The screenshots below are what you see the first time you install and run Orbot, and also whenever you open the “Help” menu. One important thing to point out is that Orbot can run with or without root, and our setup UI responds to having the capability or not accordingly.

Ultimately our goal is to provide a useful bootstrap experience for novice and advanced users alike. We welcome your feedback.

While it may give some of us a certain satisfaction to manually cobble together a suite of secure applications that suites our needs, this is by no means a long-term, wider-market solution. The tech community often forget (willfully or otherwise) that there is a huge group of non tech-savvy users for whom security and privacy are top level priorities. The ability to secure ones mobile communications should be accessible to all, through a solution that is beautiful, engaging and idiot-proof in its design. As we try to build that solution, we’re looking for your help in making sure that it meets each of those criteria.

As an alpha tester, your job will be to help us shape the product. We’ll want to know everything about your mobile device(s), how you use them to communicate,  what concerns you have about privacy, and how you interact with the products we’re building. In turn we’ll provide you with expert assistance and knowledge about mobile privacy. You’ll get the latest glimpses at our designs and beta versions of our component applications. You will live and breathe mobile anonymity (if you so choose), and you’ll play a key role in defining the future of Guardian.

Prerequisites:

• Has Android mobile device(s)
• Highly invested in mobile privacy
• Willing to regularly engage with the Guardian team through phone calls, online forums & surveys, etc. (at least once per week)
• Preferably a part of an organization >3 people also matching the above criteria

If this sounds like you, we want to hear from you. Fill out a quick contact form here.

Unfortunately, many of the protocols involved in sending and receiving e-mail are not considered secure – in the sense that they are vulnerable to eavesdropping. Simple Mail Transport Protocol (SMTP) – the Internet standard for e-mail transmission across IP networks  most commonly used by client applications for sending messages to a mail server for relaying – is typically implemented without any type of transport encryption. Internet Message Access Protocol (IMAP) and Post Office Protocol (POP) suffer from the same eavesdropping issues as SMTP when implemented without transport encryption. Even when SMTP is implemented with transport encryption it does not, by default, require the authentication of e-mail message senders. As a result, mail servers cannot be sure that the senders of messages are really who they claim to be. And even though POP and IMAP require users to authenticate, messages are sent and delivered using SMTP.

The result is a situation where the recipient of an e-mail message can be positively identified but the sender cannot. Along with the eavesdropping concerns mentioned at the top of the paragraph, this is an alarming state of affairs. Imagine if the same were true of snail mail – there would be rioting in the streets! Fortunately there has been a lot of great work done to combat these fears – the main issue being that the problem itself is  still one  that is often ignored or not fully understood by the layperson. As secure solutions for mobile platforms gain momentum, we’re hoping to change things.

Enter OpenPGP, an IETF standard for encryption and decryption of data. The version of OpenPGP that exists today is the evolution of PGP, which was created in 1991 as a means for secure BBSs communication and message storage (it ironically also stands for “Pretty Good Privacy”). Why do you need PGP? In the words of its inventory, Phil Zimmerman: “It empowers people to take their privacy into their own hands.” How it works is a whole other story – one too complex for the purposes of this posting – but we’ll do our  best to scrape the surface quickly. Disclaimer: The following is meant solely as an introduction. There are many people out there who are experts in these topics, and we welcome any and all comments – especially if we misstate or misrepresent anything!

PGP uses a serial combination of hashing, data compression, symmetric-key cryptography, and, finally, public-key cryptography. From the user’s perspective, it creates two cryptographic keys to encrypt and decrypt data. The first of these two is called the Public Key – which can be freely shared with anyone the user wishes and is used by others to encrypt data so that it can be decrypted by only the intended recipient. The second key is the Private Key, which should be kept as private and safe as possible. It is used to decrypt data that has been encrypted using a specific Public Key. As long as the Private Key is kept secret, only the owner is  able to decrypt data that has been encrypted with a Public Key. One problem with older methods of encryption was the relative ease with which codes could be broken. With increasingly powerful computers that are able to crack codes via pure ‘brute force,’ encoding methods must be incredibly complex to stand up. To combat this, PGP uses a key that is astronomically large,  meaning that the security of PGP encryption lies entirely with the key as opposed to keeping the method for key generation a secret. In fact, the methods that PGP encryption uses are known and widely documented. In addition, the size of keys can be increased whenever necessary to stay one step ahead of technological advances. And for the time being, each of the algorithms in current use by PGP is not known to have cryptanalytic weaknesses.

So how secure does this make your information? Italian Police, the FBI, and British police have been unable to crack its security and have resorted to demanding private keys. It’s been likened as “the closest you’re likely to get to military-grade encryption” by cryptographer Bruce Schneier. Short answer: pretty darn good, as long as you guard your private key wisely.

You’ve probably guessed by now that the reason for this posting is to show you how to effectively use OpenPGP to secure your mobile email. And while we would’ve loved to just jump right into the tutorial, there are a few more things you should know first. Android Privacy Guard (or APG for short), is a first step at bringing OpenPGP to the Android platform, letting you manage OpenPGP keys directly from your Android phone – and use them to encrypt, sign and decrypt emails and files. Very recently the teams behind APG and the popular, open-source Android email client K-9 Mail have joined forces in a limited edition team-up to create a beta version of K-9 that plays nice with APG quite seamlessly. We’ve been using it as our default email solution at Guardian for weeks now and want to share it with you!

Note: Currently APG only supports importing and deleting keys – not generating them – so you’ve got to use a desktop implementation of OpenPGP (such as GNU Privacy Guard) to actually generate your keypair if you don’t already have one. A number of front-end applications and libraries are available to perform this task. If you already have a keypair set up, you should skip the first step.

1. Download and Install GnuPG Generate an OpenPGP keypair

Install GnuPG  here. There are binaries available for whatever OS flavor you prefer, and since they do a great job of making documentation and How-To Guides available, we’ll skip the part where we reinvent the wheel.

2. Generate and export your keypair

Follow the instructions here to create a new keypair. Export your public and private keys (re-direct from stdout to a file) and stick that file on your Android device’s SD card. Usually it’s best to create a new folder /APG to keep things organized, especially if your SD card is a mess like ours

3. Download APG and import your keys

If you don’t already have it, download Android Privacy Guard from its repository here or point your barcode scanner to the QR code below. You can also find it on the Market if you prefer.

Fire up APG and select ‘Manage Public Keys’ from the menu:

From the ‘Manage Public Keys’ screen, select ‘Import Keys’:

From the popup dialog, select the public key that you’ve transferred to your SD card. It’s helpful to use a file browser program like Astro File Manager if you don’t already have it installed:

Once your public key(s) are successfully imported, return to the main APG menu, select ‘Manage Secret Keys’ and repeat the steps above for your Private Key.

4. Download and Configure K-9 Mail

Download the latest version of K-9 mail featuring APG integration. You can find it on the Downloads page here or, again, point your barcode scanner to the QR Code below. Whatever floats your boat.

Set up your email account by entering your email address and password, then give it a name.

For more popular accounts such as gmail, Yahoo!, etc., K-9 will automatically detect the correct configuration. For more complex accounts such as Exchange, please check out the K-9 wiki page here.

5. Send and Receive Encrypted Email!

Thanks to the integration effort by the teams at APG and K-9, actually using secure mobile email becomes easy. The compose screen features a prominent checkbox and button that allow you to sign and encrypt your outbound messages, respectively.

Decrypting messages with your private key is even easier and is literally a 1-touch experience:

Enjoy! As always, please post all questions, concerns, and jokes (only good ones please) in the Comments section. We’re very excited about the powerful combination that these two apps bring and we’d love to hear from you!

If you find any issues with APG, please report them here:

Likewise, report issues with K-9 here.

You can find the full product overview on the Hiapad site. I have also pasted in the basic specs below.

See the Slatedroid forums for more tear down and custom rom news: slatedroid.com/index.php?board=18.0

p.s. – the older, distinguished gentleman in the photos is my father, who at age 75, is still fascinated, engaged, and into hacking with all things digital.

Summary of hardware specifications for our Rockchip Apad iRobot Android Tablet, Batch 2:
CPU: RK2808 Chipset (ARM9 @ 600 MHz + DSP @ 550 MHz dual-core)
Operating System: Android 1.5
Supported Languages: English, Chinese, others
Display: 800×480 7″ LCD
Input: Resistive single point touchscreen
Sensors: Accelerometer
Camera: 3 Megapixel camera
Audio input: built-in microphone
Audio output: 3.5 mm jack, integrated speakers
Networking: 802.11 Wireless b/g
Peripheral Support: USB HOST (mouse, keyboard, memory stick, more untested)
Battery: 3000 mAH, 2 hours continuous use wifi on, 4 hours reading time wifi off
RAM: 128 MB
ROM: 2 GB
Expansion memory: Transflash (microSD) up to 16 GB
Supported video formats: MKV (H.264 HP)/RMVB/MPEG-4/FLV/MPEG-1/MPEG-2 up to 720p
Supported audio formats: MP3, WMA. FLAC, AAC, AC3, OGG, WAV
Supported picture formats: JPEG, PNG, BMP, GIF
The Rockchip Apad is a MID based on the Rockchip electronics RK2808 platform.

Sipdroid is an open-source SIP client that adds native SIP/VOIP to Android’s default dialer / contacts applications. You can find Sipdroid in the Android Market or alternatively can download it here. SIP (Session Initiation Protocol) is the Internet standard for real-time voice and video communications. It’s a fundamental building block for many popular consumer VOIP products that you may have used – Vonage or MagicJack are two examples. Once installed and configured properly, sipdroid allows you to make & receive calls over Wifi and 3G / EDGE data connections – which is a really powerful thing! A similar solution from Gizmo5 allowed many Android users to completely untangle themselves from mobile minutes and rely on a purely VOIP solution. Alas, new Gizmo signups were suspended after Google announced their acquisition – but we should all be excited to see what they can cook up as part of the official Google Voice team.

While it’s expected that SIP providers will become more interoperable, the simplest and most powerful solution currently available to get sipdroid running involves registering to the virtual PBX service from PBXes.com. For the uninitiated, a PBX (Private Branch Exchange) is what establishes and manages the connections between the telephony products of a private organization (telephones, fax machines, etc.) – each of which is labeled with an ‘extension’. It also is the system through which these extensions are able to access the public telephone network (PSTN). Since the 1990s, traditional PBX solutions – usually out of reach for small businesses or individuals due to cost and complexity – have evolved to IP-based and virtual or hosted PBXes, which greatly simplify the processes of building and scaling telephony services. PBXes.com is one such ‘virtual PBX.’ Once a PBXes account is established, the account owner can create multiple extensions beneath it and easily dial between those extensions. You get 5 extensions for a free account, more for paid account types.

Why is this solution so interesting? If you have a relatively small group of colleagues (NGO, humanitarian workers, activists, journalists, etc.), it allows you to easily establish a private internal phone system that can be used over a data connection in lieu of the regular phone system. In our experience, the call quality is also quite good. And while the following step-by-step guide will lead you through the process of setting up this simple solution, first a word of caution: this is not a secure solution yet. It is a first step, however, down that road. To achieve a more secure solution, we need to enable more features, include tunneling and encrypting traffic through a Virtual Private Network (VPN) as well as integrating to a privately maintained Asterisk phone server running with custom security settings.

We are also investigating solutions that uses a public key exchange model, such as Philip Zimmermann’s ZFone, such as the new RedPhone app just announced by WhisperSystems.

1. Configure extensions to a PBXes.com account

If you don’t already have a PBXes.com account, head over to http://www.pbxes.com and fill out the straightforward account registration form for a free account.

Next, select ‘Extensions’ from the left-hand navigation menu, then choose ‘SIP’ under ‘Add an Extension.’

Last, configure your new extension with a few critical elements. Make sure you fill out the following fields, at a minimum:

• • Extension number (e.g. 100, 101, 402, etc.)
  • Display name (e.g. johndoe-100)
  • Password

2. Configure extensions on sipdroid

If you don’t already have sipdroid, you can find the latest version here, or point your barcode scanner to the following QR code:

· Authorization Username and Password

· Server: pbxes.com

· Port: 5060

· Protocol: TCP

You should see a green dot appear in your notifications tray on successful registration like so:

3. Trial Run – dial between extensions

Once you’ve set up a number of extensions within your PBX, you can easily dial between them. Simply input their extension number (e.g. 100).

4. (Optional) Configure VPN

As mentioned above, the solution so far isn’t a secure one. A first step in the right direction is connecting to PBXes’ PPTP VPN. For those quicker on their feet, configuration instructions can be found here. If you’d prefer to stick with us, follow these steps:

4a. On your Android phone, access the ‘VPN settings’ section of Wireless & network settings.

4b. Select ‘Add VPN,’ then ‘Add PPTP VPN’

4c. On your Android phone, access the ‘VPN settings’ section of Wireless & network settings.

• VPN Name – your choice
• VPN server – www#.pbxes.com [for # see URL line after logging into PBXes on your browser]
• Enable encryption – We haven’t had success with enabling encryption on PBXes yet. This might be due to a sipdroid issue or it might not. If you have success on Android 2.0 / Éclair please let us know in the comments! Nathan reported issues with encryption using PBXes PPTP VPN as well.  -Derek Halliday 5/12/10 4:33 PM
• DNS search domain – leave empty
• Username – <account name>-<extension no.> (e.g. guardianproj-401)
• Password – <extension password>

That’s it! If you come across any issues or have any questions along the way, please let us know in the “Comments” below and we’ll do our best to help you out or clarify. And if you’re itching for more, here are a couple next steps. We’re not presenting a deep tutorial on these (yet), so we’d love to hear from you if you have pursued either – or even better – if you’ve used sipdroid and/or PBXes in any other creative ways!

1. Hook your PBXes account into an external DID / VOIP number to dial out to standard phone. Think of it as the equivalent of ‘Skype Out’ for sipdroid. You can use a service such as CallCentric (http://www.callcentric.com/) for this.
2. You can also integrate desktop VOIP programs or other mobile device client into the same PBXes accounts. Here’s a great list of free, open-source SIP clients. We personally like Blink for Mac OS.
3. If you have a privately maintained Asterisk or other SIP compatible-server, you can use this same approach with that box, and integrate with your own VPN server. We will be covering this in more detail with a future post, as this is a more secure solution that using a provide such as PBXes.

The reason we purchased one of these was to be able to tangibly have Orbot (aka Tor on Android) running on a tablet “MID” style device. Since it is running Android 1.5, we were able to easily do this using Orbot and Orweb together without requiring the device to be rooted.

So here you have it – Tor on a Tablet, the AnonaPad, GuardianSlate, OrTab, OnionBook, or whatever other clever name you may want to come up with!

BEEM – Android XMPP happens to be one of these. You can find BEEM in the Android Market or you can download it here. The goal of BEEM is to provide a full featured and easy to use Jabber client on Android. Jabber is another name for XMPP, the Extensible Messaging and Presence Protocol, which is another name for Instant Messaging and Status Updates. XMPP is the open-protocol that grew out of the AIM vs. Yahoo vs. MSN vs. ICQ protocol wars of a few years ago. It is now managed by a standards foundation, and is supported by an amazing number of client and server apps.

Beem, available as source code and in the Android Market, is a great looking, highly functional IM application that supports a number of advanced options including SSL/TLS support and SOCKS Proxying. These two features make it ideal for use with running over the Tor anonymity network and Orbot. By combining Beem with Orbot, mobile instant messaging can be more private (even anonymous if one chooses), usable without fear of eavesdropping by network operators, and made accessible in places where filtering technologies blocks access to popular instant messaging services.

1) Connect to the Tor network using the Orbot app

First, if you do not have Orbot installed, first download it from the Tor Project or scan the barcode below:

The Orbot app contains an HTTP and SOCKS proxy server which allows any Android app to proxy its network traffic through Tor. By installing and activating Orbot (tap on the big power button!), this proxy server is activated and runs in the background as long as you are connected to the Tor network.

2) Configure your XMPP-compatible account using Beem settings

If you don’t have BEEM installed, you can download it here or scan the barcode below:

You can use any XMPP service, but we recommend one that supports TLS or SSL security. You can use your Gmail / Google Talk account or you can find a list of public services here: http://xmpp.org/services/

3) Check the SSL/TLS option in the Advanced Menu

You must enable this option to protect your password and chat communications when they exit the Tor network. You can learn more about exit node eavesdropping on the TorFAQ.

4) Enable the SOCKS Proxy Setting in the Proxy Menu

The “Use a proxy server” should be checked, the Protocol set to “SOCKS5″. The Server is “localhost” and the Port is “9050″. You must use the SOCKS5 protocol, as it ensures that domain name resolution is also routed through Tor, stopping from someone snooping on which chat service you are using.

5) Connect to the XMPP Service

If Orbot is connected, and you have configured the proxy settings correctly, you should be able to connect and see your contacts or buddy list. From here, you can use Beem as you normally would (download user documentation here).

IMPORTANT: To ensure Beem is routing through Tor, you should deactivate Orbot, and then try connecting to your XMPP service with Beem again. This SHOULD fail, else you haven’t setup the proxying correctly.

6) Chat away!

At this point, you should be happily chatting away with your buddies. It is important to note that this solution DOES NOT provide end-to-end encryption, so once your chat reaches the server, it is not secure, both because the service provide can view it if they choose, and the other members of your chat may not be secured themselves.

We do plan to implement and end-to-end extension to Beem using the Pidgin+Off The Record approach that has provided effective on desktop systems. If anyone wishes to contribute development cycles to this effort, please let us know!

If you find issues with Beem, please report them: http://www.beem-project.com/projects/beem/issues/new

If you find issues with Orbot, please report them: https://trac.torproject.org/projects/tor/newticket

I’ve always been a supporter of net privacy and Tor in particular, and a friend of mine got me interested in the guardian project, so I grabbed the beta version of Orbot just to try it out.. sweet, tor from my phone.

Unfortunately the Smoked Glass Rom I was using didn’t support the Iptables modules necessary for the transparent proxy method orbot used for tunnelling apps through privoxy/tor. So, I was forced to try out some other Roms and their respective kernels.. okay, forced is a bad way to put it, it was a lot of fun.

Read on…

This is a fork of the Ushahidi on Android app, done as a way to prototype the implementation of increased security, anonymity and privacy for users viewing and submitting reports through Ushahidi.

Ushahidi is a platform that crowdsources crisis information, allowing anyone to submit crisis information through text messaging using a mobile phone, email or web form.

The network code for the Ushahidi app has been tied into Orbot (Tor on Android) using a SOCKS5 client. This does NOT require a rooted device to work – both it and Orbot can be run on stock, off the shelf Android devices on any mobile operator that offers at least a GPRS connection. This version of the app will ONLY work if Orbot is activated and connected to the Tor Network. Otherwise, network connections will fail.

We plan/hope to work with the Ushahidi team to integrate this functionality into the main branch of code, and offer a clear, easy way for users to activate/deactivate use of the anonymity/anti-surveillence features.

You can access the complete source code for Ushahidi-Linda on Android via our Git repository and also download test builds as they are available. PLEASE NOTE: Until further notice and formal announcements, these builds should be considered ALPHA and are for testing, proof of concept use only.

Specifically you can see how we have provided a new SocksHTTPClient package that proxies all GET and POST connections through SOCKS.

From here, the plan is to implement a security pin on startup, local data encryption for storage of data both in the database and on the sdcard, as well as quick “delete all” features.

Learn more about the Tor Project and how network anonymity works at http://torproject.org

The Tor Project has been working very closely with Nathan Freitas and The Guardian Project to create an Android release. This is an early beta release and is not yet suitable for high security needs. The Android web browser is not protected by Torbutton and we have not yet developed an anonymous browser on the Android platform. Please be cautious with this release, it’s probably pretty fragile and it’s certainly not ready for serious use.

We just want to emphasize the word “fragile”. While we are proud of this work, it is a first release, and with all security, anti-censorship, anti-surveillance software, you must take each step slowly, deliberately, and seriously. So please, download the Orbot APK build, test the frack out of it, report bugs and feedback here.

There are some really cool features in Orbot, specifically “Per App Torification” if you have a modified/rooted device, running CyanogenMOD or another alternative firmware. However, even if you have a stock Android device straight from a T-Mobile, Verizon or China Mobile store, this is for you!

If you’d like to do the QRCode scan install thing, point your Android camera at this: