The Crosspass server, unlike the servers behind instant messengers, does not broker public keys. Consequently, both users' devices need to be online at the time of the transfer so that they can communicate peer to peer. Because mobile phones are almost always online, over Wi-Fi or cellular data, Crosspass is designed as a mobile app.
The Crosspass server never sees user passwords or private notes. It relays blobs of data between two phones but cannot decrypt them, and it holds no user key material at all (no public, private or symmetric keys and no Diffie-Hellman shares). If the Crosspass server is compromised, the attacker still has to guess the PIN, the equivalent of 11 coin flips in sequence, to MITM a single exchange. Other server-based encryption apps can be MITMed without difficulty because a compromised server can simply hand out spurious public keys.
Some Crosspass features:
- E2EE: one end is the sender's mobile phone and the other end is the recipient's mobile phone; the server in between only forwards ciphertext. The encryption scheme is based on the OPAQUE protocol (a password-authenticated key exchange), with the PIN playing the role of the password.
- Text Notes: when users need to send more than a password, they can use the text note option, for instance to send credit card or bank account details.
- Brute-force attacks: the API server (a) keeps no password hashes, so there is nothing to attack offline, and (b) the app limits the number of attempts to retrieve a note, so that even the server could not brute-force the PIN online.
- Impersonation attacks: the app does not rely on receiving the recipient's public key from the server, so a MITM who does not know the PIN cannot impersonate the recipient.
- Free to receive: receiving passwords and notes is always free, so there is no barrier for recipients. Users can send three passwords for free; after that there is a one-time fee of $1 to continue sending.
- Anonymous: Crosspass does not ask users for phone numbers or email addresses. On the sender's side only, it uses push notifications and in-app purchases via the App Store on iOS and Google Play on Android.
Crosspass helps communicate various types of confidential data:
- Driving License numbers
- Social Security numbers
- Public keys
- API credentials
- Credit card numbers
- Bank account numbers
With Crosspass there is no login and no email address or phone number required, only a 4-digit PIN that secures a note and, like a one-time password, can be used only once. After the transfer the note is deleted on the sender's side and remains on the recipient's phone for one day.
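To make the security argument above concrete, here is a small model of the exchange, added as an example; it is not Crosspass code and it does not implement OPAQUE. In place of OPAQUE it uses a simpler balanced PAKE of the SPEKE type over the RFC 3526 2048-bit group, with the PIN as the password, and only the Python standard library. The three-message layout, the attempt cap of three, the key-confirmation tag and the `relay_log` list that stands for the server's view of the traffic are all assumptions made for the demo. What it shows: the relay sees only opaque blobs and holds no keys or hashes, a wrong PIN (an impersonator's guess) is caught by key confirmation so an active attacker gets one guess per run, the sender wipes the note once the attempt cap is reached, and the note is deleted on the sender as soon as it has been delivered once.

```python
"""Toy model of a PIN-authenticated phone-to-phone note transfer through an untrusted relay.
Added example, not Crosspass code: a SPEKE-style balanced PAKE stands in for the OPAQUE
protocol the page names; the message layout, the attempt cap and the relay log are assumed."""
import hashlib
import hmac
import secrets

# RFC 3526 group 14: 2048-bit safe prime P = 2Q + 1 (sanity-checked below before use).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2   # order of the quadratic-residue subgroup
MAX_ATTEMPTS = 3   # assumed: the page says attempts are limited, not how many
assert pow(2, P - 1, P) == 1 and pow(2, Q - 1, Q) == 1, "group constant is corrupt"

def pin_generator(pin: str, session_id: bytes) -> int:
    """SPEKE: the DH generator is derived from the PIN and squared into the order-Q subgroup."""
    h = hashlib.sha256(b"toy-speke|" + session_id + b"|" + pin.encode()).digest()
    return pow(int.from_bytes(h, "big"), 2, P)

def shared_key(x: int, peer_pub: bytes) -> bytes:
    """Derive the session key; reject peer values outside the prime-order subgroup."""
    y = int.from_bytes(peer_pub, "big")
    if not 1 < y < P - 1 or pow(y, Q, P) != 1:
        raise ValueError("peer value outside the subgroup")
    return hashlib.sha256(pow(y, x, P).to_bytes(256, "big")).digest()

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream (demo only; use an AEAD in real code)."""
    blocks = (hmac.new(key, b"enc" + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: 32-byte tag followed by ciphertext."""
    ct = keystream_xor(key, plaintext)
    return hmac.new(key, b"mac" + ct, "sha256").digest() + ct

def open_blob(key: bytes, blob: bytes):
    """Verify the tag, then decrypt; None on tampering or key mismatch."""
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + ct, "sha256").digest()):
        return None
    return keystream_xor(key, ct)

def confirm_tag(key: bytes) -> bytes:
    return hmac.new(key, b"confirm|recipient", "sha256").digest()

class Sender:
    """The sender's phone: holds the note and the PIN and enforces the attempt cap."""
    def __init__(self, pin: str, note: bytes):
        self.pin, self.note, self.attempts_left, self._x = pin, note, MAX_ATTEMPTS, None

    def start(self, session_id: bytes) -> bytes:
        """Message 1: the sender's PAKE value. Every run costs one attempt."""
        if self.note is None or self.attempts_left <= 0:
            raise RuntimeError("note already delivered or wiped")
        self.attempts_left -= 1
        self._x = secrets.randbelow(Q - 2) + 2
        return pow(pin_generator(self.pin, session_id), self._x, P).to_bytes(256, "big")

    def finish(self, peer_pub: bytes, confirm: bytes):
        """Message 3: release the sealed note only if the peer proved the same PIN."""
        key = shared_key(self._x, peer_pub)
        if not hmac.compare_digest(confirm, confirm_tag(key)):
            if self.attempts_left == 0:
                self.note = None   # cap reached: wipe the note
            return None
        blob, self.note = seal(key, self.note), None   # one-time use: deleted on delivery
        return blob

class Recipient:
    """The recipient's phone, or a MITM trying one PIN guess."""
    def __init__(self, pin: str):
        self.pin, self.key = pin, None

    def respond(self, session_id: bytes, sender_pub: bytes):
        """Message 2: the recipient's PAKE value plus key confirmation."""
        y = secrets.randbelow(Q - 2) + 2
        self.key = shared_key(y, sender_pub)
        pub = pow(pin_generator(self.pin, session_id), y, P).to_bytes(256, "big")
        return pub, confirm_tag(self.key)

def exchange(sender: Sender, recipient: Recipient, relay_log: list):
    """One transfer; relay_log collects every blob the server sees. Returns the note or None."""
    session_id = secrets.token_bytes(16)
    m1 = sender.start(session_id)
    relay_log.append(m1)
    pub, confirm = recipient.respond(session_id, m1)
    relay_log.append(pub + confirm)
    blob = sender.finish(pub, confirm)
    if blob is None:
        return None
    relay_log.append(blob)
    return open_blob(recipient.key, blob)
```

Running `exchange` once with matching PINs delivers the note and leaves `sender.note` empty; running it with a guessed PIN returns `None` each time and, after `MAX_ATTEMPTS` failures, the sender has wiped the note. Nothing in `relay_log` can be checked against a PIN guess offline, because the relay only ever sees group elements and authenticated ciphertext, never a hash of the PIN. The point where this toy differs from OPAQUE is that both phones know the PIN directly; with OPAQUE the verifier side holds an envelope rather than the password itself, but the one-guess-per-run property is the same.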