Getting keys into your keyring with Gnu Privacy Guard for Android
Posted on December 6, 2013
| Hans-Christoph Steiner
Now that you can have a full GnuPG on your Android device with Gnu Privacy Guard for Android, the next step is getting keys you need onto your device and included in Gnu Privacy Guard. We have tried to make it as easy as possible without compromising privacy, and have implemented a few approaches, while working on others. There are a few ways to get this done right now.
Gnu Privacy Guard registered itself with Android as a handler of all the standard OpenPGP MIME types (application/pgp-keys, application/pgp-encrypted, application/pgp-signature), as well as all of the OpenPGP and GnuPG file extensions (.
[Read More]
Ostel.co secure VoIP network partners with Open Hosting
Posted on December 3, 2013
| lee
Ostel.co began as a R&D effort sponsored by The Guardian Project. The question: Is a peer-to-peer secure voice and video call network possible to build with open Internet standards and Open Source software? After two years and tens of thousands of users later, the answer is a resounding YES!
Two of the crucial components of any standards based VoIP service are infrastructure to route calls and a database to locate end users.
[Read More]
VoIP security architecture in brief
Posted on November 21, 2013
| lee
Voice over IP (VoIP) has been around for a long time. It’s ubiquitous in homes, data centers and carrier networks. Despite this ubiquity, security is rarely a priority. With the combination of a handful of important standard protocols, it is possible to make untappable end to end encryption for an established VoIP call.
TLS is the security protocol between the signaling endpoints of the session. It’s the same technology that exists for SSL web sites; ecommerce, secure webmail, Tor and many others use TLS for security.
[Read More]
A tag-team git workflow that incorporates auditing
Posted on November 21, 2013
| Hans-Christoph Steiner
Git is as wonderful as it is terrible, it is immensly flexible but also far from intuitive. So to make our lives easier, we try to use git as it was originally intended, as a toolkit for building workflows.
Integration-Manager Workflow We use a simple version of the “
Integration-Manager Workflow“. One key difference is that we often have multiple contributors acting as the integration manager. This means that there is always someone else besides the original author reviewing each commit.
[Read More]
Turn Your Device Into an App Store
Posted on November 18, 2013
| cpu
As we’ve touched upon in previous blog posts the Google Play model of application distribution has some disadvantages. Google does not make the Play store universally available, instead limiting availability to a subset of countries. Using the Play store to install apps necessitates both sharing personal information with Google and enabling Google to remotely remove apps from your device (colloquially referred to as having a ‘kill switch’). Using the Play store also requires a functional data connection (wifi or otherwise) to allow apps to be downloaded.
[Read More]
Your own private dropbox with free software
Posted on November 12, 2013
| Hans-Christoph Steiner
There are lots of file storage and sharing software packages out there that make it easy for a group of people to share files. Dropbox is perhaps the most well known of the group, it provides an easy way for a group of people to share files. The downside of Dropbox is that it is not a private service, just like any cloud-based service. Dropbox has total access to your files that you store there.
[Read More]
Setting up your own app store with F-Droid
Posted on November 5, 2013
| Hans-Christoph Steiner
(_This blog post as now been cooked into an updated HOWTO_)
The Google Play Store for Android is not available in all parts of the world, US law restricts its use in certain countries like Iran, and many countries block access to the Play Store, like China. Also, the Google Play Store tracks all user actions, reporting back to Google what apps have been installed and also run on the phone.
[Read More]
Issues when distributing software
Posted on October 31, 2013
| Hans-Christoph Steiner
There is currently a discussion underway on the Debian-security list about adding TLS and Tor functionality to the official repositories (repos) of Debian packages that is highlighting how we need to update how we think about the risks when distributing software. Mostly, we are used to thinking about making sure that the software that the user is installing is the same exact software that has been posted for distribution. This is generally handled by signing the software package, then verifying that signature on the user’s machine.
[Read More]
ChatSecure v12 Provides Comprehensive Mobile Security and a Whole New Look
Posted on October 24, 2013
| n8fr8
ChatSecure v12 Provides Comprehensive Mobile Security and a Whole New Look The Guardian Project’s award-winning open-source app “Gibberbot” for Android, has been rebranded to “ChatSecure” for its version 12 release, unifying the branding with the iPhone and iPad apps, while offering major updates in security from the device through the network. Download on Google Play or Direct Download now. October 20, New York, NY – The Guardian Project, a New York-based open-source mobile security incubator, has launched version 12 of its well-regarded secure messaging app for Android, rebranding it to “ChatSecure” to unify branding with existing open-source iPhone and iPad apps.
[Read More]
Open Office Hours Every Friday This Fall
Posted on October 16, 2013
| n8fr8
Fri, Oct 18, 1:00 PM EDT – 3:00 PM
Members of the Guardian Project will be hosting weekly public hangouts every Friday for the rest of year to answer questions about our apps (Orbot, Orweb, ChatSecure), building on our mobile security libraries (IOCipher, SQLCipher, NetCipher) and using services like OStel (including how to run your own secure phone service!).
We will also be live in IRC on Freenode at #guardianproject as always for those of you who don’t feel the need to be on camera.
[Read More]
Gibberbot’s “ChatSecure” MakeOver: Almost Done!
Posted on September 20, 2013
| n8fr8
In a previous post with the mouthful of a title “Modernizing Expectations for the Nouveau Secure Mobile Messaging Movement”, I spoke about all of the necessary security features a modern mobile messaging app should have. These include encrypted local storage, end-to-end verifiable encryption over the network, certificate pinning for server connections and a variety of other features. I am VERY happy to report that the latest v12 beta release of the project formerly known as Gibberbot, now called ChatSecure, has all of the features described in that post implemented.
[Read More]
Keeping data private means it must be truly deletable!
Posted on August 23, 2013
| Hans-Christoph Steiner
There are lots of apps these days that promise to keep your data secure, and even some that promise to wipe away private information mere seconds or minutes after it has been received. It is one thing to keep data out of view from people you don’t want seeing it, it is also important to be able to truly delete information. Unfortunately computers make it very difficult to make data truly disappear.
[Read More]
Orweb Security Advisory: Possible IP leakage with HTML5 video/audio
Posted on August 21, 2013
| n8fr8
The Orweb browser app is vulnerable to leak the actual IP of the device it is on, if it loads a page with HTML5 video or audio tags on them, and those tags are set to auto-start or display a poster frame. On some versions of Android, the video and audio player start/load events happen without the user requesting anything, and the request to the URL for the media src or through image poster is made outside of the proxy settings.
[Read More]
Orbot v12 now in beta
Posted on July 24, 2013
| n8fr8
After much too long, we’ve got a new build of Orbot out, and it is… a stable beta! Nothing radically new here, just many small changes to continue to improve the experience of our hundreds of thousands of active users out in the world. There will likely be one or two more “beta” releases to iron out small issues in v12, but for now, this one is good to go.
[Read More]
Jitsi, ostel.co and ISP censorship
Posted on July 22, 2013
| lee
Earlier last week n8fr8 suspected something changed on the ostel.co server, due to many users emailing support specifically about Jitsi connectivity to ostel.co. The common question was “why did it work a few weeks ago and now it doesn’t anymore?”
The tl;dr follows, skip to keyword CONCLUSION to hear only the punch line.
To support n8fr8’s hypothesis, there was a small change to the server but I wan’t convinced it effected anything since all my clients continued to work properly, including Jitsi.
[Read More]
Our Newest App: PixelKnot
Posted on July 18, 2013
| mark
Have you ever hidden in plain sight? Worn camouflage in the woods or an invisibility cloak in a narrow crooked alley? It’s really hard to do properly. We’re hoping that all changes with PixelKnot.
PixelKnot is an app for hiding secret messages in pictures. Sort of like invisible ink on the back of a painting, updated to the present. The ancient art known as steganography, now updated for the 21st century and requiring a more rigorous set of safety standards.
[Read More]
Modernizing Expectations for the Nouveau Secure Mobile Messaging Movement
Posted on July 16, 2013
| n8fr8
The tl;dr of this lengthy (tho entertaining and immensely important!) post is this: Stopping with “We support OTR” or “We support PGP” is not enough anymore. There are at least seven, if not more, very important security features that any app claiming to provide secure messaging must implement as soon as possible, to truly safeguard a user’s communication content, metadata and identity.
Note: The names “Gibberbot” and “ChatSecure” are used interchangeabley below, as we are in the midst of an app rebrand.
[Read More]
Building, Securing, and Anonymizing Android Apps
Posted on July 5, 2013
| mark
Calling all Android devs: Tuesday, July 9, 2013 - 12:30 PM to 1:30 PM Live on the web: livestream Live in person (with RSVP) Pivotal Labs 841 Broadway, 8th Floor, New York, NY (map) Please join us for lunch and crypto-talk with Hans-Christoph Steiner of the Guardian Project. Hans will talk about the how and why of building secure mobile applications that keep the user's data encrypted and hidden from prying eyes.
[Read More]
A Weather Report On Security
Posted on June 14, 2013
| mark
How’s the weather outside? Sunny with a chance of IP blocking.
We recently launched a new initiative we’re calling: The Weather Repo. The goal of the project is for organizations to have a more accurate method of understanding whether the apps they’re using are “safe”. It’s hard to know whether apps that claim to be secure really are. Have they been vetted by a third party? Are there existing case studies?
[Read More]
Carrier Grade, Verizon and the NSA
Posted on June 12, 2013
| lee
Last week Glenn Greenwald at The Guardian broke the news that Verizon has been providing the NSA with metadata about all of the calls over a subsidiary’s network. This subsidiary is called Verizon Business Network Services. It is a privately held company that “owns, operates, monitors, and maintains data and Internet networks in North America, Europe, Asia, Latin America, Australia, Japan, and Africa. The company provides converged communication solutions, such as local and long-distance voice, messaging, and Internet access services.
[Read More]