<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Research on Guardian Project</title>
    <link>https://guardianproject.info/categories/research/</link>
    <description>Recent content in Research on Guardian Project</description>
    <generator>Hugo</generator>
    <language>en</language>
    <lastBuildDate>Sun, 19 Apr 2026 04:04:11 +0000</lastBuildDate>
    <atom:link href="https://guardianproject.info/categories/research/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Repomaker Usability Trainers Worldwide, June 2017</title>
      <link>https://guardianproject.info/2017/06/29/repomaker-usability-trainers-worldwide-june-2017/</link>
      <pubDate>Thu, 29 Jun 2017 08:13:04 -0400</pubDate>
      <guid>https://guardianproject.info/2017/06/29/repomaker-usability-trainers-worldwide-june-2017/</guid>
      <description>&lt;h1 id=&#34;repomaker-usability-trainers-worldwide-study&#34;&gt;Repomaker Usability, Trainers Worldwide Study&lt;/h1&gt;&#xA;&lt;p&gt;Prepared by Carrie Winfrey and Tiffany Robertson, Okthanks, in partnership with F-Droid and Guardian Project&lt;/p&gt;&#xA;&lt;div id=&#34;attachment_13844&#34; style=&#34;width: 310px&#34; class=&#34;wp-caption aligncenter&#34;&gt;&#xA;  &lt;a href=&#34;https://guardianproject.info/wp-content/uploads/2017/06/okt-gp.png&#34;&gt;&lt;img aria-describedby=&#34;caption-attachment-13844&#34; src=&#34;https://guardianproject.info/wp-content/uploads/2017/06/okt-gp-300x72.png&#34; alt=&#34;&#34; width=&#34;300&#34; height=&#34;72&#34; class=&#34;size-medium wp-image-13844&#34; srcset=&#34;https://guardianproject.info/wp-content/uploads/2017/06/okt-gp-300x72.png 300w, https://guardianproject.info/wp-content/uploads/2017/06/okt-gp-768x184.png 768w, https://guardianproject.info/wp-content/uploads/2017/06/okt-gp-1024x246.png 1024w&#34; sizes=&#34;(max-width: 300px) 100vw, 300px&#34; /&gt;&lt;/a&gt;&#xA;  &lt;p id=&#34;caption-attachment-13844&#34; class=&#34;wp-caption-text&#34;&gt;&#xA;    OK Thanks – Guardian Project&#xA;  &lt;/p&gt;&#xA;&lt;/div&gt;&#xA;&lt;p&gt;For more information, contact carrie@okthanks.com.&lt;/p&gt;&#xA;&lt;h1 id=&#34;purpose&#34;&gt;Purpose&lt;/h1&gt;&#xA;&lt;p&gt;The purpose of this study was to understand the following things.&lt;/p&gt;&#xA;&lt;ul&gt;&#xA;&lt;li&gt;Are users able to complete basic tasks, including creating a repo, adding apps from other repos, removing apps, editing app details, and creating a second repo?&lt;/li&gt;&#xA;&lt;li&gt;Do participants understand how to get the apps from a repo installed on an Android phone?&lt;/li&gt;&#xA;&lt;li&gt;Word choice—Do people understand the word repo?&lt;/li&gt;&#xA;&lt;li&gt;Is repomaker a useful tool to participants?&lt;/li&gt;&#xA;&lt;/ul&gt;</description>
    </item>
    <item>
      <title>Tracking usage without tracking people</title>
      <link>https://guardianproject.info/2017/06/08/tracking-usage-without-tracking-people/</link>
      <pubDate>Thu, 08 Jun 2017 10:58:53 -0400</pubDate>
      <guid>https://guardianproject.info/2017/06/08/tracking-usage-without-tracking-people/</guid>
      <description>&lt;p&gt;One thing that has become very clear over the past years is that there is a lot of value in data about people. Of course, the most well known examples these days are advertising and spy agencies, but tracking data is useful for many more things. For example, when trying to build software that is intuitive and easy to use, having real data about how people are using the software can make a massive difference when developers and designers are working on improving their software. Even in the case of advertisers, they mostly do not care exactly who you are, they want to know what you are interested in so that they can more effectively promote things to you.&lt;/p&gt;</description>
    </item>
    <item>
      <title>fdroidserver UX Testing Report</title>
      <link>https://guardianproject.info/2017/06/01/fdroidserver-ux-testing-report/</link>
      <pubDate>Thu, 01 Jun 2017 04:36:14 -0400</pubDate>
      <guid>https://guardianproject.info/2017/06/01/fdroidserver-ux-testing-report/</guid>
      <description>&lt;p&gt;We ran user tests of &lt;a href=&#34;https://gitlab.com/fdroid/fdroidserver&#34; target=&#34;_blank&#34;&gt;&lt;em&gt;fdroidserver&lt;/em&gt;&lt;/a&gt;, the tools for developers to create and manage F-Droid repositories of apps and media. This test was set up to gather usability feedback about the tools themselves and the related documentation. These tests were put together and run by Seamus Tuohy/Prudent Innovation.&lt;/p&gt;&#xA;&lt;h1 id=&#34;methodology&#34;&gt;Methodology&lt;/h1&gt;&#xA;&lt;p&gt;Participants completed a pretest demographic/background information questionnaire. The facilitator then explained that the amount of time taken to complete the test task will be measured and that exploratory behavior within the app should take place after the tasks are completed. &lt;/p&gt;</description>
    </item>
    <item>
      <title>F-Droid User Testing, Round 2</title>
      <link>https://guardianproject.info/2017/05/01/f-droid-user-testing-round-2/</link>
      <pubDate>Mon, 01 May 2017 04:51:24 -0400</pubDate>
      <guid>https://guardianproject.info/2017/05/01/f-droid-user-testing-round-2/</guid>
      <description>&lt;p&gt;&lt;img src=&#34;https://guardianproject.info/wp-content/uploads/2017/06/null14.png&#34; width=&#34;624&#34; height=&#34;164&#34; alt=&#34;&#34; title=&#34;&#34; /&gt;&lt;/p&gt;&#xA;&lt;p&gt;by Hailey Still and Carrie Winfrey&lt;/p&gt;&#xA;&lt;p&gt;Here we outline the User Testing process and plan for the &lt;a href=&#34;https://f-droid.org&#34; target=&#34;_blank&#34;&gt;F-Droid&lt;/a&gt; app store for Android. The key aims of F-Droid are to provide users with a) a comprehensive catalogue of open-source apps, and b) the ability to transfer any app from their phone to someone in close physical proximity. With this User Test, we are hoping to gain insights into where the product design is successful and what aspects need to be further improved. Main goals are obtaining a baseline user performance and identifying potential design concerns regarding ease of use. An additional goal is to promote F-Droid as an alternative to the Google Play app store.&lt;/p&gt;</description>
    </item>
    <item>
      <title>F-Droid Lubbock Report – What We Want to Know</title>
      <link>https://guardianproject.info/2017/04/17/f-droid-lubbock-report-what-we-want-to-know/</link>
      <pubDate>Mon, 17 Apr 2017 08:07:47 -0400</pubDate>
      <guid>https://guardianproject.info/2017/04/17/f-droid-lubbock-report-what-we-want-to-know/</guid>
      <description>&lt;hr&gt;&#xA;&lt;h1 id=&#34;f-droid-lbk-usability-study-report--what-we-want-to-know&#34;&gt;F-Droid LBK Usability Study Report – What We Want to Know&lt;/h1&gt;&#xA;&lt;p&gt;Prepared by Carrie Winfrey&lt;/p&gt;&#xA;&lt;p&gt;&lt;em&gt;Preliminary Version – April 17, 2017&lt;/em&gt;&lt;/p&gt;&#xA;&lt;h2 id=&#34;introduction&#34;&gt;Introduction&lt;/h2&gt;&#xA;&lt;p&gt;When planning this user test, the team outlined features and flows within the app on which we wanted feedback. From there, we created tasks for participants to complete that would access these areas, and produce insights related to our inquiries.&lt;/p&gt;&#xA;&lt;p&gt;This document is organized by the tasks participants completed. Initial inquiry questions are outlined under each task, followed by the feedback and observations gained from the test. Last, within each section, I’ve listed suggestions for improvement related to the task.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Imagining the challenges of developers in repressive environments</title>
      <link>https://guardianproject.info/2017/01/26/imagining-the-challenges-of-developers-in-repressive-environments/</link>
      <pubDate>Thu, 26 Jan 2017 09:56:59 -0400</pubDate>
      <guid>https://guardianproject.info/2017/01/26/imagining-the-challenges-of-developers-in-repressive-environments/</guid>
      <description>&lt;p&gt;The Guardian Project team spends a lot of time thinking about users. In our work we focus on easy-to-use applications for users in high-risk scenarios. Because of this we are very focused on security. In our current work with the FDroid community to make it a secure, streamlined, and verifiable app distribution channel for high-risk environments we have started to become &lt;a href=&#34;https://guardianproject.info/2015/02/24/phishing-for-developers/&#34;&gt;more aware&lt;/a&gt; of the challenges and risks facing software developers who build software in high-risk environments.&lt;/p&gt;</description>
    </item>
    <item>
      <title>HOWTO: get all your Debian packages via Tor Onion Services</title>
      <link>https://guardianproject.info/2016/07/31/howto-get-all-your-debian-packages-via-tor-onion-services/</link>
      <pubDate>Sun, 31 Jul 2016 17:28:57 -0400</pubDate>
      <guid>https://guardianproject.info/2016/07/31/howto-get-all-your-debian-packages-via-tor-onion-services/</guid>
      <description>&lt;p&gt;&lt;a href=&#34;https://guardianproject.info/wp-content/uploads/2014/10/leakage.png&#34;&gt;&lt;img src=&#34;https://guardianproject.info/wp-content/uploads/2014/10/leakage-300x199.png&#34; alt=&#34;leakage&#34; width=&#34;300&#34; height=&#34;199&#34; class=&#34;alignright size-medium wp-image-12699&#34; srcset=&#34;https://guardianproject.info/wp-content/uploads/2014/10/leakage-300x199.png 300w, https://guardianproject.info/wp-content/uploads/2014/10/leakage-100x66.png 100w, https://guardianproject.info/wp-content/uploads/2014/10/leakage-150x99.png 150w, https://guardianproject.info/wp-content/uploads/2014/10/leakage-200x132.png 200w, https://guardianproject.info/wp-content/uploads/2014/10/leakage.png 410w&#34; sizes=&#34;(max-width: 300px) 100vw, 300px&#34; /&gt;&lt;/a&gt;Following up on &lt;a href=&#34;https://guardianproject.info/2014/10/16/reducing-metadata-leakage-from-software-updates/&#34; target=&#34;_blank&#34;&gt;some privacy leaks that we looked into a while back&lt;/a&gt;, there are now official Debian &lt;a href=&#34;https://onion.debian.org&#34; target=&#34;_blank&#34;&gt;Tor Onion Services&lt;/a&gt; for getting software packages and security updates, thanks to the Debian Sys Admin team. This is important for high risk use cases like TAILS covers, but also it is useful to make it more difficult to do some kinds of targeted attacks against high-security servers. The default Debian and Ubuntu package servers use plain HTTP with unencrypted connections. That means anyone with access to the network streams could both monitor and fingerprint traffic. When a request for a security update is spotted, an attacker knows that machine is vulnerable to an exploit, and could reliably exploit it before the security update is applied.&lt;/p&gt;</description>
    </item>
    <item>
      <title>How to Migrate Your Android App’s Signing Key</title>
      <link>https://guardianproject.info/2015/12/29/how-to-migrate-your-android-apps-signing-key/</link>
      <pubDate>Tue, 29 Dec 2015 12:03:54 -0400</pubDate>
      <guid>https://guardianproject.info/2015/12/29/how-to-migrate-your-android-apps-signing-key/</guid>
      <description>&lt;p&gt;&lt;strong&gt;It is time to update to a stronger signing key for your Android app! The old default RSA 1024-bit key is weak and officially deprecated.&lt;/strong&gt;&lt;/p&gt;&#xA;&lt;h2 id=&#34;what&#34;&gt;What?&lt;/h2&gt;&#xA;&lt;p&gt;The Android OS requires that every application installed be signed by a digital key. The purpose behind this signature is to identify the author of the application, allow this author and this author alone to make updates to the app, as well as provide a mechanism to establish inter-application trust. The Android security model defines an app by two things: the package name (aka &lt;a href=&#34;https://developer.android.com/reference/android/content/Context.html#getPackageName%28%29&#34; target=&#34;_blank&#34;&gt;&lt;code&gt;packageName&lt;/code&gt;&lt;/a&gt;, &lt;a href=&#34;https://sites.google.com/a/android.com/tools/tech-docs/new-build-system/applicationid-vs-packagename&#34; target=&#34;_blank&#34;&gt;&lt;code&gt;ApplicationID&lt;/code&gt;&lt;/a&gt;, &lt;a href=&#34;https://developer.android.com/guide/topics/manifest/manifest-element.html#package&#34; target=&#34;_blank&#34;&gt;&lt;code&gt;package&lt;/code&gt;&lt;/a&gt;) and the signing key. If either of those are different, then Android considers it a different app. When the package name and signing key of one APK match an installed app, then the APK is considered an update and Android will replace the installed app with the APK. If the APK is signed by a different key, then Android will prevent installing and updating.&lt;/p&gt;</description>
    </item>
    <item>
      <title>First Reproducible Builds Summit</title>
      <link>https://guardianproject.info/2015/12/09/first-reproducible-builds-summit/</link>
      <pubDate>Wed, 09 Dec 2015 05:02:48 -0400</pubDate>
      <guid>https://guardianproject.info/2015/12/09/first-reproducible-builds-summit/</guid>
      <description>&lt;p&gt;I was just in Athens for the “&lt;a href=&#34;https://reproducible-builds.org/events/athens2015/&#34;&gt;Reproducible Builds Summit&lt;/a&gt;”, an &lt;a href=&#34;https://aspirationtech.org/&#34; target=&#34;_blank&#34;&gt;Aspiration&lt;/a&gt;-run meeting focused on the issues of getting all software builds to be reproducible. This means that anyone starting with the same source code can build the &lt;em&gt;exact&lt;/em&gt; same binary, bit-for-bit. At first glance, it sounds like this horrible, arcane detail, which it is really. But it provides tons of real benefits that can save lots of time. And in terms of programming, it can actually be quite fun, like doing a puzzle or sudoku, since there is a very clear point where you have “won”.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Orfox: Aspiring to bring Tor Browser to Android</title>
      <link>https://guardianproject.info/2015/06/30/orfox-aspiring-to-bring-tor-browser-to-android/</link>
      <pubDate>Tue, 30 Jun 2015 15:32:16 -0400</pubDate>
      <guid>https://guardianproject.info/2015/06/30/orfox-aspiring-to-bring-tor-browser-to-android/</guid>
      <description>&lt;p&gt;&lt;strong&gt;Update 24 September, 2015: Orfox BETA is now on Google Play: &lt;a href=&#34;https://play.google.com/store/apps/details?id=info.guardianproject.orfox&#34;&gt;https://play.google.com/store/apps/details?id=info.guardianproject.orfox&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;&#xA;&lt;hr&gt;&#xA;&lt;p&gt; &lt;/p&gt;&#xA;&lt;p&gt;In the summer of 2014 (&lt;a href=&#34;https://lists.mayfirst.org/pipermail/guardian-dev/2014-August/003717.html&#34;&gt;https://lists.mayfirst.org/pipermail/guardian-dev/2014-August/003717.html&lt;/a&gt;), we announced that the results of work by Amogh Pradeep (&lt;a href=&#34;https://github.com/amoghbl1&#34;&gt;https://github.com/amoghbl1&lt;/a&gt;), our 2014 Google Summer of Code student, has proven we could build Firefox for Android with some of the settings and configurations from the Tor Browser desktop software. We called this app Orfox, in homage to Orbot and our current Orweb browser. This was a good first step, but we were doing the build on Mozilla’s Firefox code repository, and then retrofitting pieces from Tor Browser’s code, which wasn’t the right way to do things, honestly.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Recent news on Orweb flaws</title>
      <link>https://guardianproject.info/2014/06/30/recent-news-on-orweb-flaws/</link>
      <pubDate>Mon, 30 Jun 2014 12:43:51 -0400</pubDate>
      <guid>https://guardianproject.info/2014/06/30/recent-news-on-orweb-flaws/</guid>
      <description>&lt;p&gt;&lt;strong&gt;August 2014: New browser development news here, including Orfox, our Firefox-based browser solution: &lt;a href=&#34;https://lists.mayfirst.org/pipermail/guardian-dev/2014-August/003717.html&#34;&gt;https://lists.mayfirst.org/pipermail/guardian-dev/2014-August/003717.html&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;&#xA;&lt;p&gt; &lt;/p&gt;&#xA;&lt;p&gt;On Saturday, a new post was released by Xordern entitled &lt;a href=&#34;http://xordern.net/ip-leakage-of-mobile-tor-browsers.html&#34;&gt;IP Leakage of Mobile Tor Browsers&lt;/a&gt;. As the title says, the post documents flaws in mobile browser apps, such as &lt;a href=&#34;https://guardianproject.info/apps/orweb&#34;&gt;Orweb&lt;/a&gt; and &lt;a href=&#34;https://mike.tig.as/onionbrowser/&#34;&gt;Onion Browser&lt;/a&gt;, both of which automatically route communication traffic over Tor. While we appreciate the care the author has taken, he does make the mistake of using the term “security” to lump together the need for total anonymity with the needs of anti-censorship, anti-surveillance, circumvention and local device privacy. We do understand the seriousness of this bug, but at the same time, it is not an issue encountered regularly in the wild.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Improving trust and flexibility in interactions between Android apps</title>
      <link>https://guardianproject.info/2014/01/21/improving-trust-and-flexibility-in-interactions-between-android-apps/</link>
      <pubDate>Tue, 21 Jan 2014 13:51:57 -0400</pubDate>
      <guid>https://guardianproject.info/2014/01/21/improving-trust-and-flexibility-in-interactions-between-android-apps/</guid>
      <description>&lt;div id=&#34;attachment_12240&#34; style=&#34;width: 310px&#34; class=&#34;wp-caption alignright&#34;&gt;&#xA;  &lt;a href=&#34;https://guardianproject.info/wp-content/uploads/2014/01/Android-Intents.png&#34;&gt;&lt;img aria-describedby=&#34;caption-attachment-12240&#34; src=&#34;https://guardianproject.info/wp-content/uploads/2014/01/Android-Intents-300x61.png&#34; alt=&#34;Activity1 sending an Intent that either Activity2 or Activity3 can handle.&#34; width=&#34;300&#34; height=&#34;61&#34; class=&#34;size-medium wp-image-12240&#34; srcset=&#34;https://guardianproject.info/wp-content/uploads/2014/01/Android-Intents-300x61.png 300w, https://guardianproject.info/wp-content/uploads/2014/01/Android-Intents.png 600w&#34; sizes=&#34;(max-width: 300px) 100vw, 300px&#34; /&gt;&lt;/a&gt;&#xA;  &lt;p id=&#34;caption-attachment-12240&#34; class=&#34;wp-caption-text&#34;&gt;&#xA;    &lt;code&gt;Activity1&lt;/code&gt; sending an &lt;code&gt;Intent&lt;/code&gt; that either &lt;code&gt;Activity2&lt;/code&gt; or &lt;code&gt;Activity3&lt;/code&gt; can handle.&#xA;  &lt;/p&gt;&#xA;&lt;/div&gt;Android provides a flexible system of messaging between apps in the form of &#xA;&lt;p&gt;&lt;code&gt;&amp;lt;a href=&amp;quot;https://developer.android.com/guide/components/intents-filters.html&amp;quot; target=&amp;quot;_blank&amp;quot;&amp;gt;Intent&amp;lt;/a&amp;gt;&lt;/code&gt;s. It also provides the framework for reusing large chunks of apps based on the &lt;code&gt;&amp;lt;a href=&amp;quot;https://developer.android.com/reference/android/app/Activity.html&amp;quot; target=&amp;quot;_blank&amp;quot;&amp;gt;Activity&amp;lt;/a&amp;gt;&lt;/code&gt; class. &lt;code&gt;Intent&lt;/code&gt;s are the messages that make the requests, and &lt;code&gt;Activity&lt;/code&gt;s are the basic chunk of functionality in an app, including its interface. This combination allows apps to reuse large chunks of functionality while keeping the user experience seamless and fluent. 
For example, an app can send an Intent to request a camera &lt;code&gt;Activity&lt;/code&gt; to prompt the user to take a picture, and that process can feel integrated into the original app that made the request. Another common use of this paradigm is choosing account information from the contacts database (aka the &lt;em&gt;People&lt;/em&gt; app). When a user is composing a new email, they will want to select who the message gets sent to. Android provides both the contacts database, and a nice overlay screen for finding and selecting the person to send to. This combination is an &lt;code&gt;Activity&lt;/code&gt; provided by Android. The message that the email program sends in order to trigger that &lt;code&gt;Activity&lt;/code&gt; is an &lt;code&gt;Intent&lt;/code&gt;.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Four Ways InformaCam Powers Mobile Media Verification</title>
      <link>https://guardianproject.info/2014/01/06/four-ways-informacam-powers-mobile-media-verification/</link>
      <pubDate>Mon, 06 Jan 2014 15:14:16 -0400</pubDate>
      <guid>https://guardianproject.info/2014/01/06/four-ways-informacam-powers-mobile-media-verification/</guid>
      <description>&lt;p&gt;_Note: A big discussion topic of 2013 was about how hard cryptography and security is for average people, journalists and others. With that in mind, we’d like to sub-title this post “Making Mobile Crypto Easy for Eyewitnesses”, as the InformaCam software and process described below includes the full gamut of security and cryptography tools all behind a streamlined, and even attractive application user experience we are quite proud of…. _&lt;/p&gt;&#xA;&lt;p&gt;One of the primary goals of the &lt;a href=&#34;https://guardianproject.info/informa&#34;&gt;InformaCam&lt;/a&gt; project (now in &lt;a href=&#34;https://guardianproject.info/informa&#34;&gt;public beta!&lt;/a&gt;) is to create an environment where, when it comes to photos and video captured on smartphones, people and organizations can trust what they see. Faked photos and videos, whether intended to be humorous or malicious, are all too common online, especially in times of crisis. Thus, the software that has been developed works to ensure the full, complete original photo or video captured of an event, can safely reach the people who need to see it, without it first being filtered, modified, cropped, trimmed or otherwise manipulated.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Integrating Crypto Identities with Android</title>
      <link>https://guardianproject.info/2013/12/28/integrating-crypto-identities-with-android/</link>
      <pubDate>Sat, 28 Dec 2013 19:42:56 -0400</pubDate>
      <guid>https://guardianproject.info/2013/12/28/integrating-crypto-identities-with-android/</guid>
      <description>&lt;p&gt;&lt;a href=&#34;https://en.wikipedia.org/wiki/Alberti_cipher_disk&#34;&gt;&lt;img src=&#34;https://guardianproject.info/wp-content/uploads/2012/10/alberti_cipher_disk-150x150.jpg&#34; alt=&#34;alberti cipher disk&#34; width=&#34;50&#34; height=&#34;50&#34; class=&#34;alignleft size-thumbnail wp-image-3079&#34; srcset=&#34;https://guardianproject.info/wp-content/uploads/2012/10/alberti_cipher_disk-150x150.jpg 150w, https://guardianproject.info/wp-content/uploads/2012/10/alberti_cipher_disk.jpg 245w&#34; sizes=&#34;(max-width: 50px) 100vw, 50px&#34; /&gt;&lt;/a&gt;ver the past couple of years, Android has included a central database for managing information about people, it is known as the &lt;a href=&#34;https://developer.android.com/reference/android/provider/ContactsContract.html&#34; target=&#34;_blank&#34;&gt;&lt;code&gt;ContactsContract&lt;/code&gt;&lt;/a&gt; (that’s a mouthful). Android then provides the &lt;em&gt;People&lt;/em&gt; app and reusable interface chunks to choose contacts that work with all the information in the &lt;code&gt;ContactsContract&lt;/code&gt; database. Any time that you are adding an account in the &lt;em&gt;Settings&lt;/em&gt; app, you are setting up this integration. You can see it with Google services, &lt;em&gt;Skype&lt;/em&gt;, &lt;em&gt;Facebook&lt;/em&gt;, and many more. This system has a lot of advantages, including:&lt;/p&gt;</description>
    </item>
    <item>
      <title>Keys, signatures, certificates, verifications, etc. What are all these for?</title>
      <link>https://guardianproject.info/2013/12/12/keys-signatures-certificates-verifications-etc.-what-are-all-these-for/</link>
      <pubDate>Thu, 12 Dec 2013 13:20:09 -0400</pubDate>
      <guid>https://guardianproject.info/2013/12/12/keys-signatures-certificates-verifications-etc.-what-are-all-these-for/</guid>
      <description>&lt;p&gt;&lt;a href=&#34;https://guardianproject.info/wp-content/uploads/2013/12/key.jpg&#34;&gt;&lt;img src=&#34;https://guardianproject.info/wp-content/uploads/2013/12/key-150x150.jpg&#34; alt=&#34;portable shared security token&#34; width=&#34;150&#34; height=&#34;150&#34; class=&#34;alignright size-thumbnail wp-image-12129&#34; /&gt;&lt;/a&gt;For the past two years, we have been thinking about how to make it easier for anyone to achieve private communications. One particular focus has been on the “security tokens” that are required to make private communications systems work. This research area is called internally &lt;a href=&#34;https://dev.guardianproject.info/projects/psst/wiki/PSST&#34; title=&#34;PSST Wiki&#34; target=&#34;_blank&#34;&gt;Portable Shared Security Tokens aka PSST&lt;/a&gt;. All of the privacy tools that we are working on require “keys” and “signatures”, to use the language of cryptography, and these are the core of what “security tokens” are. One thing we learned a lot about is how to portray and discuss tools for private or anonymous communications to people who just want to communicate and are not interested in technical discussion. This is becoming a central issue among a lot of people working to make usable privacy tools.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Turn Your Device Into an App Store</title>
      <link>https://guardianproject.info/2013/11/18/turn-your-device-into-an-app-store/</link>
      <pubDate>Mon, 18 Nov 2013 16:27:30 -0400</pubDate>
      <guid>https://guardianproject.info/2013/11/18/turn-your-device-into-an-app-store/</guid>
      <description>&lt;p&gt;As we’ve touched upon in &lt;a href=&#34;https://guardianproject.info/2013/11/05/setting-up-your-own-app-store-with-f-droid/&#34;&gt;previous blog posts &lt;/a&gt; the Google Play model of application distribution has some disadvantages. Google does not make the Play store universally available, instead limiting availability to a subset of countries. Using the Play store to install apps necessitates both sharing personal information with Google and enabling Google to remotely remove apps from your device (colloquially referred to as &lt;a href=&#34;http://www.engadget.com/2008/10/16/google-implemented-an-android-kill-switch-those-rascals/&#34;&gt;having a ‘kill switch’&lt;/a&gt;). Using the Play store also requires a functional data connection (wifi or otherwise) to allow apps to be downloaded. Often there is a need to quickly bootstrap users during training sessions in countries with unreliable/restricted data connectivity, or in extreme cases, &lt;a href=&#34;http://www.nytimes.com/2011/01/29/technology/internet/29cutoff.html?_r=0&#34;&gt;no internet connectivity at all&lt;/a&gt;.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Your own private dropbox with free software</title>
      <link>https://guardianproject.info/2013/11/12/your-own-private-dropbox-with-free-software/</link>
      <pubDate>Tue, 12 Nov 2013 12:50:23 -0400</pubDate>
      <guid>https://guardianproject.info/2013/11/12/your-own-private-dropbox-with-free-software/</guid>
      <description>&lt;p&gt;There are lots of file storage and sharing software packages out there that make it easy for a group of people to share files. Dropbox is perhaps the most well known of the group, it provides an easy way for a group of people to share files. The downside of Dropbox is that it is not a private service, just like any cloud-based service. Dropbox has total access to your files that you store there. That means it's likely that the NSA and its collaborators do too.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Gibberbot’s “ChatSecure” MakeOver: Almost Done!</title>
      <link>https://guardianproject.info/2013/09/20/gibberbots-chatsecure-makeover-almost-done/</link>
      <pubDate>Fri, 20 Sep 2013 17:19:54 -0400</pubDate>
      <guid>https://guardianproject.info/2013/09/20/gibberbots-chatsecure-makeover-almost-done/</guid>
      <description>&lt;p&gt;In a previous post with the mouthful of a title &lt;a href=&#34;https://guardianproject.info/2013/07/16/modernizing-expectations-for-the-nouveau-secure-mobile-messaging-movement/&#34;&gt;“Modernizing Expectations for the Nouveau Secure Mobile Messaging Movement”&lt;/a&gt;, I spoke about all of the necessary security features a modern mobile messaging app should have. These include encrypted local storage, end-to-end verifiable encryption over the network, certificate pinning for server connections and a variety of other features. I am VERY happy to report that the latest v12 beta release of the project formerly known as Gibberbot, now called ChatSecure, has all of the features described in that post implemented. From a feature perspective, it is the most secure mobile messaging app ever. We also hope that in reality, in practice, it also is, as we have spent a great deal of effort on security code audits, penetration testing, and responding to the outcomes of those efforts, to further harden our app.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Keeping data private means it must be truly deletable!</title>
      <link>https://guardianproject.info/2013/08/23/keeping-data-private-means-it-must-be-truly-deletable/</link>
      <pubDate>Fri, 23 Aug 2013 17:36:49 -0400</pubDate>
      <guid>https://guardianproject.info/2013/08/23/keeping-data-private-means-it-must-be-truly-deletable/</guid>
      <description>&lt;p&gt;&lt;a href=&#34;https://guardianproject.info/wp-content/uploads/2013/08/erase-hard-drive.jpg&#34;&gt;&lt;img src=&#34;https://guardianproject.info/wp-content/uploads/2013/08/erase-hard-drive-150x150.jpg&#34; alt=&#34;deleting data&#34; width=&#34;150&#34; height=&#34;150&#34; class=&#34;alignright size-thumbnail wp-image-11598&#34; /&gt;&lt;/a&gt;There are lots of apps these days that promise to keep your data secure, and even some that promise to wipe away private information mere seconds or minutes after it has been received. It is one thing to keep data out of view from people you don’t want seeing it, it is also important to be able to truly delete information. Unfortunately computers make it very difficult to make data truly disappear. When we tell a computer to delete a file, it only deletes the reference to the data. The data itself remains on the disk unchanged. For any UNIX geek out there, you can easily see an example of that by grepping a partition (e.g. &lt;code&gt;sudo grep password /dev/sda3&lt;/code&gt;). To solve this problem, there are “secure delete” options. Secure deletion removes the reference like regular deletion, then wipes the data on the disk by overwriting it with random data. That’s much better, but not always good enough. It turns out that it’s possible to remove the hard disk and read magnetic residue and recover even wiped data.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Jitsi, ostel.co and ISP censorship</title>
      <link>https://guardianproject.info/2013/07/22/jitsi-ostel.co-and-isp-censorship/</link>
      <pubDate>Mon, 22 Jul 2013 15:33:44 -0400</pubDate>
      <guid>https://guardianproject.info/2013/07/22/jitsi-ostel.co-and-isp-censorship/</guid>
      <description>&lt;p&gt;Earlier last week n8fr8 suspected something changed on the ostel.co server, due to many users emailing support specifically about Jitsi connectivity to ostel.co. The common question was “why did it work a few weeks ago and now it doesn’t anymore?”&lt;/p&gt;&#xA;&lt;p&gt;The tl;dr follows, skip to keyword CONCLUSION to hear only the punch line.&lt;/p&gt;&#xA;&lt;p&gt;To support n8fr8’s hypothesis, there was a small change to the server but I wasn’t convinced it affected anything since all my clients continued to work properly, including Jitsi. Obviously &lt;em&gt;something&lt;/em&gt; had changed but none of us knew what it was. After some testing we discovered the problem was related to insecure connections from Jitsi to UDP port 5060 on ostel.co. Secure connections (on TCP port 5061) continued to work as expected.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Modernizing Expectations for the Nouveau Secure Mobile Messaging Movement</title>
      <link>https://guardianproject.info/2013/07/16/modernizing-expectations-for-the-nouveau-secure-mobile-messaging-movement/</link>
      <pubDate>Tue, 16 Jul 2013 00:52:31 -0400</pubDate>
      <guid>https://guardianproject.info/2013/07/16/modernizing-expectations-for-the-nouveau-secure-mobile-messaging-movement/</guid>
      <description>&lt;p&gt;&lt;em&gt;The tl;dr of this lengthy (tho entertaining and immensely important!) post is this: Stopping with “We support OTR” or “We support PGP” is not enough anymore. There are at &lt;strong&gt;least seven&lt;/strong&gt;, if not more, very important security features that any app claiming to provide secure messaging must implement as soon as possible, to truly safeguard a user’s communication content, metadata and identity.&lt;/em&gt;&lt;/p&gt;&#xA;&lt;p&gt;&lt;em&gt;Note: The names “Gibberbot” and “ChatSecure” are used interchangeably below, as we are in the midst of an app rebrand. Apologies!&lt;/em&gt;&lt;/p&gt;</description>
    </item>
    <item>
      <title>A Weather Report On Security</title>
      <link>https://guardianproject.info/2013/06/14/a-weather-report-on-security/</link>
      <pubDate>Fri, 14 Jun 2013 13:22:28 -0400</pubDate>
      <guid>https://guardianproject.info/2013/06/14/a-weather-report-on-security/</guid>
      <description>&lt;p&gt;How’s the weather outside? Sunny with a chance of IP blocking.&lt;/p&gt;&#xA;&lt;p&gt;We recently launched a new initiative we’re calling: &lt;a href=&#34;https://guardianproject.info/code/weatherrepo/&#34; title=&#34;The Weather Repo&#34;&gt;The Weather Repo&lt;/a&gt;. The goal of the project is for organizations to have a more accurate method of understanding whether the apps they’re using are “safe”. It’s hard to know whether apps that claim to be secure really are. Have they been vetted by a third party? Are there existing case studies? Has a threat analysis been performed?&lt;/p&gt;</description>
    </item>
    <item>
      <title>Carrier Grade, Verizon and the NSA</title>
      <link>https://guardianproject.info/2013/06/12/carrier-grade-verizon-and-the-nsa/</link>
      <pubDate>Wed, 12 Jun 2013 06:38:46 -0400</pubDate>
      <guid>https://guardianproject.info/2013/06/12/carrier-grade-verizon-and-the-nsa/</guid>
      <description>&lt;p&gt;&lt;a href=&#34;https://guardianproject.info/wp-content/uploads/2013/06/PHONE_BOLT.png&#34;&gt;&lt;img class=&#34;size-medium wp-image-4188 alignleft&#34; alt=&#34;PHONE_BOLT&#34; src=&#34;https://guardianproject.info/wp-content/uploads/2013/06/PHONE_BOLT-268x300.png&#34; width=&#34;268&#34; height=&#34;300&#34; srcset=&#34;https://guardianproject.info/wp-content/uploads/2013/06/PHONE_BOLT-268x300.png 268w, https://guardianproject.info/wp-content/uploads/2013/06/PHONE_BOLT.png 514w&#34; sizes=&#34;(max-width: 268px) 100vw, 268px&#34; /&gt;&lt;/a&gt;&lt;/p&gt;&#xA;&lt;p&gt;Last week Glenn Greenwald at The Guardian broke the news that &lt;a href=&#34;http://www.guardian.co.uk/world/2013/jun/06/nsa-phone-records-verizon-court-order&#34;&gt;Verizon has been providing the NSA with metadata&lt;/a&gt; about all of the calls over a subsidiary’s network. This subsidiary is called &lt;a href=&#34;http://investing.businessweek.com/research/stocks/private/snapshot.asp?privcapId=4259068&#34;&gt;Verizon Business Network Services&lt;/a&gt;. It is a privately held company that “owns, operates, monitors, and maintains data and Internet networks in North America, Europe, Asia, Latin America, Australia, Japan, and Africa. The company provides converged communication solutions, such as local and long-distance voice, messaging, and Internet access services.” It is likely this company owns equipment that holds caller detail records for millions of customers. The order used &lt;a href=&#34;http://www.aclu.org/free-speech-national-security-technology-and-liberty/reform-patriot-act-section-215&#34;&gt;section 215 of The Patriot Act&lt;/a&gt;, which allows the FBI to order any person or entity to turn over “any tangible things,” so long as the FBI “specif[ies]” that the order is “for an authorized investigation . . . 
to protect against international terrorism or clandestine intelligence activities.” The “tangible things” could have been the physical servers or hard disks that store the logged details.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Gibberbot v11 is not just secure, its also simple, snappy and super fun!</title>
      <link>https://guardianproject.info/2013/03/08/gibberbot-v11-is-not-just-secure-its-also-simple-snappy-and-super-fun/</link>
      <pubDate>Fri, 08 Mar 2013 12:54:50 -0400</pubDate>
      <guid>https://guardianproject.info/2013/03/08/gibberbot-v11-is-not-just-secure-its-also-simple-snappy-and-super-fun/</guid>
      <description>&lt;p&gt;&lt;em&gt;Gibberbot v11 is now final as of RC3 release: &lt;a href=&#34;https://github.com/guardianproject/Gibberbot/tree/0.0.11-RC3&#34;&gt;https://github.com/guardianproject/Gibberbot/tree/0.0.11-RC3&lt;/a&gt;. From here, the only changes to v11 we will be making will be critical bug fixes. We are now focused on our v12 release, which you can track here: &lt;a href=&#34;https://dev.guardianproject.info/versions/39&#34;&gt;https://dev.guardianproject.info/versions/39&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;&#xA;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Please promote our new Gibberbot how-to interactive tutorial available here: &lt;a href=&#34;https://guardianproject.info/howto/chatsecurely/&#34; target=&#34;_blank&#34;&gt;https://guardianproject.info/howto/chatsecurely/&lt;/a&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;&#xA;&lt;p&gt;If you have been tracking our efforts here for the last few years, you will know that Gibberbot, our secure instant messaging app, started out as a big old mess of an app called “ORChat” and then “OTRChat” and then “Gibber” (or “Jibber”?), and then finally settled down into the name and app it is known as now. Really it was a proof of concept, showing that you could indeed use the &lt;a href=&#34;https://github.com/gpolitis/otr4j&#34;&gt;OTR4J library&lt;/a&gt;, built for desktop apps, on Android.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Mumble and the Bandwidth – Anonymous CB radio with Mumble and Tor</title>
      <link>https://guardianproject.info/2013/01/31/mumble-and-the-bandwidth-anonymous-cb-radio-with-mumble-and-tor/</link>
      <pubDate>Thu, 31 Jan 2013 02:05:50 -0400</pubDate>
      <guid>https://guardianproject.info/2013/01/31/mumble-and-the-bandwidth-anonymous-cb-radio-with-mumble-and-tor/</guid>
      <description>&lt;p&gt;&lt;a href=&#34;https://guardianproject.info/wp-content/uploads/2013/01/mumble-and-the-bandwidth.jpg&#34;&gt;&lt;img class=&#34;aligncenter size-full wp-image-3186&#34; alt=&#34;mumble and the bandwidth&#34; src=&#34;https://guardianproject.info/wp-content/uploads/2013/01/mumble-and-the-bandwidth.jpg&#34; width=&#34;800&#34; height=&#34;478&#34; srcset=&#34;https://guardianproject.info/wp-content/uploads/2013/01/mumble-and-the-bandwidth.jpg 800w, https://guardianproject.info/wp-content/uploads/2013/01/mumble-and-the-bandwidth-300x179.jpg 300w&#34; sizes=&#34;(max-width: 800px) 100vw, 800px&#34; /&gt;&lt;/a&gt;&lt;/p&gt;&#xA;&lt;p&gt;The journey towards anonymous and secure voice communication is a long one. There are lots of roadblocks to getting your voice from point A to point B over the Internet if you need to prevent eavesdropping or censorship. There is the limited bandwidth of mobile data connections. There is the high latency of the TCP protocol. &lt;a href=&#34;https://www.torproject.org/about/overview.html.en#whyweneedtor&#34;&gt;To achieve anonymity via Tor&lt;/a&gt;, there’s even more latency added to each packet.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Proposal for Secure Connection Notification on Android</title>
      <link>https://guardianproject.info/2012/11/15/proposal-for-secure-connection-notification-on-android/</link>
      <pubDate>Thu, 15 Nov 2012 10:07:49 -0400</pubDate>
      <guid>https://guardianproject.info/2012/11/15/proposal-for-secure-connection-notification-on-android/</guid>
      <description>&lt;p&gt;A major problem of mobile applications being increasingly used over web-based applications is that there is no established standard for notifying the user of the state of security on the network connection. With a web browser, the “lock” icon shown when an &lt;a href=&#34;https://en.wikipedia.org/wiki/HTTP_Secure&#34;&gt;HTTPS connection&lt;/a&gt; is made has evolved from Netscape’s first implementation into an ad hoc, de facto industry-standard way of letting the user know if their connection is secure. Beyond just a binary on/off, the lock icon is also the entry point into viewing more information about the digital security tokens, keys and certificates that are powering the connection – who authorized them, who requested them, and so on. More recently, with browsers such as Chrome, there has been the use of color schemes (Green is good, Red is bad), verified domain display and other indicators to help ensure the user knows when to trust their connection, and when to be wary.&lt;/p&gt;</description>
    </item>
    <item>
      <title>ToFU/PoP in your Android App!  (a.k.a. extending Orlib to communicate over Tor)</title>
      <link>https://guardianproject.info/2012/09/20/tofu/pop-in-your-android-app-a.k.a.-extending-orlib-to-communicate-over-tor/</link>
      <pubDate>Thu, 20 Sep 2012 15:17:36 -0400</pubDate>
      <guid>https://guardianproject.info/2012/09/20/tofu/pop-in-your-android-app-a.k.a.-extending-orlib-to-communicate-over-tor/</guid>
      <description>&lt;p&gt;In doing my research for InformaCam, I learned a couple of neat tricks for getting an app to communicate over Tor. Here’s a how-to for app developers to use depending on your threat model, and how you have your web server set-up. Enjoy, and please post your comments/questions/suggestions below…&lt;/p&gt;&#xA;&lt;h2 id=&#34;before-we-begin&#34;&gt;Before we begin…&lt;/h2&gt;&#xA;&lt;p&gt;You’re going to need some basic stuff up-and-running for this to work. Before you get coding, make sure you have the following:&lt;/p&gt;</description>
    </item>
    <item>
      <title>Call My Email</title>
      <link>https://guardianproject.info/2012/03/22/call-my-email/</link>
      <pubDate>Thu, 22 Mar 2012 16:31:45 -0400</pubDate>
      <guid>https://guardianproject.info/2012/03/22/call-my-email/</guid>
      <description>&lt;p&gt;&lt;a href=&#34;https://commons.wikimedia.org/wiki/File:PFC_Gladys_Bellon,_Basile,_Louisiana,_one_of_the_27_WAC_switchboard_operators_flown_from_Paris_for_the_Potsdam..._-_NARA_-_199010.jpg&#34;&gt;&lt;img class=&#34;aligncenter&#34; src=&#34;https://upload.wikimedia.org/wikipedia/commons/thumb/b/bc/PFC_Gladys_Bellon%2C_Basile%2C_Louisiana%2C_one_of_the_27_WAC_switchboard_operators_flown_from_Paris_for_the_Potsdam..._-_NARA_-_199010.jpg/764px-PFC_Gladys_Bellon%2C_Basile%2C_Louisiana%2C_one_of_the_27_WAC_switchboard_operators_flown_from_Paris_for_the_Potsdam..._-_NARA_-_199010.jpg&#34; alt=&#34;PFC Gladys Bellon, Basile, Louisiana, one of the 27 WAC switchboard operators flown from Paris for the Potsdam Conference and Sgt. Robert Scott of Pittsburgh, Pennsylvania, test lines in the frame room of the Victory switchboard at U. S. headquarters at Babelsburg, Germany.&#34; width=&#34;600&#34; /&gt;&lt;/a&gt;&lt;/p&gt;&#xA;&lt;p&gt;What if you could call me directly through my email? No exchanging of phone numbers or searching for handles on Skype. Just plain and simple email. Now what if we can make that phone call as secure as it is easy? That’s the goal of what we’re doing here at &lt;a title=&#34;Open Secure Telephony Network (OSTN) &#34; href=&#34;https://guardianproject.info/wiki/OSTN&#34; target=&#34;_blank&#34;&gt;Open Secure Telephony Network (OSTN)&lt;/a&gt;.&lt;/p&gt;</description>
    </item>
    <item>
      <title>VoIP Survey Results of NGOs, Human Rights Groups and Activists</title>
      <link>https://guardianproject.info/2012/03/07/voip-survey-results-of-ngos-human-rights-groups-and-activists/</link>
      <pubDate>Wed, 07 Mar 2012 18:58:29 -0400</pubDate>
      <guid>https://guardianproject.info/2012/03/07/voip-survey-results-of-ngos-human-rights-groups-and-activists/</guid>
      <description>&lt;p&gt;In November 2011, 25 individuals were surveyed using an online form, representing typical end-users, global journalists, activist and human rights organization perspectives (Thank you to all the participants!). The goal of the survey was to establish a baseline understanding of the types of tools and expectations our target user community has around making “telephone calls” over the internet, otherwise known as Voice over Internet Protocol (VoIP).&lt;/p&gt;&#xA;&lt;p&gt;This survey is part of our work on the &lt;a href=&#34;https://guardianproject.info/wiki/OSTN&#34;&gt;Open Secure Telephony Net (OSTN)&lt;/a&gt;. In summary, we believe there is too great a reliance upon closed systems, proprietary protocols, and expensive commercial solutions, among the very people and groups who need a verifiable secure system based on free software. While using GPG for email, or OTR-encryption for chat have become somewhat standard go-tos for these groups, there has not been the same progress made on the secure voice front. OSTN aims to change that, but before we can, we need to understand where our target user community stands today.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
