Combating “Fake News” With a Smartphone “Proof Mode”

We have been working for many years with our partners at WITNESS, a leading human rights media training and advocacy organization, to figure out how best to turn smartphone cameras into tools of empowerment for activists. While it is often enough to use the visual pixels you capture to create awareness or pressure on an issue, sometimes you want those pixels to actually be treated as evidence. This means you want people to trust what they see, to know it hasn’t been tampered with, and to believe that it came from the time, place and person you say it came from. [Read More]

F-Droid now supports APK Expansion Files aka OBB

Many games, mapping, and other apps require a large amount of data to work. The APK file of an Android app is limited to 100MB in size, yet it is common for a single country map file to be well over 100MB. Also, in order to get users running as quickly as possible, they should not have to wait for huge amounts of data to download in order to just start the app for the first time. [Read More]

Build Your Own App Store: Android Media Distribution for Everyone

Most people get their Android apps from Google Play. It is usually the simplest and most secure option for them. But there are also many people who do not have access to Google Play. This might be due to lack of a proper internet connection or simply because Google Play is blocked within their country. The F-Droid project already offers tools to create independent app distribution channels for Android apps. [Read More]

How can we learn without watching?

What kind of measurement, tracking or analytics do you use, and can you sleep at night with your decision? As part of the Berkman-Klein Assembly program at Harvard, I am working with a team to imagine a next-generation mobile and IoT analytics system that has privacy, confidentiality and anonymity at its core. The hope is we can find ways to learn what our users like and understand how our apps are performing without having to rely on proprietary cloud services, logging liability, network vulnerabilities, and invasive app permissions. [Read More]

Imagining the challenges of developers in repressive environments

The Guardian Project team spends a lot of time thinking about users. In our work we focus on easy-to-use applications for users in high-risk scenarios. Because of this we are very focused on security. In our current work with the F-Droid community to make it a secure, streamlined, and verifiable app distribution channel for high-risk environments, we have started to become more aware of the challenges and risks facing software developers who build software in high-risk environments. [Read More]

New Partnership with Circle of 6 mobile safety app

Circle of 6 Focuses on Security with Guardian Project Partnership. Safety App Will Get End-to-End Encryption and More To Support High-Risk Communities. New York, NY: Two innovative organizations have partnered to bring increased digital security and privacy capabilities to users interested in improved safety for their mobile devices. Tech 4 Good, the developer of Circle of 6, a highly regarded mobile safety app developed to promote safety and health through networks of trust, has partnered with Guardian Project, a leader in mobile security and privacy technologies. [Read More]

Orfox 1.2.1 released

We’ve released a new version of Orfox, our Tor Browser for Android, that contains an important security update to Firefox. This update is based on the latest release of Tor Browser, which was announced with this message: The security flaw responsible for this urgent release is already actively exploited on Windows systems. Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available the underlying bug affects those platforms as well. [Read More]

“If This, Then Panic!” Sample Code for Triggering Emergency Alerts

Earlier this year, we announced the PanicKit Library for Android and Ripple, our basic app for alerting any compatible app that you are in an emergency situation. Rather than build a solitary, enclosed “panic button” app that can only provide a specific set of functionality, we decided, as we often do, to build a framework, and encourage others to participate. Since then, we’ve had over 10 different apps implement PanicKit responder functionality, including Signal, OpenKeyChain, Umbrella app, StoryMaker and Zom. [Read More]

Orfox 1.2: An Overdue Update to Our Privacy-Focused Browser!

Primarily this release is the first in a long while after improving our ability to stay up-to-date with core Tor Browser development. In addition, as Mozilla adds more and more features to the core Firefox, we must review them for any issues related to increased permission requests, access to data, and privacy and network leaks. This is a slow, tedious job, so thank you for your patience. We expect to have more frequent, regular releases moving forward. [Read More]

HOWTO: get all your Debian packages via Tor Onion Services

Following up on some privacy leaks that we looked into a while back, there are now official Debian Tor Onion Services for getting software packages and security updates, thanks to the Debian Sys Admin team. This is important for high risk use cases like TAILS covers, but also it is useful to make it more difficult to do some kinds of targeted attacks against high-security servers. The default Debian and Ubuntu package servers use plain HTTP with unencrypted connections. [Read More]

OpenArchive: Free & Secure Mobile Media Sharing #DWebSummit

I am excited to share another new “mini app” effort we have joined up with, as part of work we are doing to create simple, focused tools that solve a single issue. We also are aiming to build apps that are 1 to 3MB in size, and work on Android phones back to version 2.3, in order to maximize accessibility for a global audience. OpenArchive is one of these efforts. It is a project led by Natalie Cadranel, who received a Knight Foundation prototype grant in 2014. [Read More]

Building the most private app store

App stores can work well without any tracking at all. Attackers are increasingly seeing app stores as a prime attack vector, whether it is aimed at the masses like XCodeGhost or very targeted like in FBI vs Apple. When we install software from an app store, we are placing a lot of trust in a lot of different parties involved in getting the source code from the original developer delivered to our device in a useful form. [Read More]

Data Usage and Protection Policies

At a high level, it is easy to say that “we know nothing”. We do not log data or include analytics in our websites or applications. When we do operate servers to support our applications, they are configured to store as little data as possible, usually just a username and password, if that is required. We also only recommend third party services, such as XMPP services, VoIP services, or Proxy and VPN providers, who abide by these same policies. [Read More]

Copperhead, Guardian Project and F-Droid Partner to Build Open, Verifiably Secure Mobile Ecosystem

Three open-source projects have joined together to announce a new partnership to create an open, verifiably secure mobile ecosystem of software, services and hardware. Led by the work of the Toronto-based CopperheadOS team on securing the core Android OS, Guardian Project and F-Droid have joined in to partner on envisioning and developing a full mobile ecosystem. The goal is to create a solution that can be verifiably trusted from the operating system, through the network and network services, all the way up to the app stores and apps themselves. [Read More]

PanicKit: making your whole phone respond to a panic button

Our mobile devices do so many things for us, making it easy to communicate with people in all manners while giving us access to all sorts of information wherever we are. But in times of anxiety and panic, it is difficult to quickly use them. Will you be too shaky to type in your PIN or lock pattern? Will you have enough time to find your trusted contacts and send them a message? [Read More]

How to Migrate Your Android App’s Signing Key

It is time to update to a stronger signing key for your Android app! The old default RSA 1024-bit key is weak and officially deprecated. What? The Android OS requires that every application installed be signed by a digital key. The purpose behind this signature is to identify the author of the application, allow this author and this author alone to make updates to the app, as well as provide a mechanism to establish inter-application trust. [Read More]

Good translations are essential to usability

All too often, translations of an app are treated as an afterthought. It is not something that the app developers see, since they create the software in languages that work best for them. So the software looks complete to the developers. But for anyone using the software in a different language, translation is essential in order for the app to be useful. If you can’t understand the words that you see in the app’s interface, it is going to be difficult or impossible to use that app. [Read More]

First Reproducible Builds Summit

I was just in Athens for the “Reproducible Builds Summit”, an Aspiration-run meeting focused on the issues of getting all software builds to be reproducible. This means that anyone starting with the same source code can build the exact same binary, bit-for-bit. At first glance, it sounds like this horrible, arcane detail, which it is really. But it provides tons of real benefits that can save lots of time. And in terms of programming, it can actually be quite fun, like doing a puzzle or sudoku, since there is a very clear point where you have “won”. [Read More]

CipherKit reproducible builds

We have been on a kick recently with making our build process support “reproducible builds” aka “deterministic builds”. What is this reproducible thing? Basically, what that means is that you can run a script and end up with the exact same binary file as our official releases, be it an APK, JAR, AAR, whatever. That lets anyone verify that our releases are produced only from the source in git, without including anything else, whether deliberately or accidentally (like malware). [Read More]

Orfox: Aspiring to bring Tor Browser to Android

Update 24 September, 2015: Orfox BETA is now on Google Play: https://play.google.com/store/apps/details?id=info.guardianproject.orfox In the summer of 2014 (https://lists.mayfirst.org/pipermail/guardian-dev/2014-August/003717.html), we announced that the results of work by Amogh Pradeep (https://github.com/amoghbl1), our 2014 Google Summer of Code student, have proven we could build Firefox for Android with some of the settings and configurations from the Tor Browser desktop software. We called this app Orfox, in homage to Orbot and our current Orweb browser. [Read More]