IOCipherServer
From Guardian Project Wiki
A major area of inquiry for PSST was improving the ability to share and sync data securely between mobile devices and desktop or laptop computers. The data synced would be any general file, but ideally this would also serve as the conduit for syncing GPG and OTR keyrings.
This is the wiki page for this aspect of PSST: https://guardianproject.info/wiki/Securely_Storing_and_Syncing
Development
You can find the source and an APK build here (under Downloads): https://github.com/guardianproject/IOCipherServer
- As a bonus, this same server can be accessed via Orbot/Tor hidden services, which means you can have a secure, authenticated, untrackable channel for remotely syncing data over Tor between a mobile anywhere in the world and a server or desktop.
Existing Problem
Currently, syncing data to your mobile from a desktop is generally done by copying stuff to the SD Card, which usually involves a USB cable, and is generally insecure due to the open access to the SD Card partition. In addition, there is no generally available "encrypted storage" capability for any Android app looking to utilize that, and the existing encrypted storage options for an Android device involve having root and using something like LUKS or EncFS, which are quite a hassle.
Our Solution
IOCipherServer is the working name for an on-device HTTP/S web server that can support a variety of functions, primarily providing web browser-based and WebDav remote file system access to filesystems on the Android device. The code I have up is a basic working prototype, built by combining the TinyJavaWebServer and Milton WebDav APIs, two solid open-source projects to build upon. I also implemented my own mechanism for automatically generating a crypto keypair and SSL certificate, in order to power the HTTPS server. While the cert is not signed by a RootCA, the app displays the SHA-1 fingerprint of the device's cert, so that the user can quickly compare it in their browser. (See the attached screenshot to get an idea.)
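The fingerprint comparison described above can also be done by a client program rather than by eye. The following is an added example, not code from IOCipherServer: it assumes a desktop client written in Python, and the function names and the `SAMPLE_DER` bytes are constructed for illustration. The digest algorithm is a parameter, defaulting to SHA-1 to match what the app displays.

```python
import hashlib
import hmac
import socket
import ssl
import string

# Constructed stand-in for a DER-encoded certificate (not a real cert).
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"


def fingerprint(der_cert: bytes, algorithm: str = "sha1") -> str:
    """Colon-separated uppercase hex digest of the DER certificate."""
    digest = hashlib.new(algorithm, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(displayed: str) -> str:
    """Drop separators and case so 'ab:cd', 'AB CD' and 'abcd' compare equal."""
    return "".join(c for c in displayed if c in string.hexdigits).upper()


def matches(der_cert: bytes, displayed: str, algorithm: str = "sha1") -> bool:
    """True only if the full fingerprint typed by the user matches the cert."""
    expected = normalize(displayed)
    actual = normalize(fingerprint(der_cert, algorithm))
    # A truncated fingerprint must never count as a match.
    if len(expected) != len(actual):
        return False
    return hmac.compare_digest(expected, actual)


def connect_pinned(host: str, port: int, displayed: str,
                   algorithm: str = "sha1", timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and keep it only if its cert matches `displayed`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Self-signed cert: CA validation cannot succeed, so the fingerprint
    # check below is the only authentication of the server.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    # Check the certificate of this very connection before sending any data.
    if not matches(tls.getpeercert(binary_form=True), displayed, algorithm):
        tls.close()
        raise ssl.SSLError("certificate fingerprint mismatch")
    return tls
```

The check runs on the same connection that later carries the data, so a certificate swapped between a separate "fetch" and "use" step cannot slip through.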
There are a number of commercial "access your files over wifi" apps for Android, but they are all closed-source, cost money, and very few (only one?) provide HTTPS/SSL support. In addition, they simply provide access to unencrypted, unsecured files on the sdcard external storage. IOCipherServer will link into Hans' work on IOCipher, and provide secure, authenticated access to an encrypted filesystem stored on your device... all without requiring root!
User Stories
"Alice wants to send Bob a large video from her phone to his, but sending it out via Dropbox or Gmail is taking too long. Alice activates her IOCS on the same wifi hotspot that Bob is on, tells him her IP address, and he downloads it directly in a few seconds, all over a secure channel."
"Alice is giving a presentation to a group of activists in a country where access to Google, YouTube and the general internet is blocked and filtered. She has a number of ebooks and videos on her phone about internet security safety that she wants to share. She activates her wifi hotspot and turns on IOCS. Everyone at the meeting connects their phone to her hotspot, opens their browser to connect directly to her local IP, and downloads the files they want... no internet uplink required."
"Alice wants to keep her public and private keyrings on her phone in sync with those on her laptop. Gibberbot and GPG for Android app automatically use an IOCS location to securely store their keys. On her desktop, she starts an IOCS-Sync utility, enters in a username and password, and it automatically syncs her keyrings anytime her phone is detected on the same LAN as her laptop."