by downloading it from this site and installing the app manually. There are notes on the main Cryptnos for Android page on how to do this. Note that “side loading” apps is generally not recommended as it introduces possible security risks. There is also the possibility that Android may, in the future, prevent the manual installation of apps that don’t meet a minimum API requirement. Google hasn’t threatened this (yet), but it remains a possibility.
  • If you are not a current Cryptnos user but have been considering giving it a try, we sadly suggest you look elsewhere. Check out our recommendations below for alternatives.

As always, we strongly recommend that you use Cryptnos’ export feature to back up your password list no matter what. Export files generated by Cryptnos for Android are 100% compatible with Cryptnos for Windows, so you should have a means for accessing those passwords later so long as you (1) back up your password parameters regularly and (2) have access to a Windows computer with the .NET Framework installed. (Cryptnos may work on other platforms such as Mac or Linux using third-party .NET Framework clones such as Mono, but this is not officially supported at this time.)

As for an alternative, my main recommendation would be LastPass. While I still use Cryptnos personally, LastPass is highly recommended by a number of sources I trust, and my wife uses it regularly herself, so I have some familiarity with it. (I tried to turn her into a Cryptnos convert, but alas I wasn’t able to convince her.) LastPass has a powerful Web-based interface, as well as plugins for most browsers and apps on both Android and iOS. Migrating from Cryptnos to LastPass should be fairly simple, although we recommend you do so on a computer rather than on your mobile device, just to make things easier:

  1. First and foremost, back up your Cryptnos password parameters by exporting them to a file.
  2. If you haven’t installed Cryptnos for Windows, do so now and import your exported parameters into it.
  3. Set up your LastPass account and log into it using your favorite Web browser.
  4. For each Cryptnos password, use Cryptnos and your master password to generate your final password, and either manually copy it to the system clipboard or turn on the Copy password to clipboard option to do so automatically. Then use the LastPass interface to set up a new entry for that password, copying it into the password field.
  5. Install the LastPass app on your mobile device. Since your passwords are encrypted and stored in “the cloud”, they should sync to your device and be readily available.

If you choose not to use LastPass, make sure to thoroughly and carefully vet any other password manager before committing to it. There are a lot of “password managers” in the Google Play store, but not all of them are trustworthy. Stick to an app with a high rating from a large number of users, or one that has been recommended by a reliable third-party source.

As another alternative, you can always use Cryptnos Online in your favorite mobile browser. Note, however, that you will lose the ability to save your parameters and will have to re-enter them each time you need to regenerate a password. (I know how annoying this can be, as I’ve had to do this periodically when needing one of my passwords on the occasional iOS device.)

For the time being, I will be keeping the Cryptnos for Android APK available here on the site for anyone to download. There is also the Cryptnos for Android GitHub source repository, where the source code will remain available for anyone who wishes to look at it or even fork it. If you are an aspiring Android developer (and a masochistic glutton for punishment), I wouldn’t mind if you want to fork it, update it, and republish the app yourself. That said, bear in mind that you cannot publish it as an “upgrade” to the existing app, as all Play Store APKs are signed and we will not be sharing our signing key. I also ask any forks be released under a different name (i.e., do not call your app “Cryptnos” or any variation thereof) and that you be upfront and honest that your version is an unofficial, unendorsed fork. (I will not “bless” any derivative versions, especially if I cannot review the code.)

Cryptnos for Windows and Cryptnos Online are, for now, staying right where they are. Unfortunately, I can’t speak to any future updates to either one (see the first paragraph above), but unlike the Android app, I don’t have any external requirements forcing my hand.

To everyone who has ever installed my little app—especially those who have stuck with it all this time, despite my silence—I sincerely thank you for your support. Whatever you choose to do, please continue to use a powerful, trusted password manager, as well as promote the use of such tools to your friends, family, and peers. Until true passwordless alternatives for authentication become mainstream (and some are on their way), a good password manager (plus two-factor authentication) is your best defense against hacking and identity theft.

Think smart and stay safe, everyone.

Cryptnos for Android 1.3.4 Released

I’m dusting off the digital cobwebs to announce the release of Cryptnos for Android 1.3.4. This is a minor point release, and only adds officially recognized support for two “new” file manager applications: ES File Explorer Pro and Total Commander. Cryptnos has had support for the free version of ES File Explorer for some time, and while the Pro version functions identically with respect to picking files and directories, Cryptnos wasn’t looking for its specific package name. As for Total Commander (my current favorite Android file manager app), it supports the same OpenIntents intent structure as OI File Manager, making adding support for it incredibly easy. A special thanks to Denis Dimick for pointing out the disconnect with the ES File Explorer versions, and thus sparking this release.

As usual, you can find the latest version in the usual places. The preferred method of installing the Android version is via Google Play, where we can update everyone’s version automagically. If Google Play is unavailable to you for some reason, you can download the APK from our site or GitHub, whichever is convenient. All changes are Open Source, as usual.

I realize it’s been very quiet here for some time, and for that I must apologize. I don’t have much time for “recreational coding” these days, and I’m afraid that Cryptnos falls into that category. I do have plans for version 2.0 and I hope to move forward with those in the coming year, but I’m afraid it’s not very high on my priority list. The good news is that, in its current state, Cryptnos tends to be very robust. Despite the fact that it still targets Android 1.1 as a bare minimum, it works just as well on Android Oreo (8.0) as it did way back when. While new feature development has been slow, I am keeping up on bug fixes and getting those out as soon as they appear.

As always, thanks for using Cryptnos. I hope you find it as useful as I have.

Cryptnos for Android Version 1.3.3 Released

I am happy to announce the extremely long overdue release of version 1.3.3 of Cryptnos for Android. This is primarily a bug fix, fixing Issue #19 in our issue tracker that prevented site parameters from being imported via QRCode if the site token contained a colon (“:”), such as if you used a URL that includes the protocol as part of the name (e.g., “http://www.cryptnos.com/”).

Internally, our QRCode code uses the pipe character (“|”) to separate different parameters, then uses a colon to separate a small “header” for each parameter from the actual value. Unfortunately, if the site token field contained a colon itself, splitting the header/value pair on colons resulted in more items than expected. Using pipes to separate parameters wasn’t an issue because the pipe character is forbidden in the site token field for other reasons. (We use it as a delimiter in other places as well.) However, colons aren’t forbidden, so we have to accommodate their presence. This update should now correctly split the “header” from the value and then reassemble the value with colons intact if they’re found.
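The splitting problem described above, as an added example (this is not code from the Cryptnos source). The header letters S, H and I and the sample payload are constructed for illustration, since the post does not give the real header names. The fixed parser takes the value as everything after the first colon, which gives the same result as splitting on colons and reassembling the value.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class QrParamSplitDemo {

    // Pre-fix behaviour as the post describes it: every header/value pair is
    // split on all colons, so a value that contains ':' yields extra items.
    static Map<String, String> parseNaive(String payload) {
        Map<String, String> out = new LinkedHashMap<>();
        for (String field : payload.split("\\|")) {
            String[] parts = field.split(":");
            if (parts.length != 2) {
                throw new IllegalArgumentException("expected header:value, got "
                        + parts.length + " items in \"" + field + "\"");
            }
            out.put(parts[0], parts[1]);
        }
        return out;
    }

    // Fixed behaviour: only the first colon separates header from value, so
    // any later colons stay inside the value. A scanned QR code is untrusted
    // input, so malformed fields are rejected instead of being guessed at.
    static Map<String, String> parseFixed(String payload) {
        Map<String, String> out = new LinkedHashMap<>();
        // Limit -1 keeps trailing empty fields so they can be rejected below.
        for (String field : payload.split("\\|", -1)) {
            int sep = field.indexOf(':');
            if (sep <= 0) {
                throw new IllegalArgumentException(
                        "missing header in \"" + field + "\"");
            }
            String header = field.substring(0, sep);
            String value = field.substring(sep + 1);
            if (out.put(header, value) != null) {
                throw new IllegalArgumentException(
                        "duplicate header \"" + header + "\"");
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed payload; S, H and I are hypothetical header names.
        String payload = "S:http://www.cryptnos.com/|H:SHA-512|I:10";

        try {
            parseNaive(payload);
            System.out.println("naive: accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("naive: rejected (" + e.getMessage() + ")");
        }

        System.out.println("fixed: " + parseFixed(payload));
    }
}
```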

The .NET (Windows) client is unaffected by this problem because it only exports parameters via QRCode; it doesn’t import them.

The update should now be available in all the usual places. It is preferred that you install it from the Google Play Store, but folks who don’t have access to Google Play can side-load the APK after downloading it. See the official Cryptnos for Android page for the appropriate links.

I apologize for the extremely long hiatus for updates and bug fixes. I could probably write a lengthy update on what’s kept me away from Cryptnos for so long, but that’s a topic for a separate post. Cryptnos isn’t dead, I promise. It’s just extremely difficult for me to devote time to it at the moment, and there’s a lot that needs to be done to update it.

Source repositories have moved to GitHub

Just making a quick news post to make two quick announcements:

#1: No, Cryptnos as a project is NOT dead. I know it may seem like it is since there hasn’t been any active development visible anywhere for quite some time, but I promise you it hasn’t been abandoned. I won’t bore you with the minutiae, but suffice it to say that the past year has been extremely hectic for me, having changed jobs and moved to a new city. It took us about a year of constant searching just to find a house we were happy with, and now we’re slowly unpacking and trying to resume some semblance of normalcy again. Once that happens, I’m hoping that some of my “free time” will become truly free again and I’ll be able to address some of the long outstanding bugs and improvements I’ve been working on.

#2: Due to Google’s decision to shut down its Google Code service, all of our source repositories have been moved to GitHub. GitHub is a very well known and well respected repository service in the Open Source community, hosting some very well known repositories like the Linux kernel. I’ve gone through and updated many of the links here on the site that previously pointed to Google Code, but there might be a few links straggling, especially in older news posts. The Google Code sites will redirect you to the new GitHub sites, but deep links (like links to individual issue tracker items) might not redirect fully.

Thanks again for using Cryptnos!

KitKat changes and Import/Export in Cryptnos for Android

For those who aren’t aware, Google has made a number of changes to Android in version 4.4, also known as KitKat. A full list of changes (from the developer’s perspective) can be found here. As yet, most of these don’t affect Cryptnos for Android all that much, but one change in particular is going to mean a shift in functionality.

Starting with KitKat, regular applications are no longer permitted to write just anywhere to “external storage”, which includes SD cards. While reading is still allowed with the proper permissions, apps are now restricted to writing to a single location allocated to them by the operating system. What this likely means is that the functionality we added in Version 1.1.0 of Cryptnos for Android to allow users to select the import/export location (if you have a recognized file manager app installed) is probably going to get ripped out, forcing you to save your exports to a specific folder.

Yeah, I’m not happy about that either.

I’ve created Issue #18 in the issue tracker to track this change. If you’re interested in the gory technical details, you can follow the progress there. I’m not sure how long it’s going to take me to find time to address this, but I’ll try my best to get rolling on it.

In the meantime, KitKat Cryptnos users should be able to save exports to their device’s internal storage, then manually move the file to the SD card with a file manager utility. This seems to work for me. It’s not ideal by any means, but at least it’s a functional workaround.

Cryptnos for Mac OS? Linux? BSD? Yes, please!

Ever since I started working on Cryptnos nearly four years ago, it was always my hope that it would be useful to as many people as possible. Even if only a handful of people were interested in using it, I still wanted to give those people a chance. I started programming in C# for Microsoft .NET mostly as a creative, exploratory exercise; I was required to learn C# by my day job, and Cryptnos and its sibling projects were ways of teaching the language to myself without the benefit of formal classes. I never intended or wanted to exclude anyone from using it, but I eventually had to admit that .NET wasn’t the best framework for making the app as cross-platform as possible.

Thankfully, the Mono Project is here to save my bacon.

I’m happy to announce that we’re getting dangerously close to releasing Cryptnos for Windows 1.3.4, although there won’t be anything new for Windows folks to really see. In fact, calling it “for Windows” will soon be a bit of a misnomer, because beginning with version 1.3.4, we are officially adding Mono support to the app, meaning it will rapidly become Cryptnos for Windows, Mac OS X, Linux, various BSDs, and maybe eventually more.

While I can’t give a definitive ETA on the release just yet, I can say it will be “soonish”. I want to perform a lot more testing before releasing this into the wild. That said, my initial testing has been very promising, so I’m hoping the release will happen sometime in the next week or two.

While we’re excited to see Cryptnos open up onto other platforms, I’m sad to say it won’t come without a few caveats. Here’s a few early warning notes to share for the moment:

  • Running Cryptnos on non-Windows platforms will require Mono, which is an excellent “port” of .NET to other platforms. That said, we are limited to the platforms they currently support. If you’re not on one of those platforms, unfortunately you’re still out of luck. Please note that although Apple’s iOS is in the list on Mono’s site, there are still no immediate plans for getting Cryptnos on to iPhones, iPods, or iPads any time soon.
  • Cryptnos may not behave quite the same as native apps would on any given platform. Remember, Cryptnos was originally written with Windows in mind, so it’s going to look pretty foreign if you’re not familiar with that platform. That said, if you have a little bit of experience with Windows, perhaps just enough that you won’t get lost, you should be OK. There will be idiosyncrasies, but you should grow accustomed to them eventually.
  • Installation of Cryptnos on non-Windows platforms will end up being a bit more manual, I’m afraid. In addition to the full-featured Windows installer, we’re going to start releasing a binaries-only archive that contains just the EXE and DLLs necessary to run the program. If you’re running on any system other than Windows, you’ll need to extract that archive into a directory/folder and execute Mono directly to launch the app. After that, it should function pretty much the same.
  • Upgrading will similarly be a manual process. While Cryptnos will continue to notify non-Windows users of new updates, the update notice will instead open a new browser window to the Cryptnos site where you can download the new binaries-only archive. Upgrading will then be the same process as installing the app as before, only overwriting the old files with the new ones.
  • Due to some poor UI planning on our part (oops), we’re going to temporarily disable “daily use” mode whenever Cryptnos is run under Mono. We apologize for that inconvenience. Once we work out those kinks, we should be able to re-enable it in a future version. Note that this doesn’t affect Cryptnos’ functionality in any way; it just means you’ll have to use the clunkier full UI all the time, rather than “collapsing” it down to a smaller size for the day-to-day use.
  • Linux users: The feature to copy generated passwords to the clipboard technically works, but may be a bit clunky. Linux boxes with GUIs actually have two separate clipboards that don’t talk to each other, and Cryptnos only talks to one of them. Which clipboard that is may take some experimentation. I was able to paste generated passwords into GUI apps like gEdit and Firefox using a Control + V keyboard shortcut, but not using mouse-initiated context menus or into terminal windows. You may need a bit of trial and error to see what works best for you.
  • Technically, we have only been able to test Cryptnos under Windows and Linux. While it should work just fine on other platforms, be forewarned that it is officially untested on Mac OS X, the BSDs, or any other Mono-supported platform.
  • While Mono does support MS Windows, we still recommend that Windows users continue to use Microsoft’s own .NET implementation. Most of our non-Windows workarounds are based on the question of “Are we running under .NET or Mono?” without really testing to see if we’re still running on Windows. Thus, if you run Cryptnos under Mono on Windows, you may be artificially restricting yourself. Again, we hope to work around this eventually in a future version, but for now, just stick with .NET.

We’ll be posting more detailed notes on each platform later as we’re able to perform additional tests. Until then, thanks again for using Cryptnos!

Cryptnos Unaffected by Android SecureRandom Flaw

Some of you may have heard about the recent massive Bitcoin theft caused primarily by a flaw in Android’s Java Cryptography Architecture. After reviewing Google’s blog post about the flaw, I can confirm that Cryptnos for Android should be unaffected by it. Although the JCA is referenced by some third-party code in a library we use, Cryptnos doesn’t use any random numbers generated by this library or by the JCA directly. All of our cryptographic hashes and generated passwords rely on user-provided inputs, so the PRNGs are never called.

Cryptnos Online Version 1.3 Released

After a long, frustrating bout of testing and tweaking, we’re exhausted but happy to announce that Cryptnos Online version 1.3 has been released. If you have the production alias URL bookmarked, you should be seeing the new version immediately. Note that due to some aggressive client-side caching rules here on our site, you may need to force a refresh or clear your browser cache in order to see the change.

This is essentially a bug fix, but it did require a fundamental back-end change to our implementation. I’m not entirely sure why this occurred, but our previous implementation, based on some great scripts by Paul Johnston and other contributors, seemed to break in Safari under iOS 6.1.3. We managed to narrow down the problem to just the SHA-512 implementation, but we couldn’t find a way to work within that implementation to fix it. After some experimentation, we found that the great CryptoJS library worked without a hitch and could be used almost as a drop-in replacement for our adaptation of Johnston’s scripts.

We’re going ahead and releasing this as our new current production version, but we could use some testing contributions from folks who use non-Latin character sets. In theory, the CryptoJS library uses UTF-8 internally, which is what we here at Cryptnos use as well. However, we haven’t had a chance to thoroughly test it with non-Latin characters yet. If you regularly use non-Latin characters in Cryptnos and can compare the results generated by Cryptnos Online against the results from the Windows or Android clients, that would be greatly appreciated.

Update on Cryptnos Online and iOS 6.x

I wanted to post a quick update regarding the previously reported problem with Cryptnos Online on iOS 6.x devices. After doing some debugging, I’ve narrowed the problem down to the SHA-512 implementation. All of the other hash algorithms seem to be working correctly. It just so happens that a password I needed on my iPod Touch used SHA-512, so it’s a wonder that I stumbled upon it when I did.

Apparently, the problem occurs only on subsequent hash iterations after the first one. In other words, passwords generated on iOS devices that use SHA-512 with only one iteration should be fine, but anything that uses two or more iterations will be off. I would strongly suspect that the routines that convert the input strings into binary are to blame, but the other SHA methods use the same routines and don’t seem to cause any problems.

Unfortunately, I don’t have much else to report on this issue, aside from reassuring our iOS users that if they use any hash algorithms besides SHA-512, they should be OK. If you use SHA-512 with only one iteration (which I normally wouldn’t recommend), you should also be fine. As a reminder, all other platforms currently appear to be unaffected.

I’ll try to keep everyone posted on this issue. I apologize for the slow progress.

Cryptnos 1.3.2 for Android Released

Cryptnos for Android version 1.3.2 has been unleashed upon an unsuspecting world.

Before anyone gets too excited, this is a minor bug release that may only affect a subset of users. If you have a very high-resolution smartphone like the new Samsung Galaxy S4, you may have noticed that the main menu icons were rather large. This was unintended, and unfortunately an artifact of our extreme backward compatibility. In a nutshell, Android uses a number of methods to pick which icons and graphics to use based on screen size, resolution, and other factors. While there are methods to specifically target tablets and other large screen devices in recent versions of Android, our decision to target older devices limits our ability to use them. The older methods are a little less particular and inaccurately made high-res devices like the S4 choose the wrong icons.

I’m not 100% sure this will affect all devices that may be affected, but it seems to work well enough on the devices I have to test with. I hope that if anyone discovers otherwise, they’ll let me know.

All the update links here on the site have been updated. The new version should be visible in the Google Play store within a few hours.

We’re still planning on releasing a 2.0 version sometime in the not too distant future, but our time to work on these updates has been pretty limited lately. I’ll try and post updates on our progress when I can. Thanks for your patience and understanding.