Development on Guardian Project

IOCipher 1.0 community reboot

Sat, 01 Feb 2025 00:00:00 +0000

IOCipher update to version 1.0

We are thrilled to announce that a community contributor has picked up maintaining a fork of IOCipher and updated to IOCipher 1.0, designed to enhance your development experience and empower you to create more secure applications with ease. Here’s what’s new and why it matters to you:

1. Enhanced Features

We introduced a few new features. Most notably IOCipher is also available on Desktop Java for Linux and Windows now. (Although not all IOCipher features are fully supported on Windows). The latest release even includes some example code for accessing IOCipher VFS using Python.

Achieve Onion Layers of Security with the Triad of Apple-tizing Apps!

Tue, 25 Jul 2023 00:00:00 +0000

Our summer intern Alfred just graduated high-school and is preparing to attend a major university to focus on a technical degree. He has a personal interest in privacy and security, and is working with us on a variety of projects this summer as part of a broad, crash-course in all things Guardian Project!

Last week, I worked with three different apps for the iPhone that, when they work together, allow for a secure and private mobile internet experience. Since they all build on the Tor Network, they also offer an untraceable way to share and download media. My task was to test the user experience in these apps and see how they interact with each other and to make sure that they’re working in the intended ways following a test plan.

Improving Usability of Tor on Smartphones in Latin America

Fri, 02 Jun 2023 00:00:00 +0000

Between 2022 and 2023 Guardian Project, with support from Okthanks and the Tor Project, organized and participated in a total of 12 workshops in Ecuador, Mexico and Brazil with the participation of 161 people. The workshops focused both on the broad topic of “Tor for Smartphones”, while also taking deeper dives into specific topics like virtual private networks VPNs) and anonymous web browsing. Through a variety of methods, we gathered feedback from the participants in each of those sessions. We also ran detailed individual tests with volunteers to collect insights related to new features and usability improvements on specific apps. Our top takeaways from this process were, as follows:

Privacy Preserving Analytics in the Real World: Mailvelope Case Study

Mon, 28 Feb 2022 00:00:00 +0000

We love Mailvelope. It’s a popular browser extension for encrypting email messages. Now, Clean Insights is helping Mailvelope understand which webmail providers are most popular with their users so they can prioritize their development efforts.

Anyone who has written software knows it takes hard work to craft a great user experience. That’s even more challenging in Mailvelope’s case. Their browser extension integrates with more than a dozen ever-changing third party webmail interfaces. The Mailvelope team asks itself questions like, “Is time better spent improving the GMail integration or the mailbox.org one?” The answer often hinges on which providers are most popular among Mailvelope users, information not yet readily available to the Mailvelope team.

Implementing TLS Encrypted Client Hello

Tue, 30 Nov 2021 00:00:00 +0000

As part of the DEfO project, we have been working on accelerating the development Encrypted Client Hello (ECH) as standardized by the IETF. ECH is the next step in improving Transport Layer Security (TLS). TLS is one of the basic building blocks of the internet, it is what puts the S in HTTPS. The ECH standard is nearing completion. That is exciting because ECH can encrypt the last plaintext TLS metadata that it is possible to encrypt. So ECH will bring some real improvements in privacy and censorship resistance.

New insights into clean analytics

Tue, 02 Mar 2021 00:00:00 +0000

There is a giant problem with the “collect it all” status quo that pervades on the Internet, this has been clear for a long time. Tracking people has become so widespread that organizations, communities, projects and university labs have sprung up dedicated to detecting and publicizing their presence. Data and analytics are clearly useful for software creators and funders, but they also easily lead to harming people’s privacy and well-being. The past year of work on Clean Insights has clarified our goals to make analytics possible without injuring the very people we aim to serve. Clean Insights takes the world of data analytics and turns it on its head. The Clean Insights approach starts with thinking about the data, then choosing only the data that is clearly safe to use. A user’s location, complete device description, or other identifying information is dangerous to gather. A simple count of how many times a feature was used, or a webpage was visited, can be gathered without links to people.

Usability: the wonderful, powerful idea that betrayed us

Thu, 18 Feb 2021 00:00:00 +0000

Usability triggered a revolution in computing, taking arcane number crunching machines and making them essential tools in so many human endeavors, even those that have little to do with mathematics. It turned the traditional design approach on its head. Initially, experts first built a system then trained users to follow it. User experience design starts with goals, observes how people actually think and act in the relevant context, then designs around those observations, and tests with users to ensure it fits the users’ understanding. These ideas were pioneered in the Silicon Valley. This was driven by the unusual confluence of a pioneering spirit and deep engineering skills. That merged with a strong counter-culture looking to empower individuals and communities. So much of the best of digital technology has its roots in these ideas. I feel fortunate to have grown up immersed in these ideas in the Silicon Valley of the 70s and 80s, and still feel that sense of idealism that these ideas can truly make the world a better place.

Clean Insights: February 2021 Update on Privacy-Preserving Measurement

Wed, 10 Feb 2021 00:00:00 +0000

Greetings, all. I hope this finds you healthy and well, finding ways to enjoy the season (whichever it may be). While everyday still provides new challenges in the life of our team at Guardian Project, we continue to strive to be productive as productive as we can be in our professional and personal lives.

I’ve just posted an updated presentation on Clean Insights, reflecting on the symposium in May, and the work we have done since then. You can see and share it from here:

New Data Sources: API Key Identifiers and BroadcastReceiver Declarations

Tue, 15 Dec 2020 00:00:00 +0000

A central focus of the Tracking the Trackers project has been to find simple ways to detect whether a given Android APK app file contains code which tracks the user. The ideal scenario is a simple program that can scan the APK and tell a non-technical user whether it contains trackers, but as decades of experience with anti-virus and malware scanners have clearly demonstrated, scanners will always contain a large degree of approximation and guesswork. Tracking the Trackers grew out of experiments in using machine learning to detect malware. This provided the spark to apply this to privacy issues.

εxodus ETIP: The Canonical Database for Tracking Trackers

Fri, 11 Dec 2020 00:00:00 +0000

There is a new story to add to the list of horrors of Surveillance Capitalism: the United States’ Military is purchasing tracking and location data from companies that track many millions of people. We believe the best solution starts with making people aware of the problem, with tools like Exodus Privacy. Then they must have real options for stepping out of “big tech”, where tracking dominates. F-Droid provides Android apps that are reviewed for tracking and other “anti-features”, and F-Droid is built into mobile platforms like CalyxOS that are free of proprietary, big tech software.

Distribution in Depth: Mirrors as a Source of Resiliency

Mon, 07 Dec 2020 00:00:00 +0000

There are many ways to get the apps and media, even when the Internet is expensive, slow, blocked, or even completely unavailable. Censorshop circumvention tools from ShadowSocks to Pluggable Transports can evade blocks. Sneakernets and nearby connections work without any network connection. Hosting on Content Delivery Networks (CDNs) can make hosting drastically cheaper and faster. One method that is often overlooked these days is repository mirrors. Distribution setups that support mirrors give users the flexibility to find a huge array of solutions for problems when things are not just working. Mirrors on local networks can be much cheaper. Mirrors in specific countries are often not blocked or filtered. Mirrors can be copied onto portable storage and moved to where the users are.

Managing offline maps with F-Droid and OsmAnd

Sat, 28 Nov 2020 00:00:00 +0000

When disaster strikes, our mobile devices can provide us with many tools to deal with a wide variety of problems. The internet is not available in every corner of the planet, and large scale outages happen. Digital maps allow us to carry detailed maps of the entire planet in our pockets. And the good map apps allow the user to download entire regions to the device so that they operate without internet at all. Unfortunately, the big map apps from Google and Apple provide limited offline capabilities. For example, it is not possible to share offline data from one device to another. Online maps are also a major privacy leak, since location data is the most sensitive data. With online maps, the service operator sees each tile of the map that you look at, each time you look at it, as well as all the locations you search for.

Easy translation workflows and the risks of translating in the cloud

Mon, 08 Jun 2020 00:00:00 +0000

Crowdsourced translation has opened up software and websites to whole new languages, regions, and uses. Making translating easier has brought in more contributors, and deploying those languages requires less work. A number of providers now offer “live”, integrated translation, speeding up the process of delivering translated websites. On the surface, this looks like a big win. Unfortunately, the way such services have been implemented opens up a big can of worms. Third parties must be trusted with user data. The translators cannot work without being tracked. Displaying the translation requires JavaScript. The security profile is more complicated and harder to defend.

Free Software Tooling for Android Feature Extraction

Wed, 06 May 2020 00:00:00 +0000

As part of the Tracking the Trackers project, we are inspecting thousands of Android apps to see what kinds of tracking we can find. We are looking at both the binary APK files as well as the source code. Source code is of course easy to inspect, since it is already a form that is meant to be read and reviewed by people. Android APK binaries are a very different story. They are first and foremost a machine-executable format. On top of that, many developers deliberately obfuscate as much as possible in the APK to resist inspection.

"Features" for Finding Trackers

Tue, 28 Apr 2020 00:00:00 +0000

One key component of the Tracking the Trackers project is building a machine learning (ML) tool to aide humans to find tracking in Android apps. One of the most important pieces of developing a machine learning tool is figuring out which “features” should be fed to the machine learning algorithms. In this context, features are constrained data sets derived from the whole data set. In our case, the whole data set is terabytes of APKs. This post is an outline of the features that we are focusing on in this current project.

Figuring Out Crowdsourced Translation of Websites

Thu, 23 Apr 2020 00:00:00 +0000

Crowdsourced translation platforms like Weblate, Transifex, Crowdin, etc. have proven to be a hugely productive way to actively translate apps and desktop software. Long form texts like documentation and websites remain much more work to translate and keep translated. Many translation services currently support Markdown and HTML, but very basically, which means much more work for translators and webmasters. Translators can inadvertently break things, either with a typo or because of a lack of knowledge of a specific syntax. This can make the whole page layout break. Webmasters and documentation maintainers must carefully check the process to ensure everything is working smoothly. With the spread of Markdown as a standard format, there is now hope! Software developers can focus efforts on the Markdown translation workflow, and Markdown is more tolerant of syntax errors than HTML.

Tracking the Trackers: using machine learning to aid ethical decisions

Thu, 16 Jan 2020 00:00:00 +0000

F-Droid is a free software community app store that has been working since 2010 to make all forms of tracking and advertising visible to users. It has become the trusted name for privacy in Android, and app developers who sell based on privacy make the extra effort to get their apps included in the F-Droid.org collection. These include Nextcloud, Tor Browser, TAZ.de, and Tutanota. Auditing apps for tracking is labor intensive and error prone, yet ever more in demand. F-Droid already has tools to aide contributors in this process, visible in the app submission and Request For Packaging (RFP) issue trackers. We also have functional prototypes of using machine learning to drastically speed up this process by augmenting humans, rather than replacing them.

IOCipher 64-bit builds

Mon, 07 Oct 2019 00:00:00 +0000

IOCipher v0.5 includes fulil 64-bit support and works with the latest SQLCipher versions. This means that the minimum supported SDK version had to be bumped to android-14, which is still older than what Google Play Services and Android Support libraries require.

One important thing to note is that newer SQLCipher versions require an upgrade procedure since they changed how the data is encrypted. Since IOCipher does use a SQLCipher database, and IOCipher virtual disks will have to be upgraded. That can be done by directly using the SQLCipher migration method on your IOCipher database files before opening them again. It should be possible to stick with SQLCipher v3.5.9 to avoid this, but this has not been tested.

Tor Project: Orfox Paved the Way for Tor Browser on Android

Tue, 03 Sep 2019 00:00:00 +0000

Last month, we tagged the final release of Orfox, an important milestone for us in our work on Tor. Today, we pushed this final build out to all the Orfox users on Google Play, which forces them to upgrade to the official Tor Browser for Android..

Our goal was never to become the primary developer or maintainer of the “best” tor-enabled web browser app on Android. Instead, we chose to act as a catalyst to get the Tor Project and the Tor Browser development team themselves to take on Android development, and upstream our work into the primary codebase. This has happened, and it is a great news for everyone. The work for developing and updating Tor Browser on the desktop and Android are now coordinated and synchronized, and end-users benefit from more frequent updates and improvements.

NetCipher update: global, SOCKS, and TLSv1.2

Tue, 25 Jun 2019 00:00:00 +0000

NetCipher has been relatively quiet in recent years, because it kept on working, doing it was doing. Now, we have had some recent discoveries about the guts of Android that mean NetCipher is a lot easier to use on recent Android versions. On top of that, TLSv1.2 now reigns supreme and is basically everywhere, so it is time to turn TLSv1.0 and TLSv1.1 entirely off.

A single method to enable proxying for the whole app

As of Android 8.0 (26 aka Oreo), it is now possible to set a URLStreamHandlerFactory, which creates URLConnection instances with custom configurations. If an app is using the built-in HttpURLConnection API for its networking, it is now possible to enable global proxying with a single method call when the app starts: NetCipher.useGlobalProxy(). Then the actual proxy configuration can be set dynamically, using things like NetCipher.useTor() or NetCipher.clearProxy().

PanicKit 1.0: built-in panic button and full app wipes

Tue, 04 Jun 2019 00:00:00 +0000

Panic Kit is 1.0! After over three years of use, it is time to call this stable and ready for widespread use.

Built-in panic button

This round of work includes a new prototype for embedding PanicKit directly into Android. Android 9.0 Pie introduced a new “lockdown” mode which follows some of the patterns laid out by PanicKit. There is an Enter lockdown button available on the power button menu, so it is rapidly available. This is a great panic trigger button, so we made a prototype of a System Settings app that lets users connect the full flexibility of PanicKit responses to this Enter lockdown button. The functionality that Google links to this new button is extremely limited, it seems to be a one time restriction on how you login. The PanicKit responses are in addition to what Google included. CalyxOS is working to integrate this, look for test releases soon!

IOCipher is the antidote to “Man-in-the-Disk” attack

Fri, 17 Aug 2018 16:56:00 -0400

Recently, at DEFCON 2018, researchers at Check Point announced a new kind of attack made possible by the way many Android apps are implemented. In summary, developers use the shared external storage space in an unsafe manner, by not taking into consideration that other apps also have read and write access to the same space. A malicious app can modify data used by another app, as a vector for compromising that app, causing it to be compromised or crash.

Haven: Building the Most Secure Baby Monitor Ever?

Fri, 22 Dec 2017 09:07:00 -0400

About eight months ago, friends at the Freedom of the Press Foundation reached out to us, to see if we were interested in prototyping an idea they had been batting around. They knew that from projects like CameraV and Proofmode, that we knew how to tap into the sensors on smartphones to do interesting things. They also knew we could connect devices together using encrypted messaging and onion routing, through our work on ChatSecure and Tor (Orbot!). They also knew of our deep interest in bringing ideas to life that can solve real problems faced by people out on the front lines (both at home and abroad), who often are more in danger from physical threats, than digital. They had a concept that would bring all of these things together, and just wanted to see if it was even possible. We were game, and well, here we are today, announcing a real working public beta, and a new open-source project, that we are extremely excited about.

No more “Root” features in Orbot… use Orfox & VPN instead!

Fri, 27 Oct 2017 13:02:02 -0400

Since I first announced the available of Orbot: Tor for Android about 8 years ago (wow!), myself and others have been working on various methods in which to make the capabilities of Tor available through the operating system. This post is to announce that as of the next, imminent release, Orbot v15.5, we will no longer be supporting the Root-required “Transproxy” method. This is due to many reasons.

First, it turns out that allowing applications to get “root” access on your device seems like a good idea, it can also be seen as huge security hole. I am on the fence myself, but considering that the ability to access root features hasn’t been standardized as part of Android, which 8 years ago I hoped it would, it means there are a whole variety of ways that this capability is managed and safeguarded (or not, in most cases). At this point in time, given the sophistication we are seeing mobile malware and rootkits, it seems like a capability that we did not want to focus time and energy on promoting.

Repomaker Usability Trainers Worldwide, June 2017

Thu, 29 Jun 2017 08:13:04 -0400

Repomaker Usability, Trainers Worldwide Study

Prepared by Carrie Winfrey and Tiffany Robertson, Okthanks, in partnership with F-Droid and Guardian Project

OK Thanks – Guardian Project

For more information, contact carrie@okthanks.com.

Purpose

The purpose of this study was to understand the following things.

Are users able to complete basic tasks including, creating a repo, adding apps from other repos, removing apps, editing app details, and creating a second repo?
Do participants understand how to get the apps from a repo installed on an Android phone?
Word choice—Do people understand the word repo?
Is repomaker a useful tool to participants?

fdroidserver UX Testing Report

Thu, 01 Jun 2017 04:36:14 -0400

We ran user tests of fdroidserver, the tools for developers to create and manage F-Droid repositories of apps and media. This test was set up to gather usability feedback about the tools themselves and the related documentation. These tests were put together and run by Seamus Tuohy/Prudent Innovation.

Methodology

Participants completed a pretest demographic/background information questionnaire. The facilitator then explained that the amount of time taken to complete the test task will be measured and that exploratory behavior within the app should take place after the tasks are completed.

F-Droid User Testing, Round 2

Mon, 01 May 2017 04:51:24 -0400

by Hailey Still and Carrie Winfrey

****

Here we outline the User Testing process and plan for the F-Droid app store for Android. The key aims of F-Droid are to provide users with a) a comprehensive catalogue of open-source apps, as well as b) provide users with the the ability to transfer any app from their phone to someone in close physical proximity. With this User Test, we are hoping to gain insights into where the product design is successful and what aspects need to be further improved. Main goals are obtaining a baseline user performance and identifying potential design concerns regarding ease of use. An additional goal is to promote F-Droid as an alternative to the Google Play app store.

F-Droid Lubbock Report – What We Want to Know

Mon, 17 Apr 2017 08:07:47 -0400

F-Droid LBK Usability Study Report – What We Want to Know

Prepared by Carrie Winfrey

Preliminary Version – April 17, 2017

Introduction

When planning this user test, the team outlined features and flows within the app on which we wanted feedback. From there, we created tasks for participants to complete that would access these areas, and produce insights related to our inquires.

This document is organized by the tasks participants completed. Initial inquiry questions are outlined under each task, followed by the feedback and observations gained from the test. Last, within each section, I’ve listed suggestions for improvement related to the task.

Proofmode critiques and progress

Thu, 30 Mar 2017 09:53:22 -0400

Bruce Schneier was kind enough to post about our work on Proofmode to his blog. A decent set of comments ensued, which we have considered, measured and weighed. We posted the response below on the post, and now also here. We also received an excellent set of feedback from the Lieberbiber blog. Below are responses to the various concerns raised, and links to work completed or in progress.

At a high level, securely dating files, digital notarization, easy capture of sensor metadata, among other things, are not solved problems. For every day activists around the world, who may only have a cheap smartphone as their only computing device, they have no easy way to do any of these things. Even for high-level war crimes investigators, they are often using consumer point and shoot digital cameras, and documenting everything on paper.

Imagining the challenges of developers in repressive environments

Thu, 26 Jan 2017 09:56:59 -0400

The Guardian Project team spends a lot of time thinking about users. In our work we focus on easy-to-use applications for users in high-risk scenarios. Because of this we are very focused on security. In our current work with the FDroid community to make it a secure, streamlined, and verifiable app distribution channel for high-risk environments we have started to become more aware of the challenges and risks facing software developers who build software in high-risk environments.

“If This, Then Panic!” Sample Code for Triggering Emergency Alerts

Mon, 17 Oct 2016 09:55:22 -0400

Earlier this year, we announced the PanicKit Library for Android and Ripple, our basic app for alerts any compatible app that you are in an emergency situation. Rather than build a solitary, enclosed “panic button” app that only can provide a specific set of functionality, we decided, as we often do, to build a framework, and encourage others to participate. Since then, we’ve had over 10 different apps implement PanicKit responder functionality, including Signal, OpenKeyChain, Umbrella app, StoryMaker and Zom.

How to Migrate Your Android App’s Signing Key

Tue, 29 Dec 2015 12:03:54 -0400

It is time to update to a stronger signing key for your Android app! The old default RSA 1024-bit key is weak and officially deprecated.

What?

The Android OS requires that every application installed be signed by a digital key. The purpose behind this signature is to identify the author of the application, allow this author and this author alone to make updates to the app, as well as provide a mechanism to establish inter-application trust. The Android security model defines an app by two things: the package name (aka packageName, ApplicationID, package) and the signing key. If either of those are different, then Android considers it a different app. When the package name and signing key of one APK match an installed app, then the APK is considered an update and Android will replace the installed app with the APK. If the APK is signed by a different key, then Android will prevent installing and updating.

Hiding Apps in Plain Sight

Thu, 07 May 2015 09:25:10 -0400

Beyond just thinking about encryption of data over the wire, or at rest on your mobile device, we also consider physical access to your mobile device, as one of the possible things we need to defend against. Some of our apps, such as Courier, our secure news reader, include a Panic feature, enabling a user to quickly delete data or remove the app, if they fear their device will be taken from them, whether by a friend, family member, criminal or an authority figure. Most recently, with our work on CameraV, our secure evidence camera app, we have implemented a few more features that help hide the app and its data, in order to block an unintended person from seeing the photos and videos captured by it.

Turn Your Device Into an App Store

Mon, 18 Nov 2013 16:27:30 -0400

As we’ve touched upon in previous blog posts the Google Play model of application distribution has some disadvantages. Google does not make the Play store universally available, instead limiting availability to a subset of countries. Using the Play store to install apps necessitates both sharing personal information with Google and enabling Google to remotely remove apps from your device (colloquially referred to as having a ‘kill switch’). Using the Play store also requires a functional data connection (wifi or otherwise) to allow apps to be downloaded. Often there is a need to quickly bootstrap users during training sessions in countries with unreliable/restricted data connectivity, or in extreme cases, no internet connectivity at all.

Gibberbot’s “ChatSecure” MakeOver: Almost Done!

Fri, 20 Sep 2013 17:19:54 -0400

In a previous post with the mouthful of a title “Modernizing Expectations for the Nouveau Secure Mobile Messaging Movement”, I spoke about all of the necessary security features a modern mobile messaging app should have. These include encrypted local storage, end-to-end verifiable encryption over the network, certificate pinning for server connections and a variety of other features. I am VERY happy to report that the latest v12 beta release of the project formerly known as Gibberbot, now called ChatSecure, has all of the features described in that post implemented. From a feature perspective, it is the most security mobile messaging app ever. We also hope that in reality, in practice, it also is, as we have spent a great deal of effort on security code audits, penetration testing, and responding to the outcomes of those effort, to further harden our app.

Modernizing Expectations for the Nouveau Secure Mobile Messaging Movement

Tue, 16 Jul 2013 00:52:31 -0400

The tl;dr of this lengthy (tho entertaining and immensely important!) post is this: Stopping with “We support OTR” or “We support PGP” is not enough anymore. There are at least seven, if not more, very important security features that any app claiming to provide secure messaging must implement as soon as possible, to truly safeguard a user’s communication content, metadata and identity.

Note: The names “Gibberbot” and “ChatSecure” are used interchangeabley below, as we are in the midst of an app rebrand. Apologies!

GnuPG for Android progress: we have an command line app!

Thu, 09 May 2013 10:48:52 -0400

This alpha release of our command-line developer tool brings GnuPG to Android for the first time!

GNU Privacy Guard Command-Line (gpgcli) gives you command line access to the entire GnuPG suite of encryption software. GPG is GNU’s tool for end-to-end secure communication and encrypted data storage. This trusted protocol is the free software alternative to PGP. GnuPG 2.1 is the new modularized version of GnuPG that now supports OpenPGP and S/MIME.

Lower Bounds of The Narrow Bands

Fri, 22 Feb 2013 09:05:48 -0400

Voice is becoming a standard feature of any messaging app on mobile phones, in various forms using many different protocols. There’s the old guard, whom I will refer to as “Skype”. Some tough questions have been thrown their way by many groups who support a free Internet. There’s Google Voice, which is not really VoIP. Apple is playing around in the hedge maze inside their walled garden with iChat. There’s also Facebook, who is rolling out voice calling in Canada and the USA in their Messenger app on iOS.

IOCipher beta: easy encrypted file storage for your Android app

Thu, 07 Feb 2013 14:45:28 -0400

At long last, we are proud to announce the first beta release of IOCipher, an easy framework for providing virtual encrypted disks for Android apps.

does not require root or any special permissions at all
the API is a drop-in replacement for the standard java.io.File API, so if you have ever worked with files in Java, you already know how to use IOCipher
works easiest in an app that stores all files in IOCipher, but using standard java.io with IOCipher is possible
supports android-7 v2.1 and above
licensed under the LGPL v3+

You can download it here:

report on IOCipher beta dev sprint

Thu, 31 Jan 2013 19:45:44 -0400

We are just wrapping up an intensive dev sprint on IOCipher in order to get the first real beta release out, and it has been a wonderfully productive session on many levels! Before we started this, we had a proof-of-concept project that was crashy and ridiculously slow. We’re talking crashes every 100 or so transactions and 9 minutes to write 2 megs. Abel and I were plodding thru the bugs, trying to find the motivation to dive into the hard problems in the guts of some of the more arcane parts of the code. Aaron Huttner of Gryphn found IOCipher while developing their Gryphn Secure Text Messaging and thought it was a remarkable easy way to add encrypted storage of files, and it worked quickly for him, so he included it his app before we had even announced an alpha release (thanks again for the vote of confidence!).

Proposal for Secure Connection Notification on Android

Thu, 15 Nov 2012 10:07:49 -0400

A major problem of mobile applications being increasingly used over web-based applications, is that there is no standard established for notifying the user of the state of security on the network connection. With a web browser, the evolution of the “lock” icon when an HTTPS connection is made, has been one that evolved originally out of Netscape’s first implementation, to an adhoc, defact industry-standard way of letting the user know if their connection is secure. Beyond just a binary on/off, the lock icon is also the entry point into viewing more information about the digital security tokens, keys and certificates that are powering the connection – who authorized them, who requested them, and so on. More recently, with browsers such as Chrome, there has been the user of color schemes (Green is good, Red is bad), verified domain display and other indicators to help ensure the user knows when to trust their connection, and when to be wary.

Sometimes the best solution is a library, not an app

Mon, 27 Aug 2012 12:30:15 -0400

Our general approach to software development starts with surveying existing solutions that are available and in use, to see if there is already enough of an ecosystem or whether we need to seed that. When there is already an adundance of tools and apps out there, we work to find the good ones, provide feedback and auditing, and then build apps and tools to fill in any gaps. For example, this was our approach in the Open Secure Telephony Network.

IOCipher lives! encrypted virtual file system for Android

Thu, 17 May 2012 16:44:35 -0400

Nathan and I just got the first complete test of IOCipher working in the IOCipherServer/SpotSync app. We created a filesystem sqlite.db file, then mounted it and got all the files via HTTP. In the test suite, I have lots of operations all running fine and encrypting! The core idea here is a java.io API replacement that transparently writes to an encrypted store. So for the most part, just change your import statements from:

Cross-Domain calling, or “toll-free long distance VoIP”

Fri, 04 May 2012 17:34:30 -0400

In a standard OSTN configuration, the Fully Qualified Domain Name (FQDN) of the server running Freeswitch is a core dependency to operate the service. For example, the domain ostel.me was first configured as a DNS record, a server was bootstrapped with ostel.me as the local hostname and a Freeswitch cookbook was run using the Chef automation system. Because the domain was configured both in DNS and locally, the cookbook has enough information to automatically build an operational OSTN node.

Mobile mesh in a real world test

Wed, 02 May 2012 15:37:37 -0400

Nathan, Mark, Lee, and I tried some OLSR mesh testing during the May Day protests and marches. We were able to get 4 devices to associate and mesh together, but not without some trials and travails. Two pairs of devices setup two separate BSSIDs, so were on separate networks. We turned them all off, then associated them one at a time, and then they all got onto the same BSSID and olsrd started doing its thing. This made us think that we should just use a hard-coded BSSID in the setup, with a preference to allow standard ad-hoc association to find a BSSID.

User scenarios to guide our crypto development

Sat, 14 Apr 2012 20:16:03 -0400

At Guardian Project, we find user-centered development to be essential to producing useful software that addresses real world needs. To drive this, we work with user stories and scenarios as part of the process of developing software. One particular development focus is the Portable Shared Security Token (PSST) project, which aims to make it easy to use encryption across both mobile and desktop computers, as well as keep the stores of cryptographic identities (i.e. trusted keys, certificates, etc) in sync between devices.

Transparent encrypted virtual disks for Android (we call it IOCipher)

Tue, 03 Apr 2012 13:16:41 -0400

When using phones, laptops, computers, etc. it feels like a private experience, as if our screen was the same as a piece of paper, and when that paper is gone, then no one can see it anymore. Digital media works very differently. While the user interface portrays the deletion of files as very final, for someone with the right tools, it is actually not hard to recover deleted files. Also, digital information takes up so little space, we now regularly carry vast amounts of information in our pockets. Our phones have become amazingly powerful computers, storing as many photos, videos, documents, etc. in our pockets as would have required a room not so long ago. So when you lose this phone, or it gets stolen, or accessed against your wishes, the lies of the interface are laid bare, and vast troves of your information is now in someone else’s hands. So how can we capitalize on all this power without giving up control of our information?

Knight News funding of SecureSmartCam = a #WIN for open-source mobile security

Thu, 29 Mar 2012 12:07:47 -0400

Along with our partner WITNESS, we’ve entered our SecureSmartCam project into the Knight News Challenge, and we need your support to get to the next round.

Here’s a bit more about the challenge:

The Knight News Challenge, an international media innovation contest, is evolving – and will be offered three times, with three different topics. The first challenge will be centered on networks, and will accept applications Feb. 27 – March 17. The Networks challenge round seeks projects that use the best of existing software and platforms – those already integrated into people’s lives – to find new ways to convey news and information.

Call My Email

Thu, 22 Mar 2012 16:31:45 -0400

What if you could call me directly through my email? No exchanging of phone numbers or searching for handles on Skype. Just plain and simple email. Now what if we can make that phone call as secure as it is easy. That’s the goal of what we’re doing here at Open Secure Telephony Network (OSTN).

On Verifying Identity Using Cryptography

Mon, 19 Mar 2012 11:27:51 -0400

One of the most important uses of cryptography these days is verifying the identity of the other side of a digital conversation. That conversation could be between two people using OTR-encrypted IM, a web browser showing a bank website, a Debian Developer uploading a package to the Debian build server, an ssh client logging into an ssh server, and on and on. In all of these cases, cryptography is used to ensure that the software is indeed receiving replies from the expected entity. This happens by checking the current cryptographic key against one that is known to be correct. That is essential to the whole process. If you see the key for the first time, you have no way of knowing whether that is indeed the key you are expecting because there is no point of reference.

Adventures in Porting: GnuPG 2.1.x to Android!

Thu, 15 Mar 2012 13:00:30 -0400

PGP started with Phil Zimmerman’s Pretty Good Privacy, which is now turned into an open IETF standard known as OpenPGP. These days, the reference OpenPGP platform seems to be GnuPG: its used by Debian and all its derivatives in the OS itself for verifying packages and more. It is also at the core of all Debian development work, allowing the very diffuse body of Debian, Ubuntu, etc developers to communicate and share work effectively while maintaining a high level of security. It is also used for email encryption in Thunderbird + Enigmail, Apple Mail + GPGMail, GNOME Evolution, KDE KMail, Microsoft Outlook + Gpg4win.

Our new F-Droid App Repository (out of date!)

Thu, 15 Mar 2012 01:27:43 -0400

Update: this blog post has been changed to reference our new FDroid repository at https://guardianproject.info/fdroid. If you are still using the old one originally described here which has the URL https://guardianproject.info/repo, you should switch to the new repo as soon as possible!

For all of you out there looking for a safe way to find and download apps outside of the Play Store (aka Android Market) or random, sketchy third-party app stores and file sharing sites, then your wait is over:

ObscuraCam v2 ALPHA (with video!)

Fri, 02 Mar 2012 12:20:34 -0400

We’ve been making exciting progress with our work on ObscuraCam, part of the SecureSmartCam project with our partner WITNESS. The biggest jump forward is the addition of video support, including automated face detection, pixelization and redaction.

Screenshots below, and soon a video below (also at: http://youtu.be/9hi4c_DCrkw)

Source code branch is here: https://github.com/guardianproject/securesmartcam/tree/obscurav2

Latest ALPHA test build at: https://github.com/guardianproject/SecureSmartCam/ObscuraCam-2.0-Alpha-2.apk/qr_code

How many ways to store 5 numbers?

Thu, 23 Feb 2012 12:29:49 -0400

At the core of all software that aims to be secure, private and anonymous is encryption, or as I think of it, amazing math tricks with really large numbers. These really large numbers can serve as a token of identity or the key to information locked away behind the encryption math. There are a number of different encryption methods commonly used based on different mathematical ideas, but they all rely on people managing sets of really large numbers, usually known as keys.

Free SIP Providers with ZRTP support

Wed, 22 Feb 2012 19:10:11 -0400

This post is part of a series on our work researching the Open Secure Telephony Network. After you have CSipSimple installed on your mobile handset, you will need a place to register a SIP username so you can contact others. The fastest way to get started with this is to use one of a handful of free SIP providers. I like the Ekiga free SIP service.

Open Source SIP Client for Android

Wed, 22 Feb 2012 16:12:25 -0400

The first step in the Open Secure Telephony Network (OSTN) is a client. We can’t make a phone call without a phone. In this case there are three primary goals and a number of optional features. The primary goal is an application which speaks the SIP protocol for signalling. It must also speak the ZRTP protocol for peer to peer encryption key exchange. Finally the client must have source code freely available with a license that allows free redistribution.

Open Secure Telephony Network

Wed, 22 Feb 2012 15:39:26 -0400

Over the last two months, I have been working on a project to research and develop a set of tools to provide secure peer to peer Voice over IP on the Android mobile platform. It is called the Open Secure Telephony Network, or OSTN. This work is done under the umbrella of The Guardian Project.

this is not the type of “open” we mean, and definitely not secure

Strong Mobile Passwords with Yubikey USB Token

Wed, 04 Jan 2012 00:45:43 -0400

We have been experimenting with the Yubikey, a USB hardware password token, a bit over the last few weeks and would like to share our initial findings. We have not received any financial support or donation from Yubico for this work. We simply think they have a very affordable, interesting product that, due to its design, does *not* require any on-device driver software and can easily work with any Android device that supports USB Host/HID mode.

SQLCipher for Android v1 FINAL!

Tue, 29 Nov 2011 18:17:47 -0400

Team GP along with the good folks at Zetetic, are happy to announce that we have reached FINAL on our first release (“v1” 0.0.6 build) of SQLCipher for Android. This means we consider this a production release, ready for shipping with your apps to provide for reliable, open-source, secure application data encryption.

If you need a refresher, here is what the cross-platform, open-source SQLCipher provides:

SQLCipher is an SQLite extension that provides transparent 256-bit AES encryption of database files. Pages are encrypted before being written to disk and are decrypted when read back. Due to the small footprint and great performance it’s ideal for protecting embedded application databases and is well suited for mobile development.

Progress on Mobile Video Privacy Tools

Sat, 10 Sep 2011 04:36:11 -0400

If you are a developer you may just want to skip all the prose below, and just jump over to Github to find our new FFMPEG on Android project{.vt-p} and build system. You can also check out our SSCVideoProto Project{.vt-p} to understand how we are using it to redact faces and other identifying areas of HD video right on the Android phone itself. For more context, read on…

Last October at the Open Video Conference 2010, the idea of a camera application that could be designed to understand the needs and requirements of the human rights community was born. During a hackday hosted with WITNESS{.vt-p}, we proved that is was possible to take a feature like “Face Detection” which is built into the Android operating system, and turn it into a capability that could be used to protect people, by blurring, pixelating or removing faces that unintentionally appeared in a video filmed on a mobile phone. In the last year, through our partnership with WITNESS Labs, we have built on that concept, designing, developing and releasing apps and source code which move the state of the art in mobile video privacy and anonymity capabilities forward.

CACertMan app to address DigiNotar & other bad CA’s

Mon, 05 Sep 2011 03:29:00 -0400

As I expect many of you are aware, there was a major compromise to a Dutch Certificate Authority named “DigiNotar” recently, where they allowed SSL certs for domains like *.google.com, *.torproject.org and even *.cia.gov as well as *.*.com to be issued.

It was brought up to the contribs of CyanogenMOD that they should probably remove the DigiNotar CA cert from the built-in Android OS keystore (located at /system/etc/security/cacerts.bks). Since they have 500k+ users, and can be more nimble than other ROM/device distributors, it was seen as a way to quickly address the problem, at least within their community. It turns out that it wasn’t as easy to convince them to do this (even though Mozilla, Google Chrome, IE, etc already had). You can read the thread, but it is still an open issue:
http://code.google.com/p/cyanogenmod/issues/detail?id=4260{.vt-p}

Announcing ObscuraCam v1 – Enhance Your Visual Privacy!

Thu, 23 Jun 2011 21:28:20 -0400

We’re very happy to announce the beta release of ObscuraCam for Android. This is the first release from the SecureSmartCam project, a partnership with WITNESS, a leading human rights video advocacy and training organization. This is the result of an open-source development cycle, comprised of multiple sprints (and branches), that took place over the last five months. This “v1” release is just the first step towards the complete vision of the project.

The goal of the SecureSmartCam project to to design and develop a new type of smartphone camera app that makes it simple for the user to respect the visual privacy, anonymity and consent of the subjects they photograph or record, while also enhancing their own ability to control the personally identifiable data stored inside that photo or video. Also, we think an app that allows you to pixelize your friends, disguise their faces and otherwise defend their privacy just a little bit, is a lot of fun and helps raise awareness about an important issue. In this first release we have focused on ‘obscura’ by optimizing the workflow of identity obfuscation in still images. Future releases will look at ‘informa,’ the process of properly gaining and recording informed consent from subjects, while also moving to video.

Lil’ Debi: Easy Installer for Debian on Android

Sat, 18 Jun 2011 04:22:52 -0400

Have an Android phone and want an easy Debian chroot running it?

Alpha test our new app, Lil’ Debi. It builds up a whole Debian chroot on your phone entirely using debootstrap. You choose the release, mirror, and size of the disk image, and away it goes. It could take up to an hour, then its done. Then it has a simple chroot manager that mounts and unmounts things, and starts/stops sshd if you have it installed. You can also then use ‘apt-get’ to install any package that is released for ARM processors. This includes things like GPG, Tor, TraceRouteTCP and other security and crypto tools.

Announcing: SQLCipher for Android, Developer Preview r1

Mon, 09 May 2011 22:45:09 -0400

After some major breakthroughs during last week’s development sprint, we’re extremely excited to announce SQLCipher for Android, Developer Preview r1. SQLCipher is an SQLite extension that provides transparent 256-bit AES encryption of database files. To date, it has been open-sourced, sponsored and maintained by Zetetic LLC, and we are glad to be able to extend their efforts to a new mobile platform. In the mobile space, SQLCipher has enjoyed widespread use in Apple’s iOS, as well as Nokia / QT for quite some time. Given that Android by default provides integrated support for SQLite databases, our goal was to create an almost identical API for SQLCipher, so that developers of all skill level could use it, without a steep learning curve.

Our Foolish Hackday!

Wed, 06 Apr 2011 21:51:12 -0400

We had a great group of people show up at our April 1st “Don’t Be Fooled” Hackday here at the OpenMobileLab in New York. There were users, there were devs, and all sorts of other people in between. We tracked some of the brainstormed ideas on an open etherpad at: http://piratepad.net/bQPFn6FOhN (text of this pasted in below).

The main outputs of the hacking were LilDebi, an updated Debian installer for Android, the beginnings of a Bitcoin digital currency client, and another called UpOn App, which uses the accelerometer and white noise generators in the device to stop your cellphone from spying on you.

Growing Mobile Test Lab and Library

Fri, 01 Apr 2011 00:32:08 -0400

At our new meatspace location in New York City, we are building up a library of mobile devices from around the world for open-source developers to use for testing, and specifically to help verify the security of apps running on different carrier configurations and hardware variables.

Mostly our collection has come from picking up what we can, when we can, always with an eye towards anything a few generations back from the state of the art. If you’ve got any mobile hardware to donate, we would love to have it.

Addressing a “Privacy Challenge” with Guardian

Wed, 02 Mar 2011 20:39:18 -0400

Organized by the ACLU, Tor Project, and PrivacyByDesign.ca, the “Develop for Privacy Challenge” is an interesting new software development challenge that was announced last month. Developers (teams or individuals) have until May 31st to come up with apps which address this goal:

Develop apps for smartphones or other mobile devices that educate users about mobile privacy and give them the ability to claim or demand greater control of their own personal information.

We don’t plan to compete in this contest ourselves, as we would rather support and encourage other developers to take a shot at it. Along those lines, we would really like to see developers use some of the apps we have built, and code we have released, as part of their solutions. We have been putting together a large number of “lego” building blocks over the last year, just waiting for someone to come and put them together in a revolutionary way. Here is a breakdown of some of our more useful components:

Create an encrypted file system on Android with LUKS

Wed, 02 Feb 2011 23:29:15 -0400

LUKS is the standard for Linux hard disk encryption. By providing a standard on-disk-format, it not only facilitates compatibility among distributions, but also provides secure management of multiple user passwords.

Building off the work from other great sources, the Guardian Project hack team decided to take a crack at porting LUKS to Android recently, with the goal of creating a proof of concept build process that can be easily adapted to future projects.

Proxy Settings Add-on for Firefox Mobile

Mon, 08 Nov 2010 03:43:24 -0400

The latest beta of Firefox 4 on Android is proving to be very usable, stable and an increasingly viable alternative to the built-in webkit browser. However, it is unfortunately lacking the ability to manually configure proxy settings through any sort of standard user interface. This is a common problem for Android, which also lacks the ability to set browser or system wide proxy settings. This has caused real issues for us with getting Orbot (aka “Tor on Android”) to work for un-rooted Android devices, because for routing through Tor to work, you must be able to set the HTTP or SOCKS proxy settings. Why this very basic feature keeps getting missed or ignored is a mystery to us.

Orbot Update: New Setup Wizard at Startup

Thu, 29 Jul 2010 17:17:08 -0400

We’ve been working away at the 0.0.9 release of Orbot over the last few months, and have put a decent amount of effort into usability. Specifically, we hoped to better communicate to users what it means to run Tor on your Android phone. In addition, we wanted to clearly lay out how the various configuration options help to improve your mobile web anonymity and ability to circumvent web filters and tracking by your mobile service provider.

aPad / iRobot / Moons e7001 Teardown

Sat, 05 Jun 2010 13:38:23 -0400

This is the aPad or iRobot Android 7″ tablet device from www.hiapad.com. I decided to tear mine apart, as the unit I received has a battery issue, and I hoped to see if I could find a bad solder point. In addition, I was curious to see just how hackable or extensible the hardware was. In the end, I was mostly surprised by how much of the thing is put together with tape. I suppose that is what you get for < $200 Android tablet! You can find the full product overview on the Hiapad site. I have also pasted in the basic specs below.

Tor on a Tablet

Tue, 25 May 2010 16:22:01 -0400

We recently acquired a Moons e-7001 “iRobot” tablet which runs Android 1.5. This device is also known as the “aPad”. It is a very basic iPad-clone, though honestly, it can’t really compare with the iPad in terms of quality of screen, build or general use. However, it does only cost $185, supports USB host mode, has a built-in camera, and it is running Android, an actual open-source operating system! It should also be pointed out that you can also now get the Archos 7 Android tablet, which is basically the same thing as this, from Amazon for $199.

Ushahidi-Linda: “Testimony” + “Protection”

Wed, 10 Mar 2010 19:53:00 -0400

Ushahidi-linda (“Testimony” + “Protection” – disclaimer: we don’t speak Swahili so this was a shot in the dark!)

This is a fork of the Ushahidi on Android app, done as a way to prototype the implementation of increased security, anonymity and privacy for users viewing and submitting reports through Ushahidi.

Ushahidi is a platform that crowdsources crisis information, allowing anyone to submit crisis information through text messaging using a mobile phone, email or web form.