Steganography is the practice of concealing a message within another message or a physical object.
In computing/electronic contexts, a computer file, message, image, or video is concealed within another file, message, image, or video.
This repository provides a web-based utility allowing (for now) the hiding of a text in a PNG file.
You can see it in action at https://stegano.imprologic.com . The source code is on Github: https://github.com/imprologic/steganography-js
This utility makes imperceptible changes to the least significant byte (LSB) of every base color (RGB) in some of the pixels of the original PNG file.
It does not alter the alpha channel, as this may raise suspicions.
The clear text provided by the user is encrypted and stored at a random location in your PNG. The encrypted message (ciphertext) is "wrapped" by a prefix and a suffix derived from the hash of your passphrase.
PNG is both a common file format, and a lossless algortihm.
Being a common file format, it shouldn't normally raise suspicions.
The lossless aspect of PNGs ensures that the embedded data is not lost - assuming that you do not modify the resulting file in any way once the message is embedded.
Use your own judgement. You can hide passwords, private keys, recovery phrases... as long it's a relatively short text, you can hide it using this utility.
As always, the answer is: it depends. A very determined "foe" who knows that your PNG files may include hidden messages may use heuristics to identify unexpected variations in the image's pixels.
For this reason, I strongly advise using PNGs with lots of details like landscapes (isn't nature amazing?), rather than purely geometrical shapes.
A longer, more complex password is always better.
Using PNG files you generated yourself is better than a random PNG off the internet. A determined foe can do an image search and then compare your altered PNG with the original, therefore determining that your version may contain hidden data.
Always delete the original, keep only the altered version of the PNG.
Do not embed additional messages in a PNG that already has an embedded message. There's a good chance you won't be able to recover previous messages.
Do not reuse the same original PNG for multiple messages. A determined foe may compare the altered PNGs and determine that they may contain hidden data.
Do not reuse the same password in different PNGs. A byte-level comparison of the altered PNGs may show similarities between them.
Slightly changing your strong password from one PNG to the next may be good enough in this scenario.
I sure hope so, but there are no guarantees. I strongly recommend getting a copy of this repository and running your own steganography utility.
Several reasons:
- Inspecting the code in an app is a lot more difficult - you'd have to trust that the publisher will not steal the messages you embed.
- The mainstream app stores are notorious for banning apps on a whim. A domain name I own seems a lot safer in that respect.
- The presence of a steganography app on your mobile device may be seen as a clear indication that you used this technique at some point.
However, you can install this as a PWA app by clicking the "download" icon in the top-right of you browser, or by accepting the prompt on a mobile device.
This software is provided as is, without guarantees of any kind.
By using it, you agree not to hold the developer(s) liable for any damages you may incur.
Please make sure you don't forget your passphrase (password) or lose the resulting PNGs.
In the project directory, you can run:
Runs the app in the development mode.
Open http://localhost:3000 to view it in your browser.
The page will reload when you make changes.
You may also see any lint errors in the console.
Launches the test runner in the interactive watch mode.
See the section about running tests for more information.
Builds the app for production to the build folder.
It correctly bundles React in production mode and optimizes the build for the best performance.
The build is minified and the filenames include the hashes.
Your app is ready to be deployed!