Security and discretion are our top priorities. This page explains how we keep your personal data protected and how security at OmniRAT actually works.

Customer data

After you purchase OmniRAT, the computer or device ID is the only thing saved on our servers. Nothing else, not even your email or IP address! The computer / device ID is a hash, 4 to 6 characters long, of a few parameters of your system. Cracking that hash would take astonishingly long and would not even reveal anything valuable.

Even with a court order we would and could only give out the ComputerID.

Communication

Server side

The one and only connection made from our server applications is to verify whether your computer or device ID exists in our database and whether an update is available. This HTTP request is secured with SSL.

Client side

The one and only connection made from the client is directly to your given hostname or IP address. We have no access to your generated client at all.

Encryption

The packets sent between server and client are encrypted with AES using a 128-bit key. Every user is recommended to generate a new key at the first start of OmniRAT. That can be done inside the server application. The only way for a third party to read the packets in plaintext, without access to either the server or the client, is to brute-force the key.

The number of possible combinations for a 128-bit key is around 3.2 x 10^38.

It is obvious that cracking this would take ages, even with a supercomputer. An attacker would rather try to find the encryption key in the client application than make the effort to brute-force it.

Important Note: The only place where the encryption key is saved in plain text is on your system.

The Client

The final client is a bundle of two separate applications. One is an ordinary Android application, the other a service. After the first application is installed, the service is installed. The service does not contain any valuable information. Only the application carries the name, icon, IP address, port and encryption key. Removing the application after the installation of the service is highly recommended and provides more security.

The application

Your hostname / IP address, port and encryption key are encrypted again and hardcoded inside the application. Although the application is easy to reverse engineer, an attacker would not be able to decrypt that data and find out your hostname / IP address. The encryption key used for encrypting the strings is stored only inside the server and client application.

The service

After the installation of both parts, the service fetches the encrypted information from the application and stores it in the internal storage of the device. Nobody is able to access that information: no other application or user, not even an IT forensic scientist.

The only two known ways of doing so are both prohibited by the OmniRAT service.

  1. The service is not debuggable, so running adb shell commands in its name is not possible.
  2. The OmniRAT service forbids backups, so the encrypted information cannot be accessed that way either.

The only exception is a rooted device. With superuser permission it is possible to access the internal storage, but that will give you nothing other than encrypted strings.
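
As an added example (not OmniRAT's code), this is how an analyst reviewing any Android app could read the two settings above from a decoded manifest. It assumes the list refers to the standard android:debuggable and android:allowBackup attributes of the application element; the sample manifests and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Platform defaults when <application> omits the attribute.
DEFAULTS = {"debuggable": False, "allowBackup": True}

# Constructed sample manifests (decoded text XML, not from any real app).
SAMPLE_LOCKED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.locked">
  <application android:debuggable="false" android:allowBackup="false"/>
</manifest>"""
SAMPLE_DEFAULTS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.defaults">
  <application android:label="Sample"/>
</manifest>"""


def app_flags(manifest_xml):
    """Return {'debuggable': ..., 'allowBackup': ...} for a decoded manifest.

    Values are True/False, or None when the attribute is a resource
    reference (e.g. @bool/...) that the manifest alone cannot resolve.
    """
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    flags = {}
    for name, default in DEFAULTS.items():
        raw = app.get("{%s}%s" % (ANDROID_NS, name))
        if raw is None:
            flags[name] = default
        else:
            flags[name] = {"true": True, "false": False}.get(raw.strip().lower())
    return flags


def open_access_paths(flags):
    """List the non-root routes to app-private data the flags do not rule out."""
    labels = {"debuggable": "debug shell as the app", "allowBackup": "device backup"}
    return [label for name, label in labels.items() if flags[name] is not False]


if __name__ == "__main__":
    for sample in (SAMPLE_LOCKED, SAMPLE_DEFAULTS):
        flags = app_flags(sample)
        print(flags, "->", open_access_paths(flags) or "none without root")
```

An app that sets neither attribute keeps the platform defaults, so backups stay allowed unless the manifest turns them off explicitly.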

Hence the only way to find out your hostname / IP address is to find the encryption key that is used for encrypting the strings (not the one for encrypting the packets). That key is hidden deep inside the code, which is also obfuscated and encrypted multiple times. Getting the key is, we assume, nearly impossible.

Legal Situation

OmniRAT is created by German authors and the servers are also located in Germany. Therefore German law applies to us. OmniRAT is a remote administration tool (RAT). It is not, as many believe, a trojan, nor is it made for hacking; therefore it is not illegal and does not violate the law. Its usage, however, is only licit on devices you own or have permission for. This is also stated in our terms of service. By purchasing and using OmniRAT you agree to abide by the above.

For reference, you can view all relevant paragraphs and their contents:

This varies from country to country.

Cover tracks

We advise removing the connection after the remote administration has finished. This leaves no traces of your hostname / IP address on the client's device.

Conclusion

There is no need to worry: in the wrong hands, the app does not reveal your personal data, and all communication is encrypted.
