Reducing metadata leakage from software updates
Posted on October 16, 2014
| Hans-Christoph Steiner
Update: now you can do this with Tor Onion Services
Many software update systems use code signing to ensure that only the correct software is downloaded and installed, and to prevent the code from being altered. This is an effective way to prevent the code from being modified, and because of that, software update systems often use plain, unencrypted HTTP connections for downloading code updates. That means that the metadata of what packages a machine has installed is available in plain text for any network observer, from someone sitting on the same public WiFi as you, to state actors with full network observation capabilities.
[Read More]
CipherKit updates: IOCipher and CacheWord
Posted on September 26, 2014
| Hans-Christoph Steiner
We’ve been on a big kick recently, updating the newest members of our CipherKit family of frameworks: IOCipher and CacheWord. There also are is a little news about the original CipherKit framework: SQLCipher-for-Android.
IOCipher v0.2 IOCipher is a library for storing files in an encrypted virtual disk. It’s API is the exact same as java.io for working with files, and it does not need root access. That makes it the sibling of SQLCipher-for-Android, both are native Android APIs that wrap the SQLCipher database.
[Read More]
Question: central server, federated, or p2p? Answer: all!
Posted on September 18, 2014
| Hans-Christoph Steiner
There are many ideas of core architectures for providing digital services, each with their own advantages and disadvantages. I break it down along the lines of central servers, federated servers, and peer-to-peer, serverless systems.
a central service with clients connecting to it Most big internet companies operate in effect as a central server (even though they are implemented differently). There is only facebook.com, there are no other services that can inter-operate with facebook.
[Read More]
ChatSecure for Android v14 is FINALLY here!
Posted on September 10, 2014
| n8fr8
I am so happy to announce that ChatSecure for Android v14 IS FINALLY HERE!
BUT This is our first “release candidate” of v14 for public use, and while we love it dearly, you may want to wait for 14.0.1 for us to work out any hiccups.
The update should be out on Google Play shortly, and FDroid in the next few days. Otherwise, you can always download the APK direct from us:
[Read More]
ChatSecure 13.2: Important Beta!
Posted on August 5, 2014
| n8fr8
Today is the first public beta of ChatSecure v13.2, an important update of the user interface, networking code, and overall stability. We’ve spent the last six months tracking down crashes, memory leaks and performance issues, and have reached a stable, functional point which we want to share for public use. Reliability and simplicity our the goals, as we move towards v14 in the next few months.
This beta also features a new account setup wizard that we are eager for feedback on.
[Read More]
Introducing TrustedIntents for Android
Posted on July 30, 2014
| Hans-Christoph Steiner
Following up on our research on secure Intent interactions, we are now announcing the first working version of the TrustedIntents library for Android. It provides methods for checking any Intent for whether the sending and receiving app matches a specified set of trusted app providers. It does this by “pinning” to the signing certificate of the APKs. The developer includes this “pin” in the app, which includes the signing certificate to trust, then TrustedIntents checks Intents against the configured certificate pins.
[Read More]
New Official Guardian Project app repo for FDroid!
Posted on June 30, 2014
| Hans-Christoph Steiner
We now have an official FDroid app repository that is available via three separate methods, to guarantee access to a trusted distribution channel throughout the world! To start with, you must have FDroid installed. Right now, I recommend using the latest test release since it has support for Tor and .onion addresses (earlier versions should work for non-onion addresses):
https://f-droid.org/repo/org.fdroid.fdroid_710.apk
In order to add this repo to your FDroid config, you can either click directly on these links on your devices and FDroid will recognize them, or you can click on them on your desktop, and you will be presented with a QR Code to scan.
[Read More]
Recent news on Orweb flaws
Posted on June 30, 2014
| n8fr8
August 2014: New browser development news here, including Orfox, our Firefox-based browser solution: https://lists.mayfirst.org/pipermail/guardian-dev/2014-August/003717.html
On Saturday, a new post was relased by Xordern entitled IP Leakage of Mobile Tor Browsers. As the title says, the post documents flaws in mobile browser apps, such as Orweb and Onion Browser, both which automatically route communication traffic over Tor. While we appreciate the care the author has taken, he does make the mistake of using the term “security” to lump together the need for total anonymity up with the needs of anti-censorship, anti-surveillance, circumvention and local device privacy.
[Read More]
Our first deterministic build: Lil’ Debi 0.4.7
Posted on June 9, 2014
| Hans-Christoph Steiner
We just released Lil’ Debi 0.4.7 into the Play Store and f-droid.org. It is not really different than the 0.4.6 release except in has a new, important property: the APK contents can be reproduced on other machines to the extent that the APK signature can be swapped between the official build and builds that other people have made from source, and this will still be installable. This is known as a “deterministic build” or “reproducible build”: the build process is deterministic, meaning it runs the same way each time, and that results in an APK that is reproducible by others using only the source code.
[Read More]
Orbot now at v14.0.0 build 100!
Posted on June 7, 2014
| n8fr8
The latest Orbot is out soon on Google Play, and by direct download from the link below:
Android APK: https://guardianproject.info/releases/orbot-latest.apk
(PGP Sig)
The major improvements for this release are:
Uses the latest Tor 0.2.42.22 stable version Fix for recent OpenSSL vulnerabilities Addition of Obfuscated Bridges 3 (Obfs3) support Switch from Privoxy to Polipo (semi-experimental) and much more… see the CHANGELOG link below for all the details.
The tag commit message was “updating to 14.
[Read More]
Automatic, private distribution of our test builds
Posted on June 6, 2014
| Hans-Christoph Steiner
One thing we are very lucky to have is a good community of people willing to test out unfinished builds of our software. That is a very valuable contribution to the process of developing usable, secure apps. So we want to make this process as easy as possible while keeping it as secure and private as possible. To that end, we have set up an FDroid repository of apps generated from the test builds that our build server generates automatically every time we publish new code.
[Read More]
Reset The Net!
Posted on June 4, 2014
| n8fr8
We’re making the Internet more secure, by taking part in #ResetTheNet https://resetthenet.org
Security in a thumb drive: the promise and pain of hardware security modules, take one!
Posted on March 28, 2014
| Hans-Christoph Steiner
Hardware Security Modules (aka Smartcards, chipcards, etc) provide a secure way to store and use cryptographic keys, while actually making the whole process a bit easier. In theory, one USB thumb drive like thing could manage all of the crypto keys you use in a way that makes them much harder to steal. That is the promise. The reality is that the world of Hardware Security Modules (HSMs) is a massive, scary minefield of endless technical gotchas, byzantine standards (PKCS#11!
[Read More]
Eric Schmidt Awards Guardian Project a “New Digital Age” Grant
Posted on March 10, 2014
| n8fr8
An interesting turn of events (which we are very grateful for!)
**
FOR IMMEDIATE RELEASE
Diana Del Olmo, diana@guardianproject.info
Nathan Freitas (in Austin / SXSW) +1.718.569.7272
nathan@guardianproject.info
Get press kit and more at: https://guardianproject.info/press
Permalink:
https://docs.google.com/document/d/1kI6dV6nPSd1z3MkxSTMRT8P9DcFQ9uOiNFcUlGTjjXA/edit?usp=sharing
GOOGLE EXECUTIVE CHAIRMAN ERIC SCHMIDT AWARDS GUARDIAN PROJECT A “NEW DIGITAL AGE” GRANT
The Guardian Project is amongst the 10 chosen grantee organizations to be awarded a $100,000 digital age grant due to its extensive work creating open source software to help citizens overcome government-sponsored censorship.
[Read More]
Tweaking HTTPS for Better Security
Posted on February 12, 2014
| Hans-Christoph Steiner
The HTTPS protocol is based on TLS and SSL, which are standard ways to negotiate encrypted connections. There is a lot of complexity in the protocols and lots of config options, but luckily most of the config options can be ignored since the defaults are fine. But there are some things worth tweaking to ensure that as many connections as possible are using reliable encryption ciphers while providing forward secrecy. A connection with forward secrecy provides protection to past transactions even if the server’s HTTPS private key/certificate is stolen or compromised.
[Read More]
Improving trust and flexibility in interactions between Android apps
Posted on January 21, 2014
| Hans-Christoph Steiner
Activity1 sending an Intent that either Activity2 or Activity3 can handle. Android provides a flexible system of messaging between apps in the form of `Intent`s. It also provides the framework for reusing large chunks of apps based on the `Activity` class. `Intent`s are the messages that make the requests, and `Activity`s are the basic chunk of functionality in an app, including its interface. This combination allows apps to reuse large chunks of functionality while keeping the user experience seamless and fluent.
[Read More]
Four Ways InformaCam Powers Mobile Media Verification
Posted on January 6, 2014
| n8fr8
Note: A big discussion topic of 2013 was about how hard cryptography and security is for average people, journalists and others. With that in mind, we’d like to sub-title this post “Making Mobile Crypto Easy for Eyewitnesses”, as the InformaCam software and process described below includes the full gamut of security and cryptography tools all behind a streamlined, and even attractive application user experience we are quite proud of….
[Read More]
Integrating Crypto Identities with Android
Posted on December 28, 2013
| Hans-Christoph Steiner
ver the past couple of years, Android has included a central database for managing information about people, it is known as the ContactsContract (that’s a mouthful). Android then provides the People app and reusable interface chunks to choose contacts that work with all the information in the ContactsContract database. Any time that you are adding an account in the Settings app, you are setting up this integration. You can see it with Google services, Skype, Facebook, and many more.
[Read More]
Keys, signatures, certificates, verifications, etc. What are all these for?
Posted on December 12, 2013
| Hans-Christoph Steiner
For the past two years, we have been thinking about how to make it easier for anyone to achieve private communications. One particular focus has been on the “security tokens” that are required to make private communications systems work. This research area is called internally Portable Shared Security Tokens aka PSST. All of the privacy tools that we are working on require “keys” and “signatures”, to use the language of cryptography, and these are the core of what “security tokens” are.
[Read More]
SQLCipher has 100M+ Mobile Users (Thanks to WeChat!)
Posted on December 10, 2013
| n8fr8
(Note: Originally this post had a title claiming 300 Million WeChat users… that would have included iOS and Android, and we don’t know if the WeChat iOS app also includes SQLCipher encryption or not. That said, there are 50-100M Google Play downloads of WeChat for Android, which does not include all of the users inside China)
Through some of our own recent sluething, Citizen Lab’s research into “Asia Chats” security, and now via this detailed look at WeChat security from Emaze.
[Read More]