Guardian Project Blog on Guardian Project

DiVine Supports Proofmode

Mon, 01 Dec 2025 00:00:00 +0000

If you haven’t heard the news that Vine is back, relaunched as DiVine by Evan “Rabble” Henshaw-Plath, with support from Jack Dorsey. As part of the launch news, they have made it clear that AI Creators are not welcome, and that they want to “raise the bar for authenticity”.

To build this citadel of authenticity, DiVine is relying on Proofmode’s free and open-source technology. You can learn more how they have implemented it in the DiVine app and service the DiVine Proofmode page, or read on below.

BASELINE: Native American Heritage Month

Sat, 15 Nov 2025 00:00:00 +0000

Reposted from proofmode.org

To honor Native American Heritage Month, we traveled through Oklahoma, home to 39 federally recognized Tribal Nations, each with its own distinct culture, history, and deeply rooted traditions. Our visit included stops at the First Americans Museum, the National Cowboy & Western Heritage Museum, and the Sam Noble Museum, where we explored extensive collections of Native art, jewelry, pottery, clothing, and everyday items that reflect generations of creativity and resilience.

Kindness Mode: Help People Connect to Tor on World Kindness Day

Thu, 13 Nov 2025 00:00:00 +0000

Today is World Kindness Day. As stated on Wikipedia, “World Kindness Day is to highlight good deeds in the community focusing on the positive power and the common thread of kindness for good which binds us.”

Now that word bind is particularly meaningful to use in a technical way - when a remote computer connects to another computer over a network, whether peer-to-peer or a server, one way to state what happens is “binding to their socket port”. The decentralized, privacy-focused tor network is powered by volunteer organizations and inviduals around the world sharing their network resources. On Tor, there is a great deal of positive, community “good which binds us” going on.

BASELINE: Day of the Dead

Mon, 03 Nov 2025 00:00:00 +0000

Reposted from proofmode.org

The Day of the Dead (Día de los Muertos) is an ancestral tradition celebrated in Mexico and parts of Central America, where families honor and remember those who have passed away. To help preserve this beautiful cultural heritage, our Baseline initiative teamed up with local communities to document how people celebrate this day, from creating colorful altars (ofrendas) to building memorials that reflect how their loved ones lived and are still remembered.

Join the Hunt @ Global Gathering 2025 in Estoril, Portugal!

Thu, 28 Aug 2025 00:00:00 +0000

Reposted from proofmode.org

Join the fun to defend reality against fakes by playing “The Hunt @ Global Gathering 2025”, a multi-day photo and video scavenger hunt held around the Global Gathering 2025 in Estoril, Portugal, in September 2025.

Winners from The Hunt NYC 2025

Fri, 20 Jun 2025 00:00:00 +0000

Reposted from proofmode.org

Earlier this month, we hosted another installment of our verifiable photo scavenger hunt, as part of the Content Authenticity Summit 2025 in New York City. The exciting twist of this hunt was that instead of just being limited to using Proofmode Capture, any C2PA-verifiable capture app or device could be used.

Over the course of the three days, we received variety of excellent submission. In the end, we had three winners who verifiably documented the most items in the most visually compelling way - Mario Pena, Jonathan Venguer, and David Boily!

Join the Hunt NYC at the Content Authenticity Summit 2025

Mon, 02 Jun 2025 00:00:00 +0000

Reposted from proofmode.org

Join the fun to defend reality against fakes by playing “The Hunt NYC”, a multi-day photo and video scavenger hunt held around the Content Authenticity Summit in New York City, on June 4th, 2025.

Empowering Mobile Journalism with CuttingRoom and C2PA

Wed, 02 Apr 2025 00:00:00 +0000

Reposted from proofmode.org

CuttingRoom and ProofMode Team Up for Content Authenticity Support on iPhones

In today’s digital landscape, where increasingly “AI Slop” runs rampant, the integrity of media has never been more critical. It’s a constant battle to discern fact from fiction, and the stakes are high. That’s why we’re thrilled to announce a partnership that aims to arm journalists and content creators with a powerful weapon in this fight: the integration of the Coalition for Content Provenance and Authentication (C2PA) standard into the CuttingRoom Reporter mobile app for iOS.

Generative AI Detection in ProofCheck

Tue, 18 Mar 2025 00:00:00 +0000

Reposted from proofmode.org

ProofCheck is our free and open-source, multi-purpose “Swiss Army Knife” tool for image, video, and audio metadata inspection. It can work with the “Proof Pack” bundle zip files that are produced by our ProofMode camera app, and it can also inspect any multimedia file you try to throw at it. It will look for metadata formats like EXIF, C2PA, IPTC, and more, and validate ProofMode PGP signatures, OpenTimestamp notarization, and other cryptographic signatures. All of this happens locally in your browser, without any uploads to a server, ensuring privacy of your media and metadata is maintained.

7ASecurity Completes Security Audit of Círculo

Mon, 17 Mar 2025 00:00:00 +0000

Over the last six months, we’ve been working with 7ASecurity through support from the Open Technology Fund’s Security Safety Audits, to complete an audit of our Círculo project. The public report on that is now available. You can also read the blog post on the audit from 7ASecurity.

If you don’t know about Circulo, this is a physical check-in safety app we have developed, alongside Article 19’s Mexico City team, for a number of years, focused on providing secure location sharing and urgent notifications within small trusted groups, for people under threat of physical violence. The free and open-source code we have developed includes iOS and Android mobile apps, as well as server infrastructure, largely based on the Matrix Protocol, including the mobile software development kits (SDKs), MegaOLM encryption, and Synapse Server. You can read about the last round of work we completed on Circulo, including design, development, and community building, in a public report released in November.

ProofMode at RightsCon: Join The Hunt in Taipei!

Thu, 20 Feb 2025 00:00:00 +0000

Reposted from proofmode.org

Join the fun to defend reality against AI fakes, by using the ProofMode app to play The Hunt Taipei, a multi-day photo scavenger hunt held during RightsCon 2025 in Taipei, Taiwan from February 24th to the 27th, 2025.

IOCipher 1.0 community reboot

Sat, 01 Feb 2025 00:00:00 +0000

IOCipher update to version 1.0

We are thrilled to announce that a community contributor has picked up maintaining a fork of IOCipher and updated to IOCipher 1.0, designed to enhance your development experience and empower you to create more secure applications with ease. Here’s what’s new and why it matters to you:

1. Enhanced Features

We introduced a few new features. Most notably IOCipher is also available on Desktop Java for Linux and Windows now. (Although not all IOCipher features are fully supported on Windows). The latest release even includes some example code for accessing IOCipher VFS using Python.

Splintered Networks, Unbroken Proof

Wed, 29 Jan 2025 00:00:00 +0000

Reposted from proofmode.org

Nathan shares work for capturing and preserving verifiable eyewitness reporting during internet outages and shutdowns, sometimes called “Splinternets”. This solution builds on our Butter Box and ProofMode projects. ButterBox is a private, local micro-server hotspot, that allows for the secure upload and storage of multimedia evidence, along with other features.

We can also provide online and in-person trainings for humanitarian organizations, news organizations, journalists, election monitoring groups, and others.

A Look Back at 2024: F-Droid's Progress and What’s Coming in 2025

Tue, 21 Jan 2025 00:00:00 +0000

With 2024 now behind us, we wanted to take a moment to reflect on the growth and achievements we accomplished as a community last year, and celebrate the incredible support we received from the FOSS community throughout the journey.

This year has been a milestone for us, with significant strides in decentralizing app distribution, expanding the F-Droid ecosystem, and solidifying our infrastructure. All of these advancements were made possible thanks to donations, grants, our volunteers and regular contributors. So thank you again to everyone who helped make 2024 another great year for F-Droid. Now let’s take a closer look at what we accomplished.

Using TLS ECH from Python

Fri, 10 Jan 2025 00:00:00 +0000

At first, the idea of encrypting more of the metadata found inside the initial packet (the “ClientHello”) of a TLS connection may seem simple and obvious, but there are of course reasons that this wasn’t done right from the start. In this post I will describe the flow of a connection using Encrypted Client Hello (ECH) to protect the metadata fields, and present a working code example using a fork of CPython built with DEfO project’s OpenSSL fork to connect to ECH-enabled HTTPS servers.

Seeking Ruby/Jekyll contractors to start ASAP

Fri, 06 Dec 2024 00:00:00 +0000

Guardian Project is seeking Ruby/Jekyll contractors for mobile/free software and privacy work!

We’re looking for self-motivated, free software hackers to work with Guardian Project on privacy and internet freedom for mobile devices. Our work is 100% free software and we have a steady stream of projects that tie into F-Droid, Debian, Android, Fastlane, Mobifree and other exciting projects. We work to support people and communities around the world. This is a flexible, remote position but we also like to work in person when possible.

Seeking part-time Grant Administrator

Mon, 05 Aug 2024 00:00:00 +0000

Location: Fully remote (African/European time zone) or Vienna, Austria.

Type: Part-time contractor.

About us

Guardian Project is a small organization working to make a big impact in data privacy and secure communications. From the average person looking to use the internet and their mobile device more securely, to journalists needing to safely communicate with sources, to activists looking for secure communication channels, Guardian Project creates solutions that focus on privacy so you have true freedom.

First Time Using CalyxOS Review

Wed, 03 Apr 2024 00:00:00 +0000

“But how are you planning on using the phone?” he asked me. I paused, a bit confused. “As a replacement for my iPhone. I want to do everything with this phone that I can do with my iPhone, and use it as I normally would.” He took a beat to respond, “Wow, alright. Well let’s give it a shot.”

I would describe myself as tech-curious, but the reality is I am not your typical CalyxOS user. In fact, I didn´t know CalyxOS existed until recently. I am not a software developer, I can´t write code and until recently, I never worked in tech. But none-the-less I found myself needing a replacement for my iPhone and asked HC if they could help me out.

IETF119 Conference Report: Monday March 18, 2024

Mon, 18 Mar 2024 00:00:00 +0000

It’s Opening Day of the 119th IETF meeting in Brisbane Australia. This post commences a daily rundown of privacy and Internet Freedom activities at this IETF meeting. For the rundown on IETF119 Hackathon, see my Hackathon report

Dispatch

IETF meetings don’t often kick off with the open dispatch but this time it happened. Dispatch sessions are meant to help specification authors find a home for their work if a home isn’t obvious. There are two classes of dispatch request:

IETF119 Conference Report: Hackathon March 17, 2024

Sun, 17 Mar 2024 00:00:00 +0000

Hackathon Weekend at the 119th IETF meeting in Brisbane Australia. This post commences a daily rundown of privacy and Internet Freedom activities at this IETF meeting.

IETF’s Hackathon, held at each face-to-face IETF meeting, is designed to encourage interoperability testing of standards under development. See this meeting’s wiki page for a description ofthis year’s twenty-four projects.

The The HTTP Signature Authentication Scheme has been winding its way through the HTTPbis Working Group since being adopted as a Working Group draft in July 2022. This work proposes a mechanism by which HTTP servers can offer authenticated resources without telegraphing they do so (thus resisting probing attacks).

The future of our fdroid-compatible app repository

Sat, 24 Feb 2024 00:00:00 +0000

Guardian Project has been running its own fdroid-compatible app repository since 2012. Up until now, we worked to ensure that our repository had the same standards of free software as the official F-Droid repository. Therefore, the Guardian Project repository was included in the official F-Droid client app by default. A lot has changed since then, for the better. F-Droid has long since stopped shipping pre-built binaries from any provider. Back in the day, F-Droid shipped some binaries, like Mozilla’s Firefox APKs, and allowed some non-free libraries in apps. The free software ecosystem on Android has since blossomed, so F-Droid no longer needs to make those kinds of compromises. And F-Droid is completing a big update on how repositories are handled.

Quick set up guide for Encrypted Client Hello (ECH)

Fri, 10 Nov 2023 00:00:00 +0000

The Encrypted Client Hello (ECH) mechanism draft-spec is a way to plug a few privacy-holes that remain in the Transport Layer Security (TLS) protocol that’s used as the security layer for the web. OpenSSL is a widely used library that provides an implementation of the TLS protocol. The DEfO project has developed an implementation of ECH for OpenSSL, and proof-of-concept implementations of various clients and servers that use OpenSSL, and other TLS libraries, as a demonstration and for interoperability testing. DEfO is funded by the Open Technology Fund (OTF).

DEfO - Developing ECH for OpenSSL (round two)

Thu, 09 Nov 2023 00:00:00 +0000

Encrypted ClientHello (ECH) plugs a privacy-hole in TLS, hiding previously visible details from network observers. The most important being the name of the web-site the client wishes to visit (the Server Name Indication or SNI). This can be a major privacy leak, like when accessing a dissident news source hosted on a Content Delivery Network (CDN). A visible domain name also provides a straightforward method for censors to block websites and internet services. Tolerant Networks Limited and the Guardian Project successfully ran the OTF-funded DEfO project that developed interoperable implementations of ECH for OpenSSL, Conscrypt and, via those libraries, a range of ECH-enabled web servers and clients. This second funded project, DEfO-2, is a timely continuation of that project from the same the team. As needed for disambiguation, we use DEfO-1 to refer the completed project and DEfO-2 for this current project. When there’s no ambiguity, we use the DEfO acronym to cover both past and future work related to ECH for OpenSSL, related applications and other TLS stacks.

FIFA2023 Report

Fri, 03 Nov 2023 00:00:00 +0000

Forum on Internet Freedom in Africa (FIFAfrica) organized by the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) took place in September 26-29, 2023 in Dar es Salaam, Tanzania at the Hyatt Regency Hotel.

The first two days - the 26th and 27th of September - were invite only. The rest of the days - 28th and 29th of September - were meant for all the other participating attendees.

The theme of the event was “The Internet Freedom we want for Africa” which was highlighted during the opening ceremony. It was well organized with a dedicated media and photography team who did a great job in their coverage. Attendees and attending organizations were diverse coming from all over the world. They were not only limited to digital security folks but also there were attendees from academia, law, policy and government.

Achieve Onion Layers of Security with the Triad of Apple-tizing Apps!

Tue, 25 Jul 2023 00:00:00 +0000

Our summer intern Alfred just graduated high-school and is preparing to attend a major university to focus on a technical degree. He has a personal interest in privacy and security, and is working with us on a variety of projects this summer as part of a broad, crash-course in all things Guardian Project!

Last week, I worked with three different apps for the iPhone that, when they work together, allow for a secure and private mobile internet experience. Since they all build on the Tor Network, they also offer an untraceable way to share and download media. My task was to test the user experience in these apps and see how they interact with each other and to make sure that they’re working in the intended ways following a test plan.

F-Droid's Community-controlled Backup Ceremony

Sat, 15 Jul 2023 00:00:00 +0000

(Guest post from F-Droid, originally on f-droid.org)

Seven core contributors and one board member met in Scotland, the birthplace of F-Droid, for the first in-person F-Droid team meeting. One of the most pressing tasks we needed to take care of was setting up a contributor-controlled backup of all of our signing keys. The requirements made it necessary to have a lengthy, in-person, consensus-driven planning session. We found no good documentation of such a procedure, so we’re going out on a limb here and publishing the general outline of our process. This process was informally audited by multiple people with varying expertise before the public key was used to encrypt anything.

Improving website resilience with LibResilient and IPFS

Thu, 15 Jun 2023 00:00:00 +0000

We’re always looking for techniques to make services more resilient to all sorts of issues. That’s why we took special interest in LibResilient and mapped out it’s capabilities. It’s a JavaScript library for decentralized content delivery in web-browsers and markets itself as easy to deploy to any website. We’ve looked at LibResilient primarily in the context of static websites. While it should work with dynamic websites too, that was out of focus for us.

EU should not require sharing unpatched vulnerabilities

Sun, 11 Jun 2023 00:00:00 +0000

We, the undersigned organisations, write to express our concern with vulnerability disclosure requirements under the proposed Cyber Resilience Act (CRA). The CRA’s objective to encourage software publishers to patch vulnerabilities and report cyber incidents is salutary. However, the CRA’s mandatory disclosure of unmitigated vulnerabilities will undermine the security of digital products and the individuals who use them.

The CRA would require organisations to disclose software vulnerabilities to government agencies within 24 hours of exploitation (Cyber Resilience Act, Articles 11.1, 13.6, 14.4). However, such recently exploited vulnerabilities are unlikely to be mitigated within such a short time, leading to real-time databases of software with unmitigated vulnerabilities in the possession of potentially dozens of government agencies. The more this kind of information is spread, the more likely it is to be misused for state intelligence or offensive purposes, or to be inadvertently exposed to adversaries before a mitigation is in place. In addition, laws that require disclosure of unmitigated vulnerabilities to government agencies create an international precedent that may be reflected by other countries.

Improving Usability of Tor on Smartphones in Latin America

Fri, 02 Jun 2023 00:00:00 +0000

Between 2022 and 2023 Guardian Project, with support from Okthanks and the Tor Project, organized and participated in a total of 12 workshops in Ecuador, Mexico and Brazil with the participation of 161 people. The workshops focused both on the broad topic of “Tor for Smartphones”, while also taking deeper dives into specific topics like virtual private networks VPNs) and anonymous web browsing. Through a variety of methods, we gathered feedback from the participants in each of those sessions. We also ran detailed individual tests with volunteers to collect insights related to new features and usability improvements on specific apps. Our top takeaways from this process were, as follows:

IETF116 Conference Report: Friday March 31, 2023

Tue, 04 Apr 2023 00:00:00 +0000

Day Five of the 116th IETF meeting in Yokohama Japan. For the rundown on Day Four, see my daily report.

With a lot of focus on privacy with respect to Internet protocols, novel new cryptography schemes are an important requirement for new protocol designs. For example, Privacy Preserving Measurement is relying on new cryptography to support distributed aggregation of a wide range of measurements in the advertising domain as well as application telemetry. Privacy Pass is relying on new cryptography to allow web browsing across the broad Internet after a single, lightweight authentication to an authority. IETF Working Groups are encouraged to work with the Crypto Forum Research Group of the Internet Research Task Force (IRTF) to develop, test and refine new cryptography techniques that meet defined security/privacy goals and can scale for Internet-wide use.

IETF116 Conference Report: Thursday March 30, 2023

Thu, 30 Mar 2023 00:00:00 +0000

Day Four of the 116th IETF meeting in Yokohama Japan. For the rundown on Day Three, see my daily report.

The IETF is getting serious about interoperability among messaging services (this might have had something to do with it). The charter for the Messaging Layer Security Working Group (MLS) specifically excluded interoperability, though the group organized a draft that addressed the basic concepts that would allow MLS-compatible systems to federate. In early 2023, a new Working Group - More Instant Messaging Interoperability (MIMI) - was chartered to expand on the MLS federation work. Given IETF’s relatively long and somewhat checkered history with messaging, the Working Group’s charter included this reminder to itself:

IETF116 Conference Report: Wednesday March 29, 2023

Thu, 30 Mar 2023 00:00:00 +0000

Day Three of the 116th IETF meeting in Yokohama Japan. For the rundown on Day Two, see my daily report.

The long-running work on MASQUE - proxying all network-layer datatypes over QUIC (HTTP/3) - is nearing completion, with the specification for Proxying IP in HTTP in IESG review. With these components in place, the original MASQUE concept - a non-probable relay for client traffic providing privacy guarantees - has been revived, now defined within the new framework and leveraging HTTP Unprompted Authentication.

IETF116 Conference Report: Tuesday March 28, 2023

Wed, 29 Mar 2023 00:00:00 +0000

Day Two of the 116th IETF meeting in Yokohama Japan. For the rundown on Day One, see my daily report.

The OHAI Working Group has submitted the core draft of Oblivious HTTP Application Intermediation to the RFC Editor for editorial finalization and publication. OHAI is designed to support transational uses of the HTTP protocol that seek IP address privacy (by means of a relay pair, one associated with the client and one associated with the target resource). The target resource is, thus, said to be oblivious to the requester’s IP address. While the initially-imagined use case for OHAI was access to the DNS service (with some in the IETF feeling DNS-over-HTTP did not go far enough to protect user privacy), the dominant use case imagined today is telemetry - monitoring vendor-, application- or operating system-defined usage parameters on centralized systems.

IETF116 Conference Report: Monday March 27, 2023

Tue, 28 Mar 2023 00:00:00 +0000

This post begins a daily blog, live from the 116th meeting of the Internet Engineering Task Force in Yokohama, Japan, March 25-31, 2023. We’re focusing on standards activities of importance to the Internet Freedom community.

Since IETF114 (report), the Privacy Preserving Measurement Working Group has been deliberating over two distinct proposals offering very different technical methodologies for undertaking measurement activities while respecting user privacy. STAR offers an approach called k-anonymity - reporting a measurement value only if k or more parties are also reporting the same value. This approach theoretically prevents rare values being used to single-out individuals. Distributed Aggregation Protocol, DAP, uses an approach that distributes individual measures across a set of aggregators, none of which gets to see all the granular measurement data - the fully-aggregated total only seen by the third-party who requested it (who, in turn, gets to see none of the granular measurements). At IETF116 we’re learning about the operational experience with these technologies, with multiple implementations of both running in different testbeds. Performance analysis has also been undertaken.

Arti, next-gen Tor on mobile

Sat, 04 Mar 2023 10:00:00 -0400

For software projects with recurring bugs, efficiency or security issues there’s a joke making the rounds in the software industry: “Let’s re-write it in Rust!” It’s a fairly new low-level programming language with the declared goal to help developers avoid entire classes of bugs, security issues and other pitfalls. Re-writing software is very time consuming, so it rarely happens, especially when just one more fix will keep a project up and running.

Steps towards trusted VPNs

Tue, 28 Feb 2023 00:00:00 +0000

VPNs have become quite popular in recent years for a number of reasons, and more and more they are being touted as a privacy tool. The question is whether using a VPN does improve privacy. It is clear that VPNs are quite useful for getting access to things on the internet when direct connections are blocked. VPN providers include a number of tactics in both their client apps and server infrastructure to ensure that their users are able to make a connection. Then once users are connected, all of their traffic that goes over the VPN will see the internet from the point of view of the VPN’s server. That is how VPNs “unblock” the internet. In contrast, some are using VPNs to selectively block things, like making a system-wide adblocker.

Scanning apps, off the record

Wed, 28 Sep 2022 00:00:00 +0000

Smart phones have brought us so many wonderful capabilities. They let people around the world access vast realms of information. They let app developers solve problems large and small in a way most relevent to their local context. They are personal computers for the world. They also have given surveillance capitalism an unprecedented reach into everyone’s lives. Repressive governments use them in ways that the East German Stasi secret police could only have dreamed of. And as promising as artificial intelligence is, it is also threatening humanity. People around the world are pushing back. This public interest work requires technical inspection of apps. There are organizations highlighting algorithmic transparency and calling out surveillance capitalism. Journalists are linking apps into key stories about the misdeeds of powerful companies. Activists are exposing the hidden machinations of their governments. All of these people require technical skills to see what a given app is going.

The Search for Ethical Apps: Let's start with governments

Thu, 01 Sep 2022 00:00:00 +0000

Governments across the world are moving services to mobile apps. The vast majority of these apps are only available in the Google Play store or in the Apple App store. Installing apps from these services requires users to agree to their terms of service. This means governments require their citizens to sign opaque and privacy invading contracts with foreign Big Tech in order to use digital services. This feeds ever more into Big Tech data control, filtering, and information bubbles. There are some exceptions here, like China has multiple app stores that are popular. Chinese Big Tech also require restrictive terms of service agreements. Additionally, many of apps are developed by the same firms that are tied into the surveillance capitalism ecosystem. So they include features that track the end users. The governments are not demanding data transparency, and these firms have not been delivering it.

Serving Websites Privately Over Tor Onion Services (From Your Laptop!)

Mon, 29 Aug 2022 00:00:00 +0000

In this day and age when our data is consistently being tracked and profited off of, sharing information safely and securely is difficult. However, that does not necessarily mean that all network services are subject to such scrutiny. Users now have the ability to combine the security of HTTPS with the privacy benefits of Tor Browser and share information through Tor’s anonymous network services – Onion Services. By using an onion service, users can hide their location while active, connect to other Tor users, and retain their privacy throughout. But to do so, one needs to know how to set up an Onion Service.

DWeb versus Web3: An Intern's Journey!

Fri, 19 Aug 2022 00:00:00 +0000

Close your eyes and imagine. You are sitting, designing the next game-changing innovative idea; however, you are not worried about any information leakage or spread, as you are in control. You not only hold ownership of your data, but with each online activity, your fear of being tracked dissipates more. This new internet you explore on understands each input, tailoring the content to your specific needs as it no longer runs on basic commands, but rather uses the combination of technologies and concepts such as machine learning, big data, and decentralized ledger technology to process information in a smart, human-like manner. This image in your mind is no longer a distant fantasy, but rather a closely approaching reality – this reality is the decentralized web, otherwise referred to as the DWeb.

IETF114 Conference Report: Friday July 29, 2022

Fri, 29 Jul 2022 00:00:00 +0000

Day Five of the 114th IETF meeting in Philadelphia USA. For the rundown on Day Four, see my daily report.

A quiet day today with only the Messaging Layer Security Working Group holding its session. Draft 16 of the MLS protocol completed last-call in mid-July and has been submitted for review after significant technical and editorial feedback from the working group. Are we getting close (again)? The MLS Architecture document was lightly revised and version 8 submitted for review. Two new drafts were presented: MLS Content Negotiation and MLS Extensions. The former has yet to be adopted as a Working Group item, but the latter was adopted during IETF114 (before the MLS session, over the mailing list).

IETF114 Conference Report: Thursday July 28, 2022

Thu, 28 Jul 2022 00:00:00 +0000

Day Four of the 114th IETF meeting in Philadelphia USA. For the rundown on Day Three, see my daily report.

At IETF112 (online) a formal Birds of a Feather (BoF) session was held on the concept of Privacy Preserving Measurement. A Working Group was chartered and, at IETF113 in Vienna, we were treated to an incredibly detailed presentation on Prio, an academic concept for supporting privacy in the context of Internet-scale measurement. Quickly following that presentation was an IETF proposal for a defined protocol for distributed aggregation of measurement data, based on Prio’s core concepts and using a range of cryptographic and system architecture techniques to separate measurements from the identities of the human users being measured.

IETF114 Conference Report: Wednesday July 27, 2022

Wed, 27 Jul 2022 00:00:00 +0000

*Day Three of the 114th IETF meeting in Philadelphia USA. For the rundown on Day Two, see my daily report.

Interest is starting to consolidate on the need for additional definition for serving media over the QUIC transport layer, particularly for streaming and conferencing applications. Following an informal gathering at IETF113 in March 2022, a formal Birds of Feather session met today with a draft charter proposal and two draft documents describing the intended use cases and a protocol. Here’s a more visual overview. There was broad concensus (at this well-attended session) as to the need for this work, but a split between one camp that sought a much narrower set of use cases (not wanting to boil the Internet as it were) and another who wanted to solve this problem once. This will be addressed as the BoF leaders work towards a vote on chartering the effort. Either way, this is substantial work ahead. I mention this here not so much in the realm of privacy as to look towards a future where QUIC’s efficiency and scalability benefits might make media-rich services available to those of lesser economic means or with mediocre connectivity.

IETF114 Conference Report: Tuesday July 26, 2022

Tue, 26 Jul 2022 00:00:00 +0000

Day Two of the 114th IETF meeting in Philadelphia USA. For the rundown on Day One, see my daily report.

Lucas Pardue, of Cloudflare and co-chair of the QUIC Working Group, gave a not-so-tongue-in-cheek talk about the breakdown of the OSI layering model of the Internet. His focus was on the top of the stack, illustrating handsomely what QUIC and HTTP/3 have done (unknowingly to most) to our perception of layers. A key challenge: tools for HTTP/1 are widely available and the protocol and its impacts are widely understood. HTTP/2 and HTTP/3? Not so much (both are binary, not text-based, protocols). Yet, here in mid-2022, the world of the Internet is predominantly (91%!) HTTP/2 and HTTP/3 traffic. Similarly, TLS/1.3 and QUIC represent 87% of traffic. And many of the now-being-standardized protocols for privacy insert several layers of proxy into every transaction. From a sound knowledge perspective, we seem to have taken a rather quick, and rather deep, step backwards.

IETF114 Conference Report: Monday July 25, 2022

Mon, 25 Jul 2022 00:00:00 +0000

Day One of the 114th IETF meeting in Philadelphia USA.

With privacy a key consideration in new protocol design, cryptography has become a major focus of IETF activities. The Internet Research Task Force (IRTF) has the Crypto Forum Research Group where new cryptography schemes are brought forward and vetted for use in IETF protocols. Well, new is a misnomer. Much of the mathematics has long been defined, at least at its core, and the work is rather being brought into the IETF context where important engineering considerations apply: use of memory (at rest or in flight), processing required, round-trips required, etc.. Of significance at this meeting, mechanisms for blinding a digitial signature are in high demand given the prevalence of multi-tiered approaches to privacy (that is, approaches that insert one or more proxies between entities in a transaction). Something similar is in the works for cryptographic keys. A number of IETF protocol specifications, still in development, are in line to receive these mathematical gems including Privacy Pass, Private Access Tokens, Oblivious HTTP Application Intermediation and others. An excellent summary of the National Institute for Standards and Technology (NIST) Post-Quantum Cryptography contest was also provided. The topic itself, let alone the solutions chosen, is not for the weak-kneed.

IETF114 Hackathon Report: Sunday July 24, 2022

Sun, 24 Jul 2022 00:00:00 +0000

This post begins a daily blog, live from the 114th meeting of the Internet Engineering Task Force in Philadelpha Pennsylvania USA, July 23-29, 2022 (in-person meetings having restarted in March 2022 after the COVID pandemic abated). We’re focusing on standards activities of importance to the Internet Freedom community.

The Hackathon event kicks off each IETF event, with projects that run the gamut from early implementations of just-emerging specifications to full multi-vendor interoperability testing of nearly-mature protocols. At this event, I sat in on the MASQUE team’s effort to commence work on the new CONNECT-IP specification. With the recent completion of two key specifications - CONNECT-UDP and H3 Datagrams - MASQUE has become IETF’s solution for proxying all types of network traffic over QUIC and HTTP/3, including VPN and other privacy-focused scenarios. CONNECT-IP will complete the trio. But this initial effort didn’t go well. Google and Ericcson (co-authors on the spec) had brought teams who, indeed, implemented the key protocol elements of CONNECT-IP live and in-the-moment but were both stymied setting up testbeds that could deliver raw IP packets for routing by this new code. Wait, you might say, aren’t these network engineers? True, but it was mostly the practicalities that got in the way - only laptops as test machines, working from the open source QUICHE repository on a machine that also hosts an environment for building production code, even deciding what sort of packets could be used for testing and where to route them. These are the frustrations of a first-ever effort.

RightsCon Report: Surveillance and Facial Recognition: Protection or Instruments of Control?

Wed, 20 Jul 2022 00:00:00 +0000

Safety is one of the foremost questions we seek to answer as we roam about in our everyday lives, taking precautions to reduce the likelihood of all threats. It is the very reasoning behind the use of surveillance technology from civilians to the state government, as it hinders crime through fear of persecution and retribution. However, variables such as the time taken for assistance can limit this objective. In these instances, surveillance is not a means of protection, but rather justice, as facial recognition technology can discern the perpetrator to bring to justice. However, the concern arises: do those with the access to this means of seeking justice utilize it for other purposes?

IETF113 Conference Report: Friday March 25, 2022

Mon, 28 Mar 2022 00:00:00 +0000

Final day of the 113th IETF meeting, in Vienna Austria.

The IETF is looking to make a clear contribution to the problem of hyper-aggressive measurement of user activities on the Internet and the many misuses thereof. To do so, the IETF recognizes that some measurement is important but that many desirable measurements require data most people consider sensitive. It also recognizes that aggregated measurements often provide the most value, rather than individual ones. Yet, today, parties interested in measurement need to collect and store individual records in order to aggregate them, exposing themselves to potential violations of their privacy agreements with users (or governments) and to theft of that data by outsiders. Instead, IETF is looking at ways this aggregation can be managed in ways that protect user privacy while still providing much of the statistical power needed. The Privacy Preserving Measurement Working Group has formed.

IETF113 Conference Report: Thursday March 24, 2022

Sun, 27 Mar 2022 00:00:00 +0000

Day four of the 113th IETF meeting, in Vienna Austria.

Privacy Pass - originating at Cloudflare in 2017 as a solution to user frustration with CAPTCHA - has been in full swing as an IETF activity since mid-2020. Privacy Pass allows a client to solve some form of validity check (a CAPTCHA, a puzzle, a user-pass authentication) to then receive some number of tokens to be used at websites accepting Privacy Pass, thus eliminating the need to do a CAPTCHA at each site. Sites hosted on large CDNs like Cloudflare benefit (Cloudflare provides the service for them) and users get a more convenient experience. Users accessing the Internet through Tor are even more positively affected since they are most prone to CAPTCHA. Privacy Pass is now in Version 3 and working to support a multi-issuer environment to provide another uplift to the user experience (tokens can be validated across issuers). Just prior to this IETF meeting, a standardized mechanism for exchanging Privacy Pass tokens was adopted by the Working Group - The Privacy Pass HTTP Authentication Scheme. Both request and response mechanisms are provided so that use of (or demand for) the token can be either server- or client-initiated. Going forward, it will be interesting to see if Privacy Pass benefits mostly the web browsing environment or finds its way into applications using HTTP as a substrate for richer styles of interaction.

IETF113 Conference Report: Wednesday March 23, 2022

Sat, 26 Mar 2022 00:00:00 +0000

Day three of the 113th IETF meeting, in Vienna Austria.

Messaging Layer Security (MLS) is (finally) closing in on Last Call at protocol Draft 14 and architecture Draft 7 (which will be taken forward together). Sometimes referred to as the TLS for messaging systems, Messaging Layer Security creates a uniform secure group discussion protocol, scalable to very large groups and providing similarly uniform security guarantees across providers. The near completion of the architecture and protocol drafts, and commencement of interoperability testing has prompted the Working Group to dust off the Federation draft as the next object of their affection. Will I be able to connect my Wire client to the Facebook Messenger server? Don’t hold your breath, but in the meantime you’ll be able to enjoy the manifest benefits of secure group chat (with security guarantees as high as the industry knows how to produce) on your own network.

IETF113 Conference Report: Tuesday March 22, 2022

Thu, 24 Mar 2022 00:00:00 +0000

Day two of the 113th IETF meeting, in Vienna Austria. The crisis in Ukraine is on everyone’s mind, lending immediacy to the work of the Global Access to the Internet for All (GAIA) Research Group. While past and continuing work has focused on Internet access for the world’s population (especially those disadvantaged by economics, distance, mobility, and social constraints) the situation in Ukraine resulting from military activities give cause for both concern and hope. While communications access points have been obviously targeted, the inherently decentralized topology of the Internet infrastructure in Ukraine has afforded surprising resiliency, increased by the willingness of nominal competitors to patch the communication systems back together for the good of all. Few will remember that this resiliency from military attack was the raison d’être for ARPANet, predecessor to the Internet. Perhaps, in this era of increasing centralization (hardware and software), the crisis in Ukraine will give us the impetus to consider changes to the trajectory of consolidation we’ve allowed to occur. We’ll follow up on this topic tomorrow after the Human Rights Protocol Considerations (HRPC) Research Group who will take up the topic of Regional Internet Blocking.

IETF113 Conference Report: Monday March 21, 2022

Mon, 21 Mar 2022 00:00:00 +0000

It’s opening day at the 113th IETF meeting, the first in-person meeting in two years due to the COVID pandemic and being held in Vienna Austria. We’re focusing on standards activities of importance to the Internet Freedom community.

New work is brought to the IETF via Birds-of-a-Feature sessions and also each technical area’s Dispatch Working Group. The Application area often sees the most unique and interesting ideas and this meeting was no exception. The [Open Ethics Initiative] (https://openethics.ai/) introduced its idea for an ethics disclosure or transparency protocol to help promote trust among users and service providers in a way similar to nutrition labelling on foods. Two new drafts have been written related to the format of data exchange among messaging services. I know what you’re thinking: “but messaging services don’t interoperate”. Exactly. These drafts are a push to get that to happen, initially in the context of the Messaging Layer Security (MLS) effort. Along the same lines, a plea was made to liberate messaging from the confines of the encapsulating (and in some cases proprietary) protocols, to be used as first-class network transactions on their own via the Event Streaming Open Network. And, the team doing Encrypted Client Hello (ECH) introduced an idea to liberate ECH’s host configuration information from the DNS to which some folks believe it is inextricably bound. Well, they didn’t present it quite that way, but… Liberation was the theme of the event, it seems!

IETF113 Hackathon Project

Sun, 20 Mar 2022 00:00:00 +0000

This post begins a daily blog, live from IETF113 in Vienna Austria, March 19-25, 2022 (first in-person meeting after six remote-only meetings during the COVID pandemic).

The Hackathon event kicks off IETF and, at this meeting, we picked up work originally done by one of our teammates implementing version 5 of Internet Draft HTTP Transport Authentication. HTTP Transport Authentication is designed to authenticate such protocol flows in a manner that does not reveal any information to an attacker during failure cases. Therefore, applications using HTTP Transport Authentication are resistant to active probing by network adversaries.

Privacy Preserving Analytics in the Real World: Mailvelope Case Study

Mon, 28 Feb 2022 00:00:00 +0000

We love Mailvelope. It’s a popular browser extension for encrypting email messages. Now, Clean Insights is helping Mailvelope understand which webmail providers are most popular with their users so they can prioritize their development efforts.

Anyone who has written software knows it takes hard work to craft a great user experience. That’s even more challenging in Mailvelope’s case. Their browser extension integrates with more than a dozen ever-changing third party webmail interfaces. The Mailvelope team asks itself questions like, “Is time better spent improving the GMail integration or the mailbox.org one?” The answer often hinges on which providers are most popular among Mailvelope users, information not yet readily available to the Mailvelope team.

Spearphishing for developers

Wed, 23 Feb 2022 00:00:00 +0000

I received an interesting email that points to a new direction in targeting developers to exploit them. This email is a reply to a message that I actually wrote to an email list in 2012, that was posted on a public thread on a public list. It also uses the name of a person that posted on that thread: “Paul Eggers”. Oddly, it did not use that person’s actual email from the original thread. Especially considering that I replied to the message to ask for more info, but got no answer. I guess this was just to ensure that the real “Paul Eggers” did not respond.

Decentralizing Distribution

Sat, 05 Feb 2022 00:00:00 +0000

Guardian Project has been awarded a grant from the Filecoin Foundation for the Decentralized Web (FFDW) to work on decentralizing veracity and distribution (DVD). FFDW’s Mission is to “ensure the permanent preservation of humanity’s most important information by stewarding the development of open source software and open protocols for decentralized data storage and retrieval networks.” Filecoin is built on top of IPFS, which is “a distributed system for storing and accessing files”. The distribution component of the FFDW-DVD project is focused on improving F-Droid’s free, open, and decentralized mobile app ecosystem. On top of the flagship unified experience offered by this website and the F-Droid official app, F-Droid provides all the pieces for anyone to create, build, remix, publish, reproduce, redistribute and review mobile apps.

IETF: Year End Review 2021

Thu, 23 Dec 2021 00:00:00 +0000

In terms of potential impact on Internet Freedom, it’s been a banner year at the Internet Engineering Task Force (IETF). QUIC (featuring the improved privacy and security of TLS1.3) reached Proposed Standard status, with implementations and rollouts from every major vendor on both server and client, and with multiple open source toolkit options for developers. Encrypted Client Hello for TLS1.3 gained traction via the DEfO project that, through pull requests, makes a huge privacy enhancement easily available to the major security library (OpenSSL) underpinning the Internet’s most important service engines (nginx, apache, lighttpd, haproxy on the server, even curl on the client). IP address privacy got new attention with a working group formed around Oblivious HTTP Application Intermediation (OHAI), as did Privacy-Preserving Measurement (PPM) which seeks to drastically reduce the amount of personal information swept up in the pervasive monitoring of all public Internet activity. Meanwhile, the Internet Research Task Force (IRTF) has focused on developing new cryptographic techniques to serve these rapidly-evolving privacy-focused activities. IRTF also fosters work on truly-global Internet access and, in a sense, serves as the IETF’s conscience through it’s work on the human rights implications of protocol design.

Debian over HTTPS

Wed, 08 Dec 2021 00:00:00 +0000

Debian’s package manager apt has a time-tested method of securely providing packages from the network built on OpenPGP signatures. Even though this signing method works well for verifying the indexes and package files, there are new threats that have become relevant as man-in-the-middle attacks and data mining become ever easier. Since 2013, apt developers have supported encrypted transport methods HTTPS and Tor Onion Service. We have been recommending their use since 2013.

Most major mirrors already support HTTPS, and now https://security.debian.org has finally joined the party. That means it is possible to use HTTPS on all of the official repositories. On top of that, many Debian Developers are working on making HTTPS the default for new installs.

Implementing TLS Encrypted Client Hello

Tue, 30 Nov 2021 00:00:00 +0000

As part of the DEfO project, we have been working on accelerating the development Encrypted Client Hello (ECH) as standardized by the IETF. ECH is the next step in improving Transport Layer Security (TLS). TLS is one of the basic building blocks of the internet, it is what puts the S in HTTPS. The ECH standard is nearing completion. That is exciting because ECH can encrypt the last plaintext TLS metadata that it is possible to encrypt. So ECH will bring some real improvements in privacy and censorship resistance.

Announcement: AnyNews 1.0: Censorship-Resistant News and Media Distribution

Mon, 29 Nov 2021 00:00:00 +0000

Summary

For content publishers, AnyNews is a news distribution suite focused on service to censorship-prone geographies, easily integrated into existing content sources. AnyNews is open-source and easily branded (or customized, if desired) without extensive effort or expense. AnyNews integrates technologies to counter a range of censorship regimes and is designed to accommodate new technologies more easily and quickly as they arise. Tools are provided to support a range of publishing options for environments that suffer from connectivity or performance problems. Service engagements are possible when custom software is required.

IETF112 - Meeting Update (November 2021)

Wed, 24 Nov 2021 00:00:00 +0000

The 112th meeting of the Internet Engineering Task Force (IETF) took place November 8-12, 2021 - as a virtual event for the sixth time in succession due to the COVID-19 pandemic. Here’s a summary of the work I found important to the Internet Freedom community.

Privacy Preserving Measurement

While we often (rightly) focus on unwanted surveillance of targeted individuals by nation-states and other bad actors, the Internet’s surveillance economy presents a major threat to personal privacy and freedom for all users of the Internet, as Mozilla so aptly describes on this wiki page. Since IETF significantly boosted its focus on privacy at IETF105 (July 2019, where privacy was the plenary topic), participants at both research and engineering levels have begun to address this problem - initially with research studies and statements of requirements, and then with proposals. Later we’ll discuss proposals that try to offer more anonymity in the way users access the Internet. But new at this conference was a Birds of a Feather session formed around the idea of Privacy Preserving Measurement (PPM) and led by Mozilla’s Eric Rescorla who has collected significant thoughts and technical ideas here. This thinking would insert a layer of protection between end users and the data collection infrastructure in a way that would significantly impact the bad (for privacy) practices of current-term measurement tools - over-collection, under-protection and deep-interlinking. An architecture for PPM was proposed and, as there was significant interest from IETF attendees, a Working Group is being established to undertake the technical effort. There is a future work effort here to understand how this work overlaps or dove-tails with CleanInsights.

The IETF and Internet Freedom

Mon, 18 Oct 2021 00:00:00 +0000

It seems useful to clarify the relationship between the near-term work of keeping the Internet open on a daily basis - work that dominates the efforts of the Internet Freedom community - and the long term work of the industry on crafting operational standards for the same network.

Those involved in Internet Freedom are typically focused on the “problems of today”, creating solutions using existing technologies offering immediate effect. Often, it’s hard to tell if Internet standards are helping, hurting, or just in the way. However, looking back at the (roughly) 15-year history of Internet Freedom work, it’s useful to recognize the many times we’ve said to ourselves “Gosh, I would have done that differently if I’d had a chance to think about it”.

New insights into clean analytics

Tue, 02 Mar 2021 00:00:00 +0000

There is a giant problem with the “collect it all” status quo that pervades on the Internet, this has been clear for a long time. Tracking people has become so widespread that organizations, communities, projects and university labs have sprung up dedicated to detecting and publicizing their presence. Data and analytics are clearly useful for software creators and funders, but they also easily lead to harming people’s privacy and well-being. The past year of work on Clean Insights has clarified our goals to make analytics possible without injuring the very people we aim to serve. Clean Insights takes the world of data analytics and turns it on its head. The Clean Insights approach starts with thinking about the data, then choosing only the data that is clearly safe to use. A user’s location, complete device description, or other identifying information is dangerous to gather. A simple count of how many times a feature was used, or a webpage was visited, can be gathered without links to people.

Usability: the wonderful, powerful idea that betrayed us

Thu, 18 Feb 2021 00:00:00 +0000

Usability triggered a revolution in computing, taking arcane number crunching machines and making them essential tools in so many human endeavors, even those that have little to do with mathematics. It turned the traditional design approach on its head. Initially, experts first built a system then trained users to follow it. User experience design starts with goals, observes how people actually think and act in the relevant context, then designs around those observations, and tests with users to ensure it fits the users’ understanding. These ideas were pioneered in the Silicon Valley. This was driven by the unusual confluence of a pioneering spirit and deep engineering skills. That merged with a strong counter-culture looking to empower individuals and communities. So much of the best of digital technology has its roots in these ideas. I feel fortunate to have grown up immersed in these ideas in the Silicon Valley of the 70s and 80s, and still feel that sense of idealism that these ideas can truly make the world a better place.

Clean Insights: February 2021 Update on Privacy-Preserving Measurement

Wed, 10 Feb 2021 00:00:00 +0000

Greetings, all. I hope this finds you healthy and well, finding ways to enjoy the season (whichever it may be). While everyday still provides new challenges in the life of our team at Guardian Project, we continue to strive to be productive as productive as we can be in our professional and personal lives.

I’ve just posted an updated presentation on Clean Insights, reflecting on the symposium in May, and the work we have done since then. You can see and share it from here:

New Data Sources: API Key Identifiers and BroadcastReceiver Declarations

Tue, 15 Dec 2020 00:00:00 +0000

A central focus of the Tracking the Trackers project has been to find simple ways to detect whether a given Android APK app file contains code which tracks the user. The ideal scenario is a simple program that can scan the APK and tell a non-technical user whether it contains trackers, but as decades of experience with anti-virus and malware scanners have clearly demonstrated, scanners will always contain a large degree of approximation and guesswork. Tracking the Trackers grew out of experiments in using machine learning to detect malware. This provided the spark to apply this to privacy issues.

εxodus ETIP: The Canonical Database for Tracking Trackers

Fri, 11 Dec 2020 00:00:00 +0000

There is a new story to add to the list of horrors of Surveillance Capitalism: the United States’ Military is purchasing tracking and location data from companies that track many millions of people. We believe the best solution starts with making people aware of the problem, with tools like Exodus Privacy. Then they must have real options for stepping out of “big tech”, where tracking dominates. F-Droid provides Android apps that are reviewed for tracking and other “anti-features”, and F-Droid is built into mobile platforms like CalyxOS that are free of proprietary, big tech software.

Distribution in Depth: Mirrors as a Source of Resiliency

Mon, 07 Dec 2020 00:00:00 +0000

There are many ways to get the apps and media, even when the Internet is expensive, slow, blocked, or even completely unavailable. Censorshop circumvention tools from ShadowSocks to Pluggable Transports can evade blocks. Sneakernets and nearby connections work without any network connection. Hosting on Content Delivery Networks (CDNs) can make hosting drastically cheaper and faster. One method that is often overlooked these days is repository mirrors. Distribution setups that support mirrors give users the flexibility to find a huge array of solutions for problems when things are not just working. Mirrors on local networks can be much cheaper. Mirrors in specific countries are often not blocked or filtered. Mirrors can be copied onto portable storage and moved to where the users are.

Managing offline maps with F-Droid and OsmAnd

Sat, 28 Nov 2020 00:00:00 +0000

When disaster strikes, our mobile devices can provide us with many tools to deal with a wide variety of problems. The internet is not available in every corner of the planet, and large scale outages happen. Digital maps allow us to carry detailed maps of the entire planet in our pockets. And the good map apps allow the user to download entire regions to the device so that they operate without internet at all. Unfortunately, the big map apps from Google and Apple provide limited offline capabilities. For example, it is not possible to share offline data from one device to another. Online maps are also a major privacy leak, since location data is the most sensitive data. With online maps, the service operator sees each tile of the map that you look at, each time you look at it, as well as all the locations you search for.

Mon, 08 Jun 2020 00:00:00 +0000

In 2010, at the Open Video Conference hackathon, I came up with a concept called “auto blur the news”, while in a brainstorm with activists, advocates and coders, including Sam Gregory, a longtime ally from WITNESS. Using the built-in face recognition features on modern smartphones, you could instantly redact faces from a photo or video, instead of tagging or tracking those same faces. Out of this came an app called ObscuraCam, which was always meant as a proof of concept demonstration to help lobby mainstream apps and operating systems a simple feature available for all.

Easy translation workflows and the risks of translating in the cloud

Mon, 08 Jun 2020 00:00:00 +0000

Crowdsourced translation has opened up software and websites to whole new languages, regions, and uses. Making translating easier has brought in more contributors, and deploying those languages requires less work. A number of providers now offer “live”, integrated translation, speeding up the process of delivering translated websites. On the surface, this looks like a big win. Unfortunately, the way such services have been implemented opens up a big can of worms. Third parties must be trusted with user data. The translators cannot work without being tracked. Displaying the translation requires JavaScript. The security profile is more complicated and harder to defend.

Onion Browser Release 2.6 Tutorial

Tue, 02 Jun 2020 00:00:00 +0000

In this tutorial we’re going to talk about the best practices to browse the web securely on iOS using Onion Browser Release 2.6 and the Tor network. Onion Browser for iOS is a free, open-source web browser app developed originally by Mike Tigas, with Release 2.6 as a collaboration with the Guardian Project. Onion Browser has Tor built-in and uses Tor to protect your web activity.

You can also watch the Onion Browser Video Tutorial on YouTube.

On the classification of tracking

Wed, 20 May 2020 00:00:00 +0000

This position paper tries to outline a framework for defining trackers in smart phones and lists mechanisms for identifying them. It hopes to serve as the foundation for the work done in the Tracking-the-Trackers project.

In section 1 we start with an abstract analysis of levels of unwanted behaviour in the context of tracking.

Next, in section 2, we focus on an attacker’s perspective, on anonymity and pseudonymity. This foundation allows us to define terms which are needed throughout the paper.

Free Software Tooling for Android Feature Extraction

Wed, 06 May 2020 00:00:00 +0000

As part of the Tracking the Trackers project, we are inspecting thousands of Android apps to see what kinds of tracking we can find. We are looking at both the binary APK files as well as the source code. Source code is of course easy to inspect, since it is already a form that is meant to be read and reviewed by people. Android APK binaries are a very different story. They are first and foremost a machine-executable format. On top of that, many developers deliberately obfuscate as much as possible in the APK to resist inspection.

"Features" for Finding Trackers

Tue, 28 Apr 2020 00:00:00 +0000

One key component of the Tracking the Trackers project is building a machine learning (ML) tool to aide humans to find tracking in Android apps. One of the most important pieces of developing a machine learning tool is figuring out which “features” should be fed to the machine learning algorithms. In this context, features are constrained data sets derived from the whole data set. In our case, the whole data set is terabytes of APKs. This post is an outline of the features that we are focusing on in this current project.

Figuring Out Crowdsourced Translation of Websites

Thu, 23 Apr 2020 00:00:00 +0000

Crowdsourced translation platforms like Weblate, Transifex, Crowdin, etc. have proven to be a hugely productive way to actively translate apps and desktop software. Long form texts like documentation and websites remain much more work to translate and keep translated. Many translation services currently support Markdown and HTML, but very basically, which means much more work for translators and webmasters. Translators can inadvertently break things, either with a typo or because of a lack of knowledge of a specific syntax. This can make the whole page layout break. Webmasters and documentation maintainers must carefully check the process to ensure everything is working smoothly. With the spread of Markdown as a standard format, there is now hope! Software developers can focus efforts on the Markdown translation workflow, and Markdown is more tolerant of syntax errors than HTML.

The Promise and Hazards of COVID Contact Tracing Apps

Thu, 09 Apr 2020 00:00:00 +0000

There has been increasing interest in the possibilities of tracking people who are infected with Coronavirus using all of the various methods that smart phones provide. There is good reason: “contact tracing” has been a pillar of public health efforts for decades. It is an effective means to curtail the spread of infectious disease. At the same time, governments, companies, and organizations are acting fast to offer services to help end this current pandemic. The problem is that many of these are taking advantage of these times to introduce more tracking of people, more data collection, and more control over people. We must not let contact tracing be used to reduce privacy and increase unnecessary data collection.

We Support the Open COVID Pledge

Thu, 09 Apr 2020 00:00:00 +0000

Please join this Open COVID Pledge by committing to freely share technology for all work that aims to end the Coronavirus Disease 2019 (COVID-19) pandemic.

We believe that free software licenses like the GNU GPL and the Apache License already provide these key benefits. We are making this statement to make it clear that all of our code is available for any effort to end the COVID Pandemic.

We grant to every person and entity that wishes to accept it, a non-exclusive, royalty-free, worldwide, fully paid-up license to fully use, practice and exploit all our patent and copyright rights, for the sole purpose of ending the COVID-19 pandemic and minimising the impact of the disease, including diagnosis, prevention, containment, and treatment.

Improving Crowdsourced Translation of Long Form Text

Thu, 05 Mar 2020 00:00:00 +0000

We are happy to announce the start of work on another step in improving crowdsourced localization, funded by the ISC Project. This is the second part of our ongoing “Linguine” collaboration to move crowdsourced translation to privacy-respecting free software.

Crowdsourced translation has proven enormously successful getting apps and website software translated into many languages. Using tools like Weblate or Transifex, developers can quite easily incorporate translated app strings into their mobile apps and websites. Any kinds of text that is easily broken down into phrases and sentences will fit easily into the crowdsourced workflow. Localization Lab enables a wide range of volunteers to contribute to the most important projects in a wide array of languages.

MASQUE Review

Tue, 25 Feb 2020 00:00:00 +0000

MASQUE is set of related IETF drafts for specifying flexible proxying built into a standard webserver. It is meant to be deployed on a server that is serving public websites, then this connection can be reused for proxying generic connections. It is very much a work in progress, so any of this can change. It is currently built on top of the QUIC+HTTP/3 and HTTP/2+TLS+TCP protocols. The website and proxy packets look the same, and all connections to the webserver will be shared and reused, regardless of whether its a web page request or proxy traffic. Each new proxy/website request will reuse any existing connection, providing a key reduction in metadata that makes all the packets blend together from the point of view of the network observer. For example, to prevent the network observer from corrolating requests to proxy with the outbound request to the destination, a client could first connect to the website, then some time later, connect to the proxy.

Tracking the Trackers: using machine learning to aid ethical decisions

Thu, 16 Jan 2020 00:00:00 +0000

F-Droid is a free software community app store that has been working since 2010 to make all forms of tracking and advertising visible to users. It has become the trusted name for privacy in Android, and app developers who sell based on privacy make the extra effort to get their apps included in the F-Droid.org collection. These include Nextcloud, Tor Browser, TAZ.de, and Tutanota. Auditing apps for tracking is labor intensive and error prone, yet ever more in demand. F-Droid already has tools to aide contributors in this process, visible in the app submission and Request For Packaging (RFP) issue trackers. We also have functional prototypes of using machine learning to drastically speed up this process by augmenting humans, rather than replacing them.

NetCipher + Conscrypt for the best possible TLS

Tue, 17 Dec 2019 00:00:00 +0000

A new NetCipher library has recently been merged: netcipher-conscrypt. In the same vein as the other NetCipher libraries, netcipher-conscrypt wraps the Google Conscrypt library, which provides the latest TLS for any app that includes it. netcipher-conscrypt lets apps then disable old TLS versions like TLSv1.0 and TLSv1.1, as well as disable TLS Session Tickets. This is an alpha release because it only works on recent Android versions (8.1 or newer). The actual functionality works well, the hard part remains making sure that it is possible to inject netcipher-conscrypt as the TLS provider on all Android devices and versions. And the last missing piece is finding the right place in Conscrypt to configure proxying to support Tor or other privacy proxies

Trusted Update Channels vs. Scratching Your Itch

Mon, 02 Dec 2019 00:00:00 +0000

One of the great things about free software is that people can easily take a functional program or library and customize it as they see fit. Anyone can come along, submit bug fixes or improvements, and they can be easily shared across many people, projects, and organizations. With distribution systems like Python’s pypi, there is an update channel that the trusted maintainers can publish fixes so consumers of the library can easily get updates. When talking about update channels and code, it is unavoidable to also talk about people and trust. One key piece is the trust relationship between the consumer and the maintainer. The ideal software distribution system would be a blind, trustworthy pipe between the software maintainers and each end user.

Onions on Apples: A New Release of Onion Browser for iOS

Tue, 08 Oct 2019 00:00:00 +0000

During 2019, Guardian Project has been working with developer Mike Tigas to make improvements to his Tor-enabled web browser for iOS, Onion Browser. Here we re-cap the major improvements currently - and soon-to-be - available.

Mike developed Onion Browser on his own, in close collaboration with the Tor Project. Though we’ve worked with Mike in the recent-past, this 2019 project – funded by the Open Technology Fund – gave us significantly more bandwidth to address the challenges of running Tor on iOS, especially alongside a full web-browsing feature set.

IOCipher 64-bit builds

Mon, 07 Oct 2019 00:00:00 +0000

IOCipher v0.5 includes fulil 64-bit support and works with the latest SQLCipher versions. This means that the minimum supported SDK version had to be bumped to android-14, which is still older than what Google Play Services and Android Support libraries require.

One important thing to note is that newer SQLCipher versions require an upgrade procedure since they changed how the data is encrypted. Since IOCipher does use a SQLCipher database, and IOCipher virtual disks will have to be upgraded. That can be done by directly using the SQLCipher migration method on your IOCipher database files before opening them again. It should be possible to stick with SQLCipher v3.5.9 to avoid this, but this has not been tested.

Tor Project: Orfox Paved the Way for Tor Browser on Android

Tue, 03 Sep 2019 00:00:00 +0000

Last month, we tagged the final release of Orfox, an important milestone for us in our work on Tor. Today, we pushed this final build out to all the Orfox users on Google Play, which forces them to upgrade to the official Tor Browser for Android..

Our goal was never to become the primary developer or maintainer of the “best” tor-enabled web browser app on Android. Instead, we chose to act as a catalyst to get the Tor Project and the Tor Browser development team themselves to take on Android development, and upstream our work into the primary codebase. This has happened, and it is a great news for everyone. The work for developing and updating Tor Browser on the desktop and Android are now coordinated and synchronized, and end-users benefit from more frequent updates and improvements.

NetCipher update: global, SOCKS, and TLSv1.2

Tue, 25 Jun 2019 00:00:00 +0000

NetCipher has been relatively quiet in recent years, because it kept on working, doing it was doing. Now, we have had some recent discoveries about the guts of Android that mean NetCipher is a lot easier to use on recent Android versions. On top of that, TLSv1.2 now reigns supreme and is basically everywhere, so it is time to turn TLSv1.0 and TLSv1.1 entirely off.

A single method to enable proxying for the whole app

As of Android 8.0 (26 aka Oreo), it is now possible to set a URLStreamHandlerFactory, which creates URLConnection instances with custom configurations. If an app is using the built-in HttpURLConnection API for its networking, it is now possible to enable global proxying with a single method call when the app starts: NetCipher.useGlobalProxy(). Then the actual proxy configuration can be set dynamically, using things like NetCipher.useTor() or NetCipher.clearProxy().

PanicKit 1.0: built-in panic button and full app wipes

Tue, 04 Jun 2019 00:00:00 +0000

Panic Kit is 1.0! After over three years of use, it is time to call this stable and ready for widespread use.

Built-in panic button

This round of work includes a new prototype for embedding PanicKit directly into Android. Android 9.0 Pie introduced a new “lockdown” mode which follows some of the patterns laid out by PanicKit. There is an Enter lockdown button available on the power button menu, so it is rapidly available. This is a great panic trigger button, so we made a prototype of a System Settings app that lets users connect the full flexibility of PanicKit responses to this Enter lockdown button. The functionality that Google links to this new button is extremely limited, it seems to be a one time restriction on how you login. The PanicKit responses are in addition to what Google included. CalyxOS is working to integrate this, look for test releases soon!

Exploring possibilities of Pluggable Transports on Android

Tue, 16 Apr 2019 15:00:00 -0400

Pluggable Transports (PT) give software developers the means to establishing reliable connections in DPI-filtered network scenarios. A variety of techniques are supported, all available by implementing just one standard. We looked into how this can be put to work in Android Apps. Hence we crafted 3 fully functional PT-enabled prototype Apps based on well known open source projects.

All our prototypes rely on obfs4 which is a stable PT implementation widely deployed by Tor. Guardian Project published a library called AndroidPluggableTransports for giving Android developers access easy access to PT. Since we could not find any easily accessible sample code, we created a minimal demo project, illustrating a minimal setup for sending a HTTP-request through a OBFS4 connection.

Use Onions/HTTPS for software updates

Wed, 23 Jan 2019 06:35:40 -0400

There is a new vulnerability in Debian’s apt that allows anything that can Man-in-the-Middle (MITM) your traffic to get root on your Debian/Ubuntu/etc boxes. Using encrypted connections for downloading updates, like HTTPS or Tor Onion Services, reduces this vulnerability to requiring root on the mirror server in order to exploit it. That is a drastic reduction in exposure. We have been pushing for this since 2014, and Debian, mirror operators, and others in the ecosystem have taken some big steps towards making this the standard. This should finally put to rest the idea that plain HTTP is enough for software updates with signed metadata.

Wind is a Mozilla & National Science Foundation Grand Prize Winner

Wed, 26 Sep 2018 10:54:38 -0400

On August 14th, members of the Guardian Project team traveled to Mountain View to compete in the final round of the Wireless Innovation for a Networked Society (WINS) Challenge. We learned in July that our Wind project was a finalist, and we now had the opportunity to compete for one of the grand prizes, in a TED-meets-SharkTank style event, at Mozilla HQ.

Wind is a network designed for opportunistic communication and sharing of local knowledge that provides off-grid services for everyday people, using the mobile devices they already have. In the Wind network, Chime is the hyperlink, but one that exists in time and space, discoverable through beacon broadcasts and human-to-human sharing. All of this is powered by free and open-source software, running on readily available consumer hardware, and can be deployed at little to no cost, in a very short amount of time.

IOCipher is the antidote to “Man-in-the-Disk” attack

Fri, 17 Aug 2018 16:56:00 -0400

Recently, at DEFCON 2018, researchers at Check Point announced a new kind of attack made possible by the way many Android apps are implemented. In summary, developers use the shared external storage space in an unsafe manner, by not taking into consideration that other apps also have read and write access to the same space. A malicious app can modify data used by another app, as a vector for compromising that app, causing it to be compromised or crash.

Our “Wind” project is a Mozilla-NSF challenge finalist!

Fri, 20 Jul 2018 14:28:23 -0400

For the last few years, we’ve been working on the Wind network concept, as a nearby, local, off-grid companion, or alternative, to the Web. This year, we decided to participate in the Wireless Innovation Challenge, sponsored by Mozilla and the National Science Foundation. Today, it was announced that we are a finalist in, as they put it, “A Science Fair with $1.6 Million in Prizes”.

Watch the video below to learn more about Wind, or jump right over to the Wind project page.

Orbot: Over 20 Million Served, Ready for the Next Billion

Wed, 16 May 2018 07:42:38 -0400

We recently published the latest release of Orbot (16.0.2!), and as usual, we make it available via Google Play, as well F-Droid, and through direct download on our website. Whether we like it or not, Google keeps tracks of things like total installs and active installs (i.e. not uninstalled), and reports on that for us through their dashboard. While publishing this release, we noticed a milestone that made us a bit proud… so pardon this humblebrag.

Orbot v16: a whole new look, and easier to use!

Fri, 05 Jan 2018 13:14:17 -0400

Orbot: Tor for Android has a new release (tag and changelog), with a major update to the user experience and interface. This is the 16th major release of Orbot, since it was launched in late 2009.

The main screen of the app now looks quite different, with all the major features and functions exposed for easy access. We have also added a new onboarding setup wizard for first time users, that assists with configuring connections to the Tor network for users in places where Tor itself is blocked. This release also continues to support users looking to use Orbot to unblock specific apps, that may not be available on their network or country. From the main screen, users can activate Orbot’s built-in VPN feature, and easily choose which specific apps they want to be routed over the Tor network. You can also refresh your Tor identity, rebuilding all circuit connections through the network, using the circular reload icon in the expanded notification provided by Orbot.

Haven: Building the Most Secure Baby Monitor Ever?

Fri, 22 Dec 2017 09:07:00 -0400

About eight months ago, friends at the Freedom of the Press Foundation reached out to us, to see if we were interested in prototyping an idea they had been batting around. They knew that from projects like CameraV and Proofmode, that we knew how to tap into the sensors on smartphones to do interesting things. They also knew we could connect devices together using encrypted messaging and onion routing, through our work on ChatSecure and Tor (Orbot!). They also knew of our deep interest in bringing ideas to life that can solve real problems faced by people out on the front lines (both at home and abroad), who often are more in danger from physical threats, than digital. They had a concept that would bring all of these things together, and just wanted to see if it was even possible. We were game, and well, here we are today, announcing a real working public beta, and a new open-source project, that we are extremely excited about.

Building a Signing Server

Mon, 18 Dec 2017 05:43:34 -0400

The Android APK signing model sets the expectation that the signing key will be the same for the entire lifetime of the app. That can be seen in the recommended lifetype of an Android signing key: 20+ years. On top of that, it is difficult to migrate an app to a new key. Since the signing key is an essential part to preventing APKs from impersonating another, Android signing keys must be kept safe for the entire life of the app.

No more “Root” features in Orbot… use Orfox & VPN instead!

Fri, 27 Oct 2017 13:02:02 -0400

Since I first announced the available of Orbot: Tor for Android about 8 years ago (wow!), myself and others have been working on various methods in which to make the capabilities of Tor available through the operating system. This post is to announce that as of the next, imminent release, Orbot v15.5, we will no longer be supporting the Root-required “Transproxy” method. This is due to many reasons.

First, it turns out that allowing applications to get “root” access on your device seems like a good idea, it can also be seen as huge security hole. I am on the fence myself, but considering that the ability to access root features hasn’t been standardized as part of Android, which 8 years ago I hoped it would, it means there are a whole variety of ways that this capability is managed and safeguarded (or not, in most cases). At this point in time, given the sophistication we are seeing mobile malware and rootkits, it seems like a capability that we did not want to focus time and energy on promoting.

Ostel.co is permanently offline

Thu, 10 Aug 2017 17:16:51 -0400

We are sad to announce that the Ostel service is officially discontinued and permanently offline. While Guardian Project had a hand in its conception and initial implementation, the actual operation of the service was spun out long ago to be run by a new venture a member of our original team. They have kept Ostel running free of charge for many years of reliable service, but at this point it seems, they have decided they can no longer do so.

Repomaker Usability Trainers Worldwide, June 2017

Thu, 29 Jun 2017 08:13:04 -0400

Repomaker Usability, Trainers Worldwide Study

Prepared by Carrie Winfrey and Tiffany Robertson, Okthanks, in partnership with F-Droid and Guardian Project

OK Thanks – Guardian Project

For more information, contact carrie@okthanks.com.

Purpose

The purpose of this study was to understand the following things.

Are users able to complete basic tasks including, creating a repo, adding apps from other repos, removing apps, editing app details, and creating a second repo?
Do participants understand how to get the apps from a repo installed on an Android phone?
Word choice—Do people understand the word repo?
Is repomaker a useful tool to participants?

Tracking usage without tracking people

Thu, 08 Jun 2017 10:58:53 -0400

One thing that has become very clear over the past years is that there is a lot of value in data about people. Of course, the most well known examples these days are advertising and spy agencies, but tracking data is useful for many more things. For example, when trying to build software that is intuitive and easy to use, having real data about how people are using the software can make a massive difference when developers and designers are working on improving their software. Even in the case of advertisers, they mostly do not care exactly who you are, they want to know what you are interested in so that they can more effectively promote things to you.

fdroidserver UX Testing Report

Thu, 01 Jun 2017 04:36:14 -0400

We ran user tests of fdroidserver, the tools for developers to create and manage F-Droid repositories of apps and media. This test was set up to gather usability feedback about the tools themselves and the related documentation. These tests were put together and run by Seamus Tuohy/Prudent Innovation.

Methodology

Participants completed a pretest demographic/background information questionnaire. The facilitator then explained that the amount of time taken to complete the test task will be measured and that exploratory behavior within the app should take place after the tasks are completed.

Announcing new libraries: F-Droid Update Channels

Wed, 31 May 2017 11:40:27 -0400

In many places in the world, it is very common to find Android apps via a multitude of sources: third party app stores, Bluetooth transfers, swapping SD cards, or directly downloaded from websites. As developers, we want to make sure that our users get secure and timely update no matter how they got our apps. We still recommend that people get apps from trusted sources like F-Droid or Google Play.

New research report on the challenges developers face

Mon, 15 May 2017 05:07:17 -0400

The Guardian Project has been working with the F-Droid community to make it a secure, streamlined, and verifiable app distribution channel for high-risk environments. While doing this we have started to become more aware of the challenges and risks facing software developers who build software in closed and closing spaces around the world.

There are a wealth of resources available on how to support and collaborate with high-risk users. Surprisingly, we could not find any guidance on how to support and collaborate with developers where the internet is heavily monitored and/or filtered, let alone developers who might be at risk because of the software they develop.

F-Droid User Testing, Round 2

Mon, 01 May 2017 04:51:24 -0400

by Hailey Still and Carrie Winfrey

****

Here we outline the User Testing process and plan for the F-Droid app store for Android. The key aims of F-Droid are to provide users with a) a comprehensive catalogue of open-source apps, as well as b) provide users with the the ability to transfer any app from their phone to someone in close physical proximity. With this User Test, we are hoping to gain insights into where the product design is successful and what aspects need to be further improved. Main goals are obtaining a baseline user performance and identifying potential design concerns regarding ease of use. An additional goal is to promote F-Droid as an alternative to the Google Play app store.

F-Droid: A new UX 6 years in the making

Mon, 17 Apr 2017 10:19:19 -0400

(post by Peter Serwylo)

F-Droid has been a part of the Android ecosystem for over 6 years now.
Since then, over 2000 apps have been built for the main repository,
many great features have been added, the client has been translated into over 40 different languages, and much more.

However, the F-Droid UX has never changed much from the original three tab layout:

F-Droid Lubbock Report – What We Want to Know

Mon, 17 Apr 2017 08:07:47 -0400

F-Droid LBK Usability Study Report – What We Want to Know

Prepared by Carrie Winfrey

Preliminary Version – April 17, 2017

Introduction

When planning this user test, the team outlined features and flows within the app on which we wanted feedback. From there, we created tasks for participants to complete that would access these areas, and produce insights related to our inquires.

This document is organized by the tasks participants completed. Initial inquiry questions are outlined under each task, followed by the feedback and observations gained from the test. Last, within each section, I’ve listed suggestions for improvement related to the task.

Proofmode critiques and progress

Thu, 30 Mar 2017 09:53:22 -0400

Bruce Schneier was kind enough to post about our work on Proofmode to his blog. A decent set of comments ensued, which we have considered, measured and weighed. We posted the response below on the post, and now also here. We also received an excellent set of feedback from the Lieberbiber blog. Below are responses to the various concerns raised, and links to work completed or in progress.

At a high level, securely dating files, digital notarization, easy capture of sensor metadata, among other things, are not solved problems. For every day activists around the world, who may only have a cheap smartphone as their only computing device, they have no easy way to do any of these things. Even for high-level war crimes investigators, they are often using consumer point and shoot digital cameras, and documenting everything on paper.

Announcing the Developer Challenges Survey

Tue, 21 Mar 2017 11:32:22 -0400

In the Guardian Project‘s current work with the FDroid community to make it a secure, streamlined, and verifiable app distribution channel for high-risk environments we have started to become more aware of the challenges and risks facing software developers who build software in around the world.

Build Android apps with Debian: apt install android-sdk

Mon, 13 Mar 2017 10:03:30 -0400

In Debian stretch, the upcoming new release, it is now possible to build Android apps using only packages from Debian. This will provide all of the tools needed to build an Android app targeting the “platform” android-23 using the SDK build-tools 24.0.0. Those two are the only versions of “platform” and “build-tools” currently in Debian, but it is possible to use the Google binaries by installing them into /usr/lib/android-sdk.

Combating “Fake News” With a Smartphone “Proof Mode”

Fri, 24 Feb 2017 02:10:47 -0400

We have been working for many years with our partners at WITNESS, a leading human rights media training and advocacy organization, to figure out how best to turn smartphone cameras into tools of empowerment for activists. While it is often enough to use the visual pixels you capture to create awareness or pressure on an issue, sometimes you want those pixels to actually be treated as evidence. This means, you want people to trust what they see, to know it hasn’t been tampered with, and to believe that it came from the time, place and person you say it came from.

F-Droid now supports APK Expansion Files aka OBB

Wed, 22 Feb 2017 10:24:53 -0400

Many games, mapping, and other apps require a large amount of data to work. The APK file of an Android app is limited to 100MB in size, yet it is common for a single country map file to be well over 100MB. Also, in order to get users running as quickly as possible, they should not have to wait for huge amounts of data to download in order to just start the app for the first time.

Build Your Own App Store: Android Media Distribution for Everyone

Wed, 22 Feb 2017 09:45:11 -0400

Most people get their Android apps from Google Play. It is usually the simplest and most secure option for them. But there are also many people who do not have access to Google Play. This might be due to lack of a proper internet connection or simply because Google Play is blocked within their country.

The F-Droid project already offers tools to create independent app distribution channels for Android apps. These tools are ready for production, but require expert knowledge and the command-line to be used. Now, we want to build upon this foundation and develop curation tools that can also be used by people with little technical knowledge, thus making the app distribution technology more broadly available.

How can we learn without watching?

Mon, 30 Jan 2017 14:40:05 -0400

What kind of measurement, tracking or analytics do you use, and can you sleep at night with your decision?

As part of the Berkman-Klein Assembly program at Harvard, I am working with a team to imagine a next-generation mobile and IoT analytics system that has privacy, confidentiality and anonymity at its core. The hope is we can find ways to learn what our users like and understand how our apps are performing without having to rely on proprietary cloud services, logging liability, network vulnerabilities, and invasive app permissions.

Imagining the challenges of developers in repressive environments

Thu, 26 Jan 2017 09:56:59 -0400

The Guardian Project team spends a lot of time thinking about users. In our work we focus on easy-to-use applications for users in high-risk scenarios. Because of this we are very focused on security. In our current work with the FDroid community to make it a secure, streamlined, and verifiable app distribution channel for high-risk environments we have started to become more aware of the challenges and risks facing software developers who build software in high-risk environments.

New Partnership with Circle of 6 mobile safety app

Thu, 19 Jan 2017 06:00:34 -0400

Circle of 6 Focuses on Security with Guardian Project Partnership

Safety App Will Get End-to-End Encryption and More To Support High-Risk Communities

New York, NY: Two innovative organizations have partnered to bring increased digital security and privacy capabilities to users interested in improved safety for their mobile devices. Tech 4 Good, the developer of Circle of 6, a highly regarded mobile safety app developed to promote safety and health through networks of trust, has partnered with Guardian Project, a leader in mobile security and privacy technologies. The two organizations will work to upgrade the capabilities of the Circle of 6 app to provide users with secure messaging, private identities and improved physical security of device data.

Orfox 1.2.1 released

Fri, 02 Dec 2016 00:50:40 -0400

We’ve released a new version of Orfox, our Tor Browser for Android, that contains an an important security update to Firefox.

This update is based on the latest release of Tor Browser, which was announced with this message:

The security flaw responsible for this urgent release is already actively exploited on Windows systems. Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available the underlying bug affects those platforms as well. Thus we strongly recommend that all users apply the update to their Tor Browser immediately.

“If This, Then Panic!” Sample Code for Triggering Emergency Alerts

Mon, 17 Oct 2016 09:55:22 -0400

Earlier this year, we announced the PanicKit Library for Android and Ripple, our basic app for alerts any compatible app that you are in an emergency situation. Rather than build a solitary, enclosed “panic button” app that only can provide a specific set of functionality, we decided, as we often do, to build a framework, and encourage others to participate. Since then, we’ve had over 10 different apps implement PanicKit responder functionality, including Signal, OpenKeyChain, Umbrella app, StoryMaker and Zom.

Orfox 1.2: An Overdue Update to Our Privacy-Focused Browser!

Sun, 25 Sep 2016 00:43:54 -0400

Primarily this release is the first in a long while after improving our ability to stay up-to-date with core Tor Browser development. In addition, as Mozilla adds more and more features to the core Firefox, we must review them for any issues related to increased permission request, access to data, and privacy and network leaks. This is a slow, tedious job, so thank you for your patience. We expect to have more frequent, regular releases moving forward.

HOWTO: get all your Debian packages via Tor Onion Services

Sun, 31 Jul 2016 17:28:57 -0400

Following up on some privacy leaks that we looked into a while back, there are now official Debian Tor Onion Services for getting software packages and security updates, thanks to the Debian Sys Admin team. This is important for high risk use cases like TAILS covers, but also it is useful to make it more difficult to do some kinds of targeted attacks against high-security servers. The default Debian and Ubuntu package servers use plain HTTP with unencrypted connections. That means anyone with access to the network streams could both monitor and fingerprint traffic. When an request for a security update is spotted, an attacker knows that machine is vulnerable to an exploit, and could reliably exploit it before the security update is applied.

OpenArchive: Free & Secure Mobile Media Sharing #DWebSummit

Tue, 07 Jun 2016 15:37:03 -0400

I am excited to share another new “mini app” effort we have joined up with, as part of work we are doing to create simple, focused tools that solve a single issue. We also are aiming to builds apps that are 1 to 3MB in size, and work on Android phones back to version 2.3, in order to maximize accessibility for a global audience. OpenArchive is one of these efforts. It is a project led by Natalie Cadranel, who received a Knight Foundation prototype grant in 2014. The initial work was done by our partners at Scal.io, and continued now by the core Guardian Project team. The app is now in stable beta and ready for wider testing.

Building the most private app store

Thu, 02 Jun 2016 11:08:52 -0400

App stores can work well without any tracking at all

Attackers are increasingly seeing app stores as a prime attack vector, whether it is aimed at the masses like XCodeGhost or very targeted like in FBI vs Apple. When we install software from an app store, we are placing a lot of trust in a lot of different parties involved in getting the source code from the original developer delivered to our device in a useful form. Most people are entirely unaware of how much trust they are putting into this system, which they are entrusting with their personal data. Even for people who do understand the technical details involved, figuring out whether the people and the system itself is trustworthy is difficult to do.

Data Usage and Protection Policies

Wed, 04 May 2016 00:00:00 +0000

At a high level, it is easy say that “we know nothing”. We do not log data or include analytics in our websites or applications. When we do operate servers to support our applications, they are configured to store as minimal data as possible, usually just a username and password, if that is required. We also only recommend third party services, such as XMPP services, VoIP services, or Proxy and VPN providers, who abide by these same policies.

Copperhead, Guardian Project and F-Droid Partner to Build Open, Verifiably Secure Mobile Ecosystem

Mon, 28 Mar 2016 13:42:36 -0400

Three open-source projects haved joined together to announce a new partnership to create an open, verifiably secure mobile ecosystem of software, services and hardware. Led by the work of the Toronto-based CopperheadOS team on securing the core Android OS, Guardian Project and F-Droid have joined in to partner on envisioning and developing a full mobile ecosystem. The goal is to create a solution that can be verifiably trusted from the operating system, through the network and network services, all the way up to the app stores and apps themselves. Through a future planned crowdfunded and commercial offering, the partnership will provide affordable off-the-shelf solutions, including device hardware and self-hosted app and update distribution servers, for any individual and organizations looking for complete mobile stacks they can trust.

PanicKit: making your whole phone respond to a panic button

Tue, 12 Jan 2016 08:59:41 -0400

Our mobile devices do so many things for us, making it easy to communicate with people in all manners while giving us access to all sorts of information wherever we are. But in times of anxiety and panic, it is difficult to quickly use them. Will you be too shaky to type in your PIN or lock pattern? Will you have enough time to find your trusted contacts and send them a message? On top of that, our mobile devices carry massive amounts of private information in them: banking details, pictures, all of our messages and call logs.

How to Migrate Your Android App’s Signing Key

Tue, 29 Dec 2015 12:03:54 -0400

It is time to update to a stronger signing key for your Android app! The old default RSA 1024-bit key is weak and officially deprecated.

What?

The Android OS requires that every application installed be signed by a digital key. The purpose behind this signature is to identify the author of the application, allow this author and this author alone to make updates to the app, as well as provide a mechanism to establish inter-application trust. The Android security model defines an app by two things: the package name (aka packageName, ApplicationID, package) and the signing key. If either of those are different, then Android considers it a different app. When the package name and signing key of one APK match an installed app, then the APK is considered an update and Android will replace the installed app with the APK. If the APK is signed by a different key, then Android will prevent installing and updating.

Good translations are essential to usability

Wed, 09 Dec 2015 17:20:15 -0400

All too often, translation of an app are treated as an afterthought. It is not something that the app developers see, since they create the software in languages that work best for them. So the software looks complete to the developers. But for anyone using the software in a different language, translation is essential in order for the app to be useful. If you can’t understand the words that you see in the app’s interface, it is going to be difficult or impossible to use that app.

First Reproducible Builds Summit

Wed, 09 Dec 2015 05:02:48 -0400

I was just in Athens for the “Reproducible Builds Summit“, an Aspiration-run meeting focused on the issues of getting all software builds to be reproducible. This means that anyone starting with the same source code can build the exact same binary, bit-for-bit. At first glance, it sounds like this horrible, arcane detail, which it is really. But it provides tons on real benefits that can save lots of time. And in terms of programming, it can actually be quite fun, like doing a puzzle or sudoku, since there is a very clear point where you have “won”.

CipherKit reproducible builds

Mon, 21 Sep 2015 10:54:05 -0400

We have been on a kick recently with making our build process support “reproducible builds” aka “deterministic builds”. What is this reproducible thing? Basically, what that means is that you can run a script and end up with the exact same binary file as our official releases, be it a APK, JAR, AAR, whatever. That lets anyone verify that our releases are produced only from the source in git, without including anything else, whether deliberately or accidentally (like malware).

Orfox: Aspiring to bring Tor Browser to Android

Tue, 30 Jun 2015 15:32:16 -0400

Update 24 September, 2015: Orfox BETA is now on Google Play: https://play.google.com/store/apps/details?id=info.guardianproject.orfox

In the summer of 2014 (https://lists.mayfirst.org/pipermail/guardian-dev/2014-August/003717.html{.external}), we announced that the results of work by Amogh Pradeep (https://github.com/amoghbl1{.external}), our 2014 Google Summer of Code student, has proven we could build Firefox for Android with some of the settings and configurations from the Tor Browser desktop software. We called this app Orfox, in homage to Orbot and our current Orweb browser. This was a good first step, but we were doing the build on Mozilla’s Firefox code repository, and then retrofitting pieces from Tor Browser’s code, which wasn’t the right way to do things, honestly.

Building a trustworthy app store that respects privacy

Tue, 02 Jun 2015 16:38:03 -0400

One core piece of our approach is thinking about very high risk situations, like Ai Weiwei or Edward Snowden, then making the tools for operating under that pressure as easy to use as possible. That means that we might occasionally come across as a little paranoid. It is important to dive into the depths of what might be possible. That is an essential step in evaluating what the risks and defenses are, and how to prioritize them. Making usable software is not just making things easy, but rather making tools for real world situations that are a simple as possible.

Hiding Apps in Plain Sight

Thu, 07 May 2015 09:25:10 -0400

Beyond just thinking about encryption of data over the wire, or at rest on your mobile device, we also consider physical access to your mobile device, as one of the possible things we need to defend against. Some of our apps, such as Courier, our secure news reader, include a Panic feature, enabling a user to quickly delete data or remove the app, if they fear their device will be taken from them, whether by a friend, family member, criminal or an authority figure. Most recently, with our work on CameraV, our secure evidence camera app, we have implemented a few more features that help hide the app and its data, in order to block an unintended person from seeing the photos and videos captured by it.

Getting Android tools into Debian

Thu, 30 Apr 2015 11:13:26 -0400

As part of Debian’s project in Google Summer of Code, I’ll be working with two students, Kai-Chung Yan and Komal Sukhani, and another mentor from the Debian Java Team team, Markus Koschany. We are going to be working on getting the Android SDK and tools into Debian, as part of the Debian Android Tools team, building upon the existing work already included from the Java and Android Tools teams. This project is in conjunction with the Java team since there is overlap between Android and Java tools, like gradle, maven, etc. Since this work is in Debian, all of the Debian-derivatives will automatically inherit this work. That includes: Ubuntu, Mint, Elementary, and many more.

Phishing for developers

Tue, 24 Feb 2015 04:41:29 -0400

I recently received a very interesting phishing email directed at developers with apps in Google Play. One open question is, how targeted it was: did anyone else get this?

It turns out that Google has been recently stepping up enforcement of certain terms, so it looks like some people are taking advantage of that. It is a pretty sophisticated or manually targeted phishing email since they got the name of the app, email address, and project name all correct. The one detail that gives it away is that the From: address uses the fake domain, even though it would have been possible to send the email using the actual Google account in the From: field. But this likely would have triggered spam and malware detection algorithms. So they took a subtly different approach by using a real Google address in the Reply-To:. But they were clever enough to use the same sub-domain, gooogle.com.de, in the From: address as in the phishing link accounts.gooogle.com.de, following a Google pattern of subdomains. They also included other real Google links for support and as a “follow up” URL.

Complete, reproducible app distribution achieved!

Wed, 11 Feb 2015 14:51:22 -0400

With F-Droid, we have been working towards getting a complete app distribution channel that is able to reproducibly build each Android app from source. while this may sound like a mundane detail, it does provide lots of tangible benefits. First, it means that anyone can verify that the app that they are using is 100% built from the source code, with nothing else added. That verifies that the app is indeed 100% free, open source software.

Experimental app to improve privacy in location sharing

Thu, 29 Jan 2015 07:36:58 -0400

As part of the T2 Panic effort, I’ve recently been diving deep into the issues of sharing location. It is unfortunately looking really bad, with many services, including Google, frequently sharing location as plain text over the network. I’ve started to write up some of the issues on this blog.

As part of this, I’ve put together an experimental Android app that aims to act as a privacy filter for all ways of sharing location. Mostly, that means it accepts all sorts of URLs from location services, and tries to parse the location from the URL, then rewrites it into a geo: URI, which is the standard way to share location in Android (and hopefully soon all others). As of ChatSecure v14.1.0, these geo: URLs are also clickable.

First working test of IOCipher for Obj-C

Mon, 26 Jan 2015 04:32:29 -0400

Every so often, we revisit our core libraries in the process of improving our existing apps, and creating new ones. IOCipher has become a standard part of our apps since it provides a really easy way to include encrypted file storage in Android apps. And we are now working on spreading it to iOS as well, headed up by Chris Ballinger, with the first preliminary tests of IOCipher for Obj-C. Testing and contributions are most welcome! Find us in our chat room or mailing list for questions, or just post a comment below! Since the iOS version is based on the exact same core library, libsqlfs, the container files they produce will also be fully compatible with each other.

Sharing your location privately

Fri, 23 Jan 2015 15:00:10 -0400

Facebook location sharing embeds the location in every single message, providing a detailed log to the recipient, Facebook, and anyone Facebook shares that data with

One handy feature that many smartphones give us is the ability to easily share our exact position with other people. You can see this feature in a lot of apps. Google Maps lets you click “Share” and send a URL via any method you have available. In Facebook Messenger, you can click a button and the people on the other side of the chat will receive a little embedded map showing the received location. Of course, the question we always ask is: how can we do this in a privacy-preserving way? And the follow up question: what kinds of information are apps leaking, storing, using, etc? Location is especially valuable and sensitive metadata, especially when there is a lot of it, because it can be used to derive so much information about a person. Most people do not want to publicly post their phone number or home address on the internet, yet are unwittingly giving away far more detailed information by using the various location-based services that are available. There is a lot of specific location information that people do not want to publicize that they visit: a cancer specialist, an abortion clinic, a criminal court, a mistress’ house, or any location information to an abusive spouse. For a great illustration of the power of location metadata, you can watch an animation of German politician Malte Spitz’s life, based on his telephone metadata that his telecom had stored.

2015 is the Year of Bore-Sec

Fri, 02 Jan 2015 12:35:41 -0400

Over the last few months, the Guardian Project team has been thinking about how to approach the next five years of our work. An idea of “security so easy and seamless, that it is boring” came to the surface through some discussions. This led us to look for inspiration in important inventions and innovations of the past, that provide safety and security to all on a day-to-day basis, without the users of these technologies hardly thinking about them. This is no longer about James Bond super-spy technologies, it is about having as little impact on your day-to-day use of mobile technology while still providing the maximum protection to your data and communications, as possible.

Reducing metadata leakage from software updates

Thu, 16 Oct 2014 12:48:04 -0400

Update: now you can do this with Tor Onion Services

Many software update systems use code signing to ensure that only the correct software is downloaded and installed, and to prevent the code from being altered. This is an effective way to prevent the code from being modified, and because of that, software update systems often use plain, unencrypted HTTP connections for downloading code updates. That means that the metadata of what packages a machine has installed is available in plain text for any network observer, from someone sitting on the same public WiFi as you, to state actors with full network observation capabilities.

CipherKit updates: IOCipher and CacheWord

Fri, 26 Sep 2014 21:39:54 -0400

We’ve been on a big kick recently, updating the newest members of our CipherKit family of frameworks: IOCipher and CacheWord. There also are is a little news about the original CipherKit framework: SQLCipher-for-Android.

IOCipher v0.2

IOCipher is a library for storing files in an encrypted virtual disk. It’s API is the exact same as java.io for working with files, and it does not need root access. That makes it the sibling of SQLCipher-for-Android, both are native Android APIs that wrap the SQLCipher database.

Question: central server, federated, or p2p? Answer: all!

Thu, 18 Sep 2014 00:30:57 -0400

There are many ideas of core architectures for providing digital services, each with their own advantages and disadvantages. I break it down along the lines of central servers, federated servers, and peer-to-peer, serverless systems.

a central service with clients connecting to it

Most big internet companies operate in effect as a central server (even though they are implemented differently). There is only facebook.com, there are no other services that can inter-operate with facebook.com. Have a single, central repo makes problems of finding the service and finding people within the service a lot easier. Once you are in Facebook, you just need to know the name of the person you want to contact and you are connected. The Facebook apps just need to talk to facebook.com, so the user does not need to know which service they are using in order to configure the app.

ChatSecure for Android v14 is FINALLY here!

Wed, 10 Sep 2014 08:35:39 -0400

I am so happy to announce that ChatSecure for Android v14 IS FINALLY HERE!

BUT This is our first “release candidate” of v14 for public use, and while we love it dearly, you may want to wait for 14.0.1 for us to work out any hiccups.

The update should be out on Google Play shortly, and FDroid in the next few days. Otherwise, you can always download the APK direct from us:

ChatSecure 13.2: Important Beta!

Tue, 05 Aug 2014 11:35:54 -0400

Today is the first public beta of ChatSecure v13.2, an important update of the user interface, networking code, and overall stability. We’ve spent the last six months tracking down crashes, memory leaks and performance issues, and have reached a stable, functional point which we want to share for public use. Reliability and simplicity our the goals, as we move towards v14 in the next few months.

This beta also features a new account setup wizard that we are eager for feedback on. Our goal is to enable new users to have a much simpler experience in setting up ChatSecure to connect to existing or create new accounts. We have also provided a “one-click burner” option to quickly create throwaway accounts, that require Tor and OTR encryption always, for chatting with a single contact or even just a single conversation.

Introducing TrustedIntents for Android

Wed, 30 Jul 2014 23:29:23 -0400

Following up on our research on secure Intent interactions, we are now announcing the first working version of the TrustedIntents library for Android. It provides methods for checking any Intent for whether the sending and receiving app matches a specified set of trusted app providers. It does this by “pinning” to the signing certificate of the APKs. The developer includes this “pin” in the app, which includes the signing certificate to trust, then TrustedIntents checks Intents against the configured certificate pins. The library includes pins for the Guardian Project and Tor Project signing certificates. It is also easy to generate the pin using our new utility Checkey (available in our FDroid repo and in Google Play).

New Official Guardian Project app repo for FDroid!

Mon, 30 Jun 2014 20:26:39 -0400

We now have an official FDroid app repository that is available via three separate methods, to guarantee access to a trusted distribution channel throughout the world! To start with, you must have FDroid installed. Right now, I recommend using the latest test release since it has support for Tor and .onion addresses (earlier versions should work for non-onion addresses):

https://f-droid.org/repo/org.fdroid.fdroid_710.apk

In order to add this repo to your FDroid config, you can either click directly on these links on your devices and FDroid will recognize them, or you can click on them on your desktop, and you will be presented with a QR Code to scan. Here are your options:

Recent news on Orweb flaws

Mon, 30 Jun 2014 12:43:51 -0400

August 2014: New browser development news here, including Orfox, our Firefox-based browser solution: https://lists.mayfirst.org/pipermail/guardian-dev/2014-August/003717.html

On Saturday, a new post was relased by Xordern entitled IP Leakage of Mobile Tor Browsers. As the title says, the post documents flaws in mobile browser apps, such as Orweb and Onion Browser, both which automatically route communication traffic over Tor. While we appreciate the care the author has taken, he does make the mistake of using the term “security” to lump together the need for total anonymity up with the needs of anti-censorship, anti-surveillance, circumvention and local device privacy. We do understand the seriousness of this bug, but at the same time, it is not an issue encountered regularly in the wild.

Our first deterministic build: Lil’ Debi 0.4.7

Mon, 09 Jun 2014 16:41:34 -0400

We just released Lil’ Debi 0.4.7 into the Play Store and f-droid.org. It is not really different than the 0.4.6 release except in has a new, important property: the APK contents can be reproduced on other machines to the extent that the APK signature can be swapped between the official build and builds that other people have made from source, and this will still be installable. This is known as a “deterministic build” or “reproducible build”: the build process is deterministic, meaning it runs the same way each time, and that results in an APK that is reproducible by others using only the source code. There are some limitations to this, like it has to be built using similar versions of the OpenJDK 1.7 and other build tools, for example. But this process should work on any recent version of Debian or Ubuntu. Please try the process yourself, and let us know if you can verify or not:

Orbot now at v14.0.0 build 100!

Sat, 07 Jun 2014 23:45:17 -0400

The latest Orbot is out soon on Google Play, and by direct download from the link below:
Android APK: https://guardianproject.info/releases/orbot-latest.apk
(PGP Sig)

The major improvements for this release are:

Uses the latest Tor 0.2.42.22 stable version
Fix for recent OpenSSL vulnerabilities
Addition of Obfuscated Bridges 3 (Obfs3) support
Switch from Privoxy to Polipo (semi-experimental)

and much more… see the CHANGELOG link below for all the details.

The tag commit message was “updating to 14.0.0 build 100!”
https://gitweb.torproject.org/orbot.git/commit/81bd61764c2c300bd1ba1e4de5b03350455470c1

and the full CHANGELOG is here: https://gitweb.torproject.org/orbot.git/blob_plain/81bd61764c2c300bd1ba1e4de5b03350455470c1:/CHANGELOG

Automatic, private distribution of our test builds

Fri, 06 Jun 2014 17:17:01 -0400

One thing we are very lucky to have is a good community of people willing to test out unfinished builds of our software. That is a very valuable contribution to the process of developing usable, secure apps. So we want to make this process as easy as possible while keeping it as secure and private as possible. To that end, we have set up an FDroid repository of apps generated from the test builds that our build server generates automatically every time we publish new code.

Reset The Net!

Wed, 04 Jun 2014 19:07:14 -0400

We’re making the Internet more secure, by taking part in #ResetTheNet https://resetthenet.org

Security in a thumb drive: the promise and pain of hardware security modules, take one!

Fri, 28 Mar 2014 16:54:39 -0400

Hardware Security Modules (aka Smartcards, chipcards, etc) provide a secure way to store and use cryptographic keys, while actually making the whole process a bit easier. In theory, one USB thumb drive like thing could manage all of the crypto keys you use in a way that makes them much harder to steal. That is the promise. The reality is that the world of Hardware Security Modules (HSMs) is a massive, scary minefield of endless technical gotchas, byzantine standards (PKCS#11!), technobabble, and incompatibilities. Before I dive too much into ranting about the days of my life wasted trying to find a clear path through this minefield, I’m going to tell you about one path I did find through to solve a key piece of the puzzle: Android and Java package signing.

Eric Schmidt Awards Guardian Project a “New Digital Age” Grant

Mon, 10 Mar 2014 12:22:34 -0400

An interesting turn of events (which we are very grateful for!)

FOR IMMEDIATE RELEASE
Diana Del Olmo, diana@guardianproject.info
Nathan Freitas (in Austin / SXSW) +1.718.569.7272
nathan@guardianproject.info

Get press kit and more at: https://guardianproject.info/press

Permalink:
https://docs.google.com/document/d/1kI6dV6nPSd1z3MkxSTMRT8P9DcFQ9uOiNFcUlGTjjXA/edit?usp=sharing

GOOGLE EXECUTIVE CHAIRMAN ERIC SCHMIDT AWARDS GUARDIAN PROJECT A “NEW DIGITAL AGE” GRANT

The Guardian Project is amongst the 10 chosen grantee organizations to be awarded a $100,000 digital age grant due to its extensive work creating open source software to help citizens overcome government-sponsored censorship.

Tweaking HTTPS for Better Security

Wed, 12 Feb 2014 19:14:59 -0400

The HTTPS protocol is based on TLS and SSL, which are standard ways to negotiate encrypted connections. There is a lot of complexity in the protocols and lots of config options, but luckily most of the config options can be ignored since the defaults are fine. But there are some things worth tweaking to ensure that as many connections as possible are using reliable encryption ciphers while providing forward secrecy. A connection with forward secrecy provides protection to past transactions even if the server’s HTTPS private key/certificate is stolen or compromised. This protects your users from large scale network observers that can store all traffic for later decryption, like governments, ISPs, telecoms, etc. From the server operator’s point of view, it means less risk of leaking users’ data, since even if the server is compromised, past network traffic will probably not be able to be encrypted.

Improving trust and flexibility in interactions between Android apps

Tue, 21 Jan 2014 13:51:57 -0400

Activity1 sending an Intent that either Activity2 or Activity3 can handle.

Android provides a flexible system of messaging between apps in the form of

<a href="https://developer.android.com/guide/components/intents-filters.html" target="_blank">Intent</a>s. It also provides the framework for reusing large chunks of apps based on the <a href="https://developer.android.com/reference/android/app/Activity.html" target="_blank">Activity</a> class. Intents are the messages that make the requests, and Activitys are the basic chunk of functionality in an app, including its interface. This combination allows apps to reuse large chunks of functionality while keeping the user experience seamless and fluent. For example, an app can send an Intent to request a camera Activity to prompt the user to take a picture, and that process can feel integrated into the original app that made the request. Another common use of this paradigm is choosing account information from the contacts database (aka the People app). When a user is composing an new email, they will want to select who the message gets sent to. Android provides both the contacts database, and a nice overlay screen for finding and selecting the person to send to. This combination is an Activity provided by Android. The message that the email program sends in order to trigger that Activity is an Intent.

Four Ways InformaCam Powers Mobile Media Verification

Mon, 06 Jan 2014 15:14:16 -0400

_Note: A big discussion topic of 2013 was about how hard cryptography and security is for average people, journalists and others. With that in mind, we’d like to sub-title this post “Making Mobile Crypto Easy for Eyewitnesses”, as the InformaCam software and process described below includes the full gamut of security and cryptography tools all behind a streamlined, and even attractive application user experience we are quite proud of…. _

One of the primary goals of the InformaCam project (now in public beta!) is to create an environment where, when it comes to photos and video captured on smartphones, people and organizations can trust what they see. Faked photos and videos, whether intended to be humorous or malicious, are all too common online, especially in times of crisis. Thus, the software that been developed works to ensure the full, complete original photo or video captured of an event, can safely reach the people who need to see it, without it first being filtered, modified, cropped, trimmed or otherwise manipulated.

Integrating Crypto Identities with Android

Sat, 28 Dec 2013 19:42:56 -0400

ver the past couple of years, Android has included a central database for managing information about people, it is known as the ContactsContract (that’s a mouthful). Android then provides the People app and reusable interface chunks to choose contacts that work with all the information in the ContactsContract database. Any time that you are adding an account in the Settings app, you are setting up this integration. You can see it with Google services, Skype, Facebook, and many more. This system has a lot of advantages, including:

Keys, signatures, certificates, verifications, etc. What are all these for?

Thu, 12 Dec 2013 13:20:09 -0400

For the past two years, we have been thinking about how to make it easier for anyone to achieve private communications. One particular focus has been on the “security tokens” that are required to make private communications systems work. This research area is called internally Portable Shared Security Tokens aka PSST. All of the privacy tools that we are working on require “keys” and “signatures”, to use the language of cryptography, and these are the core of what “security tokens” are. One thing we learned a lot about is how to portray and discuss tools for private or anonymous communications to people who just want to communicate and are not interested in technical discussion. This is becoming a central issue among a lot of people working to make usable privacy tools.

SQLCipher has 100M+ Mobile Users (Thanks to WeChat!)

Tue, 10 Dec 2013 16:38:02 -0400

(Note: Originally this post had a title claiming 300 Million WeChat users… that would have included iOS and Android, and we don’t know if the WeChat iOS app also includes SQLCipher encryption or not. That said, there are 50-100M Google Play downloads of WeChat for Android, which does not include all of the users inside China)

Through some of our own recent sluething, Citizen Lab’s research into “Asia Chats” security, and now via this detailed look at WeChat security from Emaze.com, it has been recently discovered that WeChat for Android uses SQLCipher for local data encryption in its app. We co-developed SQLCipher for Android with Zetetic, and have been working to promote its adoption among Android developers who need to protect data stored locally on a device. While many people would point to Android’s Full Disk Encryption feature as a solution for that, only a small percentage of users ever enable it, and even then, once a device is unlocked, then all data is accessible by someone looking to extract it. With SQLCipher, the application can ensure its own data is encrypted, and if the app is closed, then the data is secured.

Getting keys into your keyring with Gnu Privacy Guard for Android

Fri, 06 Dec 2013 15:11:53 -0400

Now that you can have a full GnuPG on your Android device with Gnu Privacy Guard for Android, the next step is getting keys you need onto your device and included in Gnu Privacy Guard. We have tried to make it as easy as possible without compromising privacy, and have implemented a few approaches, while working on others. There are a few ways to get this done right now.

Gnu Privacy Guard registered itself with Android as a handler of all the standard OpenPGP MIME types (application/pgp-keys, application/pgp-encrypted, application/pgp-signature), as well as all of the OpenPGP and GnuPG file extensions (.pkr .skr .key .sig .asc .gpg .bin). This means that users just have to share a file to Gnu Privacy Guard using any of the standard Android methods, these files can be launched from an email attachment, opened from the SD card using a file browser, clicked in the Downloads view, etc.

Ostel.co secure VoIP network partners with Open Hosting

Tue, 03 Dec 2013 17:56:18 -0400

Ostel.co began as a R&D effort sponsored by The Guardian Project. The question: Is a peer-to-peer secure voice and video call network possible to build with open Internet standards and Open Source software? After two years and tens of thousands of users later, the answer is a resounding YES!

Two of the crucial components of any standards based VoIP service are infrastructure to route calls and a database to locate end users. Open Hosting’s service was a perfect fit, so we’ve teamed up for ongoing support of ostel.co. Open Hosting has a high speed, low-latency network in the southern USA, which hosts the backend to route calls over the ostel.co domain. It also has a clearly defined, concise Privacy Policy and Terms of Service.

VoIP security architecture in brief

Thu, 21 Nov 2013 19:07:17 -0400

Voice over IP (VoIP) has been around for a long time. It’s ubiquitous in homes, data centers and carrier networks. Despite this ubiquity, security is rarely a priority. With the combination of a handful of important standard protocols, it is possible to make untappable end to end encryption for an established VoIP call.

TLS is the security protocol between the signaling endpoints of the session. It’s the same technology that exists for SSL web sites; ecommerce, secure webmail, Tor and many others use TLS for security. Unlike web sites, VoIP uses a different protocol called the Session Initiation Protocol (SIP) for signaling: actions like ringing an endpoint, answering a call and hanging up. This is the metadata of calls. SIP-TLS uses the standard Certificate Authorities for key agreement. This implies trust between the certificate issuer and the calling endpoints.

A tag-team git workflow that incorporates auditing

Thu, 21 Nov 2013 14:03:22 -0400

Git is as wonderful as it is terrible, it is immensly flexible but also far from intuitive. So to make our lives easier, we try to use git as it was originally intended, as a toolkit for building workflows.

Integration-Manager Workflow

We use a simple version of the “

Integration-Manager Workflow“. One key difference is that we often have multiple contributors acting as the integration manager. This means that there is always someone else besides the original author reviewing each commit. For example: I make a commit and push it to my public developer’s repo. I ask Abel to review my commit, and if he agrees with it, he then pushes it to the official public “upstream” repo (aka “blessed repository”). And since git will tell us if a remote repo is different than our local repo, this process makes it harder for an attacker to slip a commit into our remote repo without us noticing.

Turn Your Device Into an App Store

Mon, 18 Nov 2013 16:27:30 -0400

As we’ve touched upon in previous blog posts the Google Play model of application distribution has some disadvantages. Google does not make the Play store universally available, instead limiting availability to a subset of countries. Using the Play store to install apps necessitates both sharing personal information with Google and enabling Google to remotely remove apps from your device (colloquially referred to as having a ‘kill switch’). Using the Play store also requires a functional data connection (wifi or otherwise) to allow apps to be downloaded. Often there is a need to quickly bootstrap users during training sessions in countries with unreliable/restricted data connectivity, or in extreme cases, no internet connectivity at all.

Your own private dropbox with free software

Tue, 12 Nov 2013 12:50:23 -0400

There are lots of file storage and sharing software packages out there that make it easy for a group of people to share files. Dropbox is perhaps the most well known of the group, it provides an easy way for a group of people to share files. The downside of Dropbox is that it is not a private service, just like any cloud-based service. Dropbox has total access to your files that you store there. That means its likely that the NSA and its collaborators do too.

Setting up your own app store with F-Droid

Tue, 05 Nov 2013 11:55:43 -0400

(This blog post as now been cooked into an updated HOWTO)

The Google Play Store for Android is not available in all parts of the world, US law restricts its use in certain countries like Iran, and many countries block access to the Play Store, like China. Also, the Google Play Store tracks all user actions, reporting back to Google what apps have been installed and also run on the phone. Because of the NSA leaks, we’re seeing that governments are actively tapping into the raw data streams of Google, Yahoo, and others. So that means the information the Google Play Store sends back to Google is also intercepted by the NSA (and probably other country’s agencies), and that information is shared with other governments. In other words, your activity on the Google Play Store is far from private. Lastly, the Google Play Store is not free software, unlike the core of Android itself. It is proprietary software that Google entirely controls.

Issues when distributing software

Thu, 31 Oct 2013 15:51:19 -0400

There is currently a discussion underway on the Debian-security list about adding TLS and Tor functionality to the official repositories (repos) of Debian packages that is highlighting how we need to update how we think about the risks when distributing software. Mostly, we are used to thinking about making sure that the software that the user is installing is the same exact software that has been posted for distribution. This is generally handled by signing the software package, then verifying that signature on the user’s machine. This is how it works on Mac OS X, Windows, Debian, etc. etc.

ChatSecure v12 Provides Comprehensive Mobile Security and a Whole New Look

Thu, 24 Oct 2013 01:50:13 -0400

ChatSecure v12 Provides Comprehensive Mobile Security and a Whole New Look

The Guardian Project’s award-winning open-source app “Gibberbot” for Android, has been rebranded to “ChatSecure” for its version 12 release, unifying the branding with the iPhone and iPad apps, while offering major updates in security from the device through the network.

Download on Google Play or Direct Download now.

October 20, New York, NY – The Guardian Project, a New York-based open-source mobile security incubator, has launched version 12 of its well-regarded secure messaging app for Android, rebranding it to “ChatSecure” to unify branding with existing open-source iPhone and iPad apps. The new upgrade brings an entirely new fluid user interface, and unprecedented security features for users looking to protect their message content (what they are saying) and their metadata (who, why and where) from malicious adversaries and apps, hostile network operators, and dragnet surveillance. It is completely open-source, utilizes interoperable protocols, and has undergone third-party security audits and code reviews.

Open Office Hours Every Friday This Fall

Wed, 16 Oct 2013 16:51:36 -0400

Fri, Oct 18, 1:00 PM EDT – 3:00 PM

Members of the Guardian Project will be hosting weekly public hangouts every Friday for the rest of year to answer questions about our apps (Orbot, Orweb, ChatSecure), building on our mobile security libraries (IOCipher, SQLCipher, NetCipher) and using services like OStel (including how to run your own secure phone service!).

      <p>
        We will also be live in IRC on Freenode at <a href="https://plus.google.com/s/%23guardianproject">#guardianproject</a>  as always for those of you who don’t feel the need to be on camera.
      </p>
      
      <p>
        Sound fun? You betcha it will be. This will be the <b>first</b> event on Friday, so please come and join. <a href="https://guardianproject.info/" rel="nofollow">https://guardianproject.info</a>
      </p>
    </div>
    
    <div>
      For EU, Africa, Asia: We’ll have some early sessions in the coming weeks. This is just our first test run. Thanks for understanding!
    </div>
    
    <div>
    </div>
    
    <div>
      <strong>Fri, Oct 18, 1:00 PM EDT – 3:00 PM</strong>
    </div>
    
    <div>
      RSVP the Google+ Event today: <a href="https://plus.google.com/events/cumq8tucoc31ap55iqdn7pq9abs">https://plus.google.com/events/cumq8tucoc31ap55iqdn7pq9abs</a> or we’ll just see you on IRC.
    </div>
  </div>
</div>

Gibberbot’s “ChatSecure” MakeOver: Almost Done!

Fri, 20 Sep 2013 17:19:54 -0400

In a previous post with the mouthful of a title “Modernizing Expectations for the Nouveau Secure Mobile Messaging Movement”, I spoke about all of the necessary security features a modern mobile messaging app should have. These include encrypted local storage, end-to-end verifiable encryption over the network, certificate pinning for server connections and a variety of other features. I am VERY happy to report that the latest v12 beta release of the project formerly known as Gibberbot, now called ChatSecure, has all of the features described in that post implemented. From a feature perspective, it is the most security mobile messaging app ever. We also hope that in reality, in practice, it also is, as we have spent a great deal of effort on security code audits, penetration testing, and responding to the outcomes of those effort, to further harden our app.

Keeping data private means it must be truly deletable!

Fri, 23 Aug 2013 17:36:49 -0400

There are lots of apps these days that promise to keep your data secure, and even some that promise to wipe away private information mere seconds or minutes after it has been received. It is one thing to keep data out of view from people you don’t want seeing it, it is also important to be able to truly delete information. Unfortunately computers make it very difficult to make data truly disappear. When we tell a computer to delete a file, it only deletes the reference to the data. The data itself remains on the disk unchanged. For any UNIX geek out there, you can easily see an example of that by greping a partition (e.g. sudo grep password /dev/sda3. To solve this problem, there are “secure delete” options. Secure deletion removes the reference like regular deletion, then wipes the data on the disk by overwriting it with random data. That’s much better, but not always good enough. It turns out that its possible to remove the hard disk and read magnetic residue and recover even wiped data.

Orweb Security Advisory: Possible IP leakage with HTML5 video/audio

Wed, 21 Aug 2013 16:15:36 -0400

The Orweb browser app is vulnerable to leak the actual IP of the device it is on, if it loads a page with HTML5 video or audio tags on them, and those tags are set to auto-start or display a poster frame. On some versions of Android, the video and audio player start/load events happen without the user requesting anything, and the request to the URL for the media src or through image poster is made outside of the proxy settings.

Orbot v12 now in beta

Wed, 24 Jul 2013 12:32:45 -0400

After much too long, we’ve got a new build of Orbot out, and it is… a stable beta! Nothing radically new here, just many small changes to continue to improve the experience of our hundreds of thousands of active users out in the world. There will likely be one or two more “beta” releases to iron out small issues in v12, but for now, this one is good to go.

Jitsi, ostel.co and ISP censorship

Mon, 22 Jul 2013 15:33:44 -0400

Earlier last week n8fr8 suspected something changed on the ostel.co server, due to many users emailing support specifically about Jitsi connectivity to ostel.co. The common question was “why did it work a few weeks ago and now it doesn’t anymore?”

The tl;dr follows, skip to keyword CONCLUSION to hear only the punch line.

To support n8fr8’s hypothesis, there was a small change to the server but I wan’t convinced it effected anything since all my clients continued to work properly, including Jitsi. Obviously something had changed but none of us knew what it was. After some testing we discovered the problem was related to insecure connections from Jitsi to UDP port 5060 on ostel.co. Secure connections (on TCP port 5061) continued to work as expected.

Our Newest App: PixelKnot

Thu, 18 Jul 2013 13:14:49 -0400

Have you ever hidden in plain sight? Worn camouflage in the woods or an invisibility cloak in a narrow crooked alley? It’s really hard to do properly. We’re hoping that all changes with PixelKnot.

PixelKnot is an app for hiding secret messages in pictures. Sort of like invisible ink on the back of a painting, updated to the present. The ancient art known as steganography, now updated for the 21st century and requiring a more rigorous set of safety standards.

Modernizing Expectations for the Nouveau Secure Mobile Messaging Movement

Tue, 16 Jul 2013 00:52:31 -0400

The tl;dr of this lengthy (tho entertaining and immensely important!) post is this: Stopping with “We support OTR” or “We support PGP” is not enough anymore. There are at least seven, if not more, very important security features that any app claiming to provide secure messaging must implement as soon as possible, to truly safeguard a user’s communication content, metadata and identity.

Note: The names “Gibberbot” and “ChatSecure” are used interchangeabley below, as we are in the midst of an app rebrand. Apologies!

Building, Securing, and Anonymizing Android Apps

Fri, 05 Jul 2013 13:02:37 -0400

Calling all Android devs:

Tuesday, July 9, 2013 - 12:30 PM to 1:30 PM

  <li>
    <div>
      Live on the web: <a title="Livestream Pivotal" href="http://www.livestream.com/pivotallabs" target="_blank">livestream</a>
    </div>
  </li>
  
  <li id="event-where" data-id="1561918" data-name="Pivotal Labs" data-address="841 Broadway, 8th Floor, New York, NY">
    <div>
      <div id="event-where-display" itemprop="location" itemscope="" itemtype="http://schema.org/Place">
        Live in person (with <a title="Pivotal RSVP" href="m&#x61;&#x69;l&#116;&#x6f;:&#105;&#x6e;&#x66;o&#x40;&#x67;u&#97;&#x72;d&#105;&#x61;&#x6e;p&#x72;&#x6f;j&#101;&#x63;t&#46;&#x69;&#x6e;f&#x6f;" target="_blank">RSVP</a>) <a title="" href="http://maps.google.com/maps?q=841+Broadway%2C+8th+Floor%2C+New+York%2C+NY" target="_blank">Pivotal Labs </a>841 Broadway, 8th Floor, New York, NY (<a href="http://maps.google.com/maps?q=841+Broadway%2C+8th+Floor%2C+New+York%2C+NY" target="_blank">map</a>)
      </div>
    </div>
  </li>
</ul>

Please join us for lunch and crypto-talk with Hans-Christoph Steiner of the Guardian Project. Hans will talk about the how and why of building secure mobile applications that keep the user's data encrypted and hidden from prying eyes. We'll have a few short presentations on tools like SQLCipher, IOCipher, and NetCipher and how they can be used in modern applications. We'll answer questions about general strategies and specific toolkits that we've created.

A Weather Report On Security

Fri, 14 Jun 2013 13:22:28 -0400

How’s the weather outside? Sunny with a chance of IP blocking.

We recently launched a new initiative we’re calling: The Weather Repo. The goal of the project is for organizations to have a more accurate method of understanding whether the apps they’re using are “safe”. It’s hard to know whether apps that claim to be secure really are. Have they been vetted by a third party? Are there existing case studies? Has a threat analysis been performed?

Carrier Grade, Verizon and the NSA

Wed, 12 Jun 2013 06:38:46 -0400

Last week Glenn Greenwald at The Guardian broke the news that Verizon has been providing the NSA with metadata about all of the calls over a subsidiary’s network. This subsidiary is called Verizon Business Network Services. It is a privately held company that “owns, operates, monitors, and maintains data and Internet networks in North America, Europe, Asia, Latin America, Australia, Japan, and Africa. The company provides converged communication solutions, such as local and long-distance voice, messaging, and Internet access services.” It is likely this company owns equipment that holds caller detail records for millions of customers. The order used section 215 of The Patriot Act, which allows the FBI to order any person or entity to turn over “any tangible things,” so long as the FBI “specif[ies]” that the order is “for an authorized investigation . . . to protect against international terrorism or clandestine intelligence activities.” The “tangible things” could have been the physical servers or hard disks that store the logged details.

The Only Way to Visit Strongbox on a Phone

Thu, 16 May 2013 17:43:06 -0400

The New Yorker magazine just launched Strongbox, a whistleblower submission system that’s hosted on a hidden website. There’s only one way to access the hidden site on a phone or tablet, and that’s with our Orweb app. Here’s a simple breakdown of how to do securely and anonymously blow the whistle, explained in an interactive tutorial:

Visit guardianproject.info/howto/strongbox for an interactive tutorial on using Strongbox on your phone.

GnuPG for Android progress: we have an command line app!

Thu, 09 May 2013 10:48:52 -0400

This alpha release of our command-line developer tool brings GnuPG to Android for the first time!

GNU Privacy Guard Command-Line (gpgcli) gives you command line access to the entire GnuPG suite of encryption software. GPG is GNU’s tool for end-to-end secure communication and encrypted data storage. This trusted protocol is the free software alternative to PGP. GnuPG 2.1 is the new modularized version of GnuPG that now supports OpenPGP and S/MIME.

Security Awareness Party

Fri, 26 Apr 2013 09:05:36 -0400

In the security world, there’s a pesky belief that a tool can either be secure or easy to use, but not both. Some experts also argue that training people to be safe online is too hard and doesn’t accomplish much (see Bruce Schneier’s recent post Security Awareness Training). Without a thoughtful approach, that’s usually how it plays out. But it doesn’t have to be that way! We’re committed to making online security fun to learn and fun to use, and we’re launching a new series of interactive tutorials to make it happen. Consider this post an invitation to our festive Security Awareness Party. Beer is encouraged, especially if it comes from an Android-powered kegbot.

Gibberbot v11 is not just secure, its also simple, snappy and super fun!

Fri, 08 Mar 2013 12:54:50 -0400

Gibberbot v11 is now final as of RC3 release: https://github.com/guardianproject/Gibberbot/tree/0.0.11-RC3. From here, the only changes to v11 we will be making will be critical bug fixes. We are now focused on our v12 release, which you can track here: https://dev.guardianproject.info/versions/39

Please promote our new Gibberbot how-to interactive tutorial available here: https://guardianproject.info/howto/chatsecurely/

If you have been tracking our efforts here for the last few years, you will know that Gibberbot, our secure instant messaging app, started out as a big old mess of an app called “ORChat” as and then “OTRChat” and then “Gibber” (or “Jibber”?), and then finally settled down into the name and app it is known as now. Really it was a proof of concept, showing that you could indeed use the OTR4J library built for desktops app, on Android.

Lower Bounds of The Narrow Bands

Fri, 22 Feb 2013 09:05:48 -0400

Voice is becoming a standard feature of any messaging app on mobile phones, in various forms using many different protocols. There’s the old guard, whom I will refer to as “Skype”. Some tough questions have been thrown their way by many groups who support a free Internet. There’s Google Voice, which is not really VoIP. Apple is playing around in the hedge maze inside their walled garden with iChat. There’s also Facebook, who is rolling out voice calling in Canada and the USA in their Messenger app on iOS.

IOCipher beta: easy encrypted file storage for your Android app

Thu, 07 Feb 2013 14:45:28 -0400

At long last, we are proud to announce the first beta release of IOCipher, an easy framework for providing virtual encrypted disks for Android apps.

does not require root or any special permissions at all
the API is a drop-in replacement for the standard java.io.File API, so if you have ever worked with files in Java, you already know how to use IOCipher
works easiest in an app that stores all files in IOCipher, but using standard java.io with IOCipher is possible
supports android-7 v2.1 and above
licensed under the LGPL v3+

You can download it here:

report on IOCipher beta dev sprint

Thu, 31 Jan 2013 19:45:44 -0400

We are just wrapping up an intensive dev sprint on IOCipher in order to get the first real beta release out, and it has been a wonderfully productive session on many levels! Before we started this, we had a proof-of-concept project that was crashy and ridiculously slow. We’re talking crashes every 100 or so transactions and 9 minutes to write 2 megs. Abel and I were plodding thru the bugs, trying to find the motivation to dive into the hard problems in the guts of some of the more arcane parts of the code. Aaron Huttner of Gryphn found IOCipher while developing their Gryphn Secure Text Messaging and thought it was a remarkable easy way to add encrypted storage of files, and it worked quickly for him, so he included it his app before we had even announced an alpha release (thanks again for the vote of confidence!).

Mumble and the Bandwidth – Anonymous CB radio with Mumble and Tor

Thu, 31 Jan 2013 02:05:50 -0400

The journey towards anonymous and secure voice communication is a long one. There’s lots of roadblocks to get your voice from point A to point B over the Internet if you need to prevent eavesdropping or censorship. There is the limited bandwidth of mobile data connections. There is the high latency of the TCP protocol. To achieve anonymity via Tor, there’s even more latency added to each packet.

InformaCam wins Knight News Challenge

Sun, 27 Jan 2013 08:11:56 -0400

WITNESS and The Guardian Project, the mobile security and app development experts, have just been awarded a Knight News Challenge grant from the John S. and James L. Knight Foundation for InformaCam – the first app seeking to address issues of authentication for digital media. In total, the funding was for ~$320,000 USD, with about one third of the funding going directly to software development and testing. The rest of the funding will be applied to deployment, partnerships, awareness building, and all the other necessary things you must do to turn a “great idea” into something with real adoption and use.

Voice over Tor?

Mon, 10 Dec 2012 11:00:03 -0400

Voice calls over Tor are supposed to be impossible. It seems this may no longer be the case.

Without being able to do voice over IP (VOIP) conversations over the Tor network, people are prevented from being able to route calls outside of censored networks. People ask us if there is any way they can route voice traffic through Tor to avoid blocks. To our surprise, we tested Skype and found that it can work acceptably over Orbot.

Proposal for Secure Connection Notification on Android

Thu, 15 Nov 2012 10:07:49 -0400

A major problem of mobile applications being increasingly used over web-based applications, is that there is no standard established for notifying the user of the state of security on the network connection. With a web browser, the evolution of the “lock” icon when an HTTPS connection is made, has been one that evolved originally out of Netscape’s first implementation, to an adhoc, defact industry-standard way of letting the user know if their connection is secure. Beyond just a binary on/off, the lock icon is also the entry point into viewing more information about the digital security tokens, keys and certificates that are powering the connection – who authorized them, who requested them, and so on. More recently, with browsers such as Chrome, there has been the user of color schemes (Green is good, Red is bad), verified domain display and other indicators to help ensure the user knows when to trust their connection, and when to be wary.

Orbot v11 is out!

Fri, 26 Oct 2012 06:37:23 -0400

After previous fits and starts, we’ve stabilized Orbot v11 now with the RC6 release. Our core testers and public users via the Google Play distribution are back to happy and stable states of being.

The latest version can be found:

In Google Play:
https://play.google.com/store/apps/details?id=org.torproject.android
In our F-Droid repo:
https://guardianproject.info/2012/03/15/our-new-f-droid-app-repository/
Our via direct APK here:
https://guardianproject.info/releases/Orbot-release-0.2.3.23-rc-1.0.11-RC6.apk
(.asc)

As always you can file bugs on trac.torproject.org or the guardian
tracker: https://dev.guardianproject.info/projects/orbot/issues/new

ToFU/PoP in your Android App! (a.k.a. extending Orlib to communicate over Tor)

Thu, 20 Sep 2012 15:17:36 -0400

In doing my research for InformaCam, I learned a couple of neat tricks for getting an app to communicate over Tor. Here’s a how-to for app developers to use depending on your threat model, and how you have your web server set-up. Enjoy, and please post your comments/questions/suggestions below…

Before we begin…

You’re going to need some basic stuff up-and-running for this to work. Before you get coding, make sure you have the following:

Sometimes the best solution is a library, not an app

Mon, 27 Aug 2012 12:30:15 -0400

Our general approach to software development starts with surveying existing solutions that are available and in use, to see if there is already enough of an ecosystem or whether we need to seed that. When there is already an adundance of tools and apps out there, we work to find the good ones, provide feedback and auditing, and then build apps and tools to fill in any gaps. For example, this was our approach in the Open Secure Telephony Network.

From #HOPE9: Your Cell Phone Is Covered in Spiders! – Practical Android Security

Thu, 19 Jul 2012 14:53:21 -0400

Cooperq gave a great talk on Android security late Saturday night at the recent Hackers on Planet Earth Number 9 aka Hope9 gathering. You can find the slides/src on Github and video up on Vimeo. Cooper wrote some notes, as well:

This talk was given at hope 9. Please feel free to give it yourself, repourpose it, add to it or do whatever you want. I release this talk to the public domain. I have included here some additional resources that are worth checking out.

Threats and Usability of Secure Voice

Tue, 10 Jul 2012 12:48:18 -0400

In my previous post I found that end-to-end encryption with OSTN is both effective and usable. There are two important things the user must be aware of when using OSTN. They must confirm with each phone call that the encryption icon is present and they must correctly complete SAS verification dialog boxes. So on a basic level, encrypted voice just works. But, what does this all mean? This post looks at the threats to security and usability of encrypted ZRTP phone calls in CSipSimple.

A Network Analysis of Encrypted Voice over OSTN

Thu, 05 Jul 2012 14:23:50 -0400

Introduction to OSTN

The OSTN network stands for Open Source Telephony Network. It is a federated network standard for supporting Internet calling with end-to-end encryption ala ZRTP. Its very similar to e-mail in that VOIP calls can be routed to addresses such as user@domain.tld. Its a simple concept, but I believe it to be ground breaking implementation! Never before have I seen such an accessible solution to encrypted VOIP calls. OSTN is platform independent, is a federated network, and it is an open standard such that it is widely adoptable. There are two main components that are required to use OSTN with encryption: a VOIP client that supports ZRTP for end-to-end encryption and user account with an OSTN provider.

Our Research

Tue, 03 Jul 2012 11:48:40 -0400

You can track our latest work on our public research wiki located at https://guardianproject.info/wiki or through the links below.

EVENTS

Head to the Events page for a full list of past and future events that we’ll be attending or featured at.

RESEARCH & DEVELOPMENT

In addition to our open software development projects, we’re actively engaged in a number of research projects focused on critical unsolved mobile security problems. Solving these problems with freely available, open source software has the potential to greatly benefit activists, human rights defenders and journalists worldwide.

Freebird Flys High

Thu, 28 Jun 2012 11:59:38 -0400

Freebird: Rio group picture via Obscuracam for Android

What happens when you gather coders with privacy and security activists from around the world? Freebird!

We held a simultaneous event in NYC and Rio, a one-day barcamp aimed to empower users to be more informed and engaged around their use of mobile technology, while engaging with developers to promote interest in open-source tools, security and privacy. Freebird was a pre-event for RightsCon:Rio, which allowed us to continue and extend conversations and ideas into the larger context of information technologies and human rights.

Orbot Data Tax (Updated!)

Wed, 20 Jun 2012 13:05:53 -0400

Update (6/26/12): I Found Orbot to have lower idle usage then previously recorded. The post now reflects the new statistics. The previous stats were based on idle usage at 92 bytes/s

There have been many inquiries about the cost of Orbot’s data usage. I ran five different tests to record the types of data tax a user might encounter. Heavy usage of Orbot combined with a low monthly data allotment could be an issue.

Auditing Twitter With Orbot

Wed, 13 Jun 2012 20:31:57 -0400

Twitter’s new Android application provides a proxy option that supports Orbot. It is a great way to access Twitter, particularly if Twitter is blocked. Check out the Orbot Your Twitter blog post! That post explains how to set up Orbot with Twitter, however, it came with an important disclaimer:

WARNING AND DISCLAIMER: Twitter for Android is proprietary, closed-source software. Details of the implementation of proxy support have not been publicly disclosed or audited by a third-party at this time. In particular, resolution of hostnames via DNS may not be properly routed through Tor (this is a common issue with proxied software). In addition, through other permissions that Twitter for Android may have you on your device, there may be a strong ability to correlate identity between your registered Google Account and your activities on Twitter.

A Partnership for Open Secure Mobile Messaging between iOS and Android

Fri, 08 Jun 2012 12:05:34 -0400

**We believe in protocols, not products. We believe in partnerships, not proprietary fiefdoms. We believe in building a community of collaborators, not a cacophony of criticism and unnecessary competition. We believe in practical solutions to perilous problems. **

With all of this in mind, we are very happy to announce our partnership and support of the ChatSecure for iOS open-source free software project. Through our our two year history, we have been lucky to receive support from a variety of donors and funders, and we are now using what influence and opportunities we have to endorse other projects that we feel are compatible with our outlook and goals.

OSTN secure VoIP wizard now built into CSipSimple for Android

Sat, 26 May 2012 21:14:52 -0400

If you saw our last post about how to

setup your own secure voice-over-IP server instance, then this news is for you.

If you are an Android user looking for the best open-source VoIP app, and really need one that can support secure communications, then this post is ALSO for you.

CSipSimple, the previously mentioned “best VoIP app”, now includes a wizard for setting up an account configuration for any server which complies with our Open Secure Telephony Network specification. In short, this means it uses TLS or SSL to secure the SIP signaling traffic, and supports proxying of the RTP media streams for the actual voice or video calls, without in any way interfering with the ZRTP encryption passing through it.

Build your own Open Secure Telephony Network, some assembly required

Thu, 17 May 2012 17:13:39 -0400

The Open Secure Telephony Network is a standard that defines how to configure a VoIP softswitch with the capability to have secure two-way VoIP conversations if both parties are using the same server. The system requires both backend and frontend components, which makes OSTN is a little different than some of the other Guardian apps. Unlike Gibberbot, there are few public SIP services that support secure signalling for a mobile app to connect with. Notably

Tanstagi.net offers free accounts. But it’s more fun to run your own.

IOCipher lives! encrypted virtual file system for Android

Thu, 17 May 2012 16:44:35 -0400

Nathan and I just got the first complete test of IOCipher working in the IOCipherServer/SpotSync app. We created a filesystem sqlite.db file, then mounted it and got all the files via HTTP. In the test suite, I have lots of operations all running fine and encrypting! The core idea here is a java.io API replacement that transparently writes to an encrypted store. So for the most part, just change your import statements from:

Bye, bye, BBM! Facebook Allows Verifiable Encrypted Mobile Messaging for Android and iOS; Mobile Revenue Threatened?

Wed, 16 May 2012 17:28:03 -0400

Yes, yes, we are trying to get in on all of the Facebook pre-IPO buzz. Fortunately, the headline is true – through

Facebook’s support for open-standards messaging, our secure mobile messaging app, Gibberbot for Android, can be used to communicate securely with any other friend on Facebook who is ALSO using a secure messaging app. Whether it is Gibberbot, ChatSecure for iOS, Adium (Mac), Pidgin (Windows/Linux), or one of the many secure messaging apps that support the Off-the-Record encryption capability, Facebook allows encrypted messaging between mobile and desktops alike.

Cross-Domain calling, or “toll-free long distance VoIP”

Fri, 04 May 2012 17:34:30 -0400

In a standard OSTN configuration, the Fully Qualified Domain Name (FQDN) of the server running Freeswitch is a core dependency to operate the service. For example, the domain ostel.me was first configured as a DNS record, a server was bootstrapped with ostel.me as the local hostname and a Freeswitch cookbook was run using the Chef automation system. Because the domain was configured both in DNS and locally, the cookbook has enough information to automatically build an operational OSTN node.

Orbot Your Twitter!

Wed, 02 May 2012 17:19:27 -0400

In some ways, Twitter is the perfect application to run over the Tor network. It works with small bits of data, it is asynchronous, works naturally in a “store and forward” queue model, and in general, has a decent amount of default security built-in through HTTP/S support and OAuth. Compared to the problem-child of the open web, which often involves large websites, streaming video, flash embeds, and malicious javascript, Twitter is a nearly perfect candidate for use over a secure, anonymous (but sometimes high latency) network. Add to the fact that Twitter is often blocked or monitored in many countrieswho do not care for free speech and human rights, and it becomes almost a necessity that you use it with a service like Tor.

Mobile mesh in a real world test

Wed, 02 May 2012 15:37:37 -0400

Nathan, Mark, Lee, and I tried some OLSR mesh testing during the May Day protests and marches. We were able to get 4 devices to associate and mesh together, but not without some trials and travails. Two pairs of devices setup two separate BSSIDs, so were on separate networks. We turned them all off, then associated them one at a time, and then they all got onto the same BSSID and olsrd started doing its thing. This made us think that we should just use a hard-coded BSSID in the setup, with a preference to allow standard ad-hoc association to find a BSSID.

Singing and Dancing for Encryption

Thu, 19 Apr 2012 09:30:48 -0400

If you see me dancing or singing with my phone in my hand, I may not just be having a great time, but also creating an encryption key. Part of the issue with security is that it can often be difficult to implement or an added step in what users want to be an easy and seamless process. What if we can make secure and private communications fun and easy?

User scenarios to guide our crypto development

Sat, 14 Apr 2012 20:16:03 -0400

At Guardian Project, we find user-centered development to be essential to producing useful software that addresses real world needs. To drive this, we work with user stories and scenarios as part of the process of developing software. One particular development focus is the Portable Shared Security Token (PSST) project, which aims to make it easy to use encryption across both mobile and desktop computers, as well as keep the stores of cryptographic identities (i.e. trusted keys, certificates, etc) in sync between devices.

How We Help

Tue, 10 Apr 2012 00:00:00 +0000

While we think that a secure, privacy-enhanced mobile phone is a good thing for just about anybody going about their daily lives, we like to also consider the extreme cases, where this technology might change the course of someones life.

The Economist covered our work with WITNESS on Secure Smart Cameras, and the “Future of Protest Video”.

Below are a few ideas of how Guardian phones might be used in the real world.

Transparent encrypted virtual disks for Android (we call it IOCipher)

Tue, 03 Apr 2012 13:16:41 -0400

When using phones, laptops, computers, etc. it feels like a private experience, as if our screen was the same as a piece of paper, and when that paper is gone, then no one can see it anymore. Digital media works very differently. While the user interface portrays the deletion of files as very final, for someone with the right tools, it is actually not hard to recover deleted files. Also, digital information takes up so little space, we now regularly carry vast amounts of information in our pockets. Our phones have become amazingly powerful computers, storing as many photos, videos, documents, etc. in our pockets as would have required a room not so long ago. So when you lose this phone, or it gets stolen, or accessed against your wishes, the lies of the interface are laid bare, and vast troves of your information is now in someone else’s hands. So how can we capitalize on all this power without giving up control of our information?

Knight News funding of SecureSmartCam = a #WIN for open-source mobile security

Thu, 29 Mar 2012 12:07:47 -0400

Along with our partner WITNESS, we’ve entered our SecureSmartCam project into the Knight News Challenge, and we need your support to get to the next round.

Here’s a bit more about the challenge:

The Knight News Challenge, an international media innovation contest, is evolving – and will be offered three times, with three different topics. The first challenge will be centered on networks, and will accept applications Feb. 27 – March 17. The Networks challenge round seeks projects that use the best of existing software and platforms – those already integrated into people’s lives – to find new ways to convey news and information.

Call My Email

Thu, 22 Mar 2012 16:31:45 -0400

What if you could call me directly through my email? No exchanging of phone numbers or searching for handles on Skype. Just plain and simple email. Now what if we can make that phone call as secure as it is easy. That’s the goal of what we’re doing here at Open Secure Telephony Network (OSTN).

Acrobits Groundwire – OSTN supports iPhone

Wed, 21 Mar 2012 09:09:21 -0400

The Guardian Project develops open source software primarily for the Android platform but we strive for security by design to be a part of all platforms. With OSTN, there are two major components. The the first is the server, which operates as the primary user directory and call switch. The other is the client, which is the program you interact with to send and receive calls.

While the Apple App Store forbids distribution of GPL licensed software from their service, the underlying protocols used by OSTN are open, so even iPhone developers may implement them in a proprietary client application without breaking any intellectual property laws.

On Verifying Identity Using Cryptography

Mon, 19 Mar 2012 11:27:51 -0400

One of the most important uses of cryptography these days is verifying the identity of the other side of a digital conversation. That conversation could be between two people using OTR-encrypted IM, a web browser showing a bank website, a Debian Developer uploading a package to the Debian build server, an ssh client logging into an ssh server, and on and on. In all of these cases, cryptography is used to ensure that the software is indeed receiving replies from the expected entity. This happens by checking the current cryptographic key against one that is known to be correct. That is essential to the whole process. If you see the key for the first time, you have no way of knowing whether that is indeed the key you are expecting because there is no point of reference.

Adventures in Porting: GnuPG 2.1.x to Android!

Thu, 15 Mar 2012 13:00:30 -0400

PGP started with Phil Zimmerman’s Pretty Good Privacy, which is now turned into an open IETF standard known as OpenPGP. These days, the reference OpenPGP platform seems to be GnuPG: its used by Debian and all its derivatives in the OS itself for verifying packages and more. It is also at the core of all Debian development work, allowing the very diffuse body of Debian, Ubuntu, etc developers to communicate and share work effectively while maintaining a high level of security. It is also used for email encryption in Thunderbird + Enigmail, Apple Mail + GPGMail, GNOME Evolution, KDE KMail, Microsoft Outlook + Gpg4win.

Our new F-Droid App Repository (out of date!)

Thu, 15 Mar 2012 01:27:43 -0400

Update: this blog post has been changed to reference our new FDroid repository at https://guardianproject.info/fdroid. If you are still using the old one originally described here which has the URL https://guardianproject.info/repo, you should switch to the new repo as soon as possible!

For all of you out there looking for a safe way to find and download apps outside of the Play Store (aka Android Market) or random, sketchy third-party app stores and file sharing sites, then your wait is over:

VoIP Survey Results of NGOs, Human Rights Groups and Activists

Wed, 07 Mar 2012 18:58:29 -0400

In November 2011, 25 individuals were surveyed using an online form, representing typical end-users, global journalists, activist and human rights organization perspectives (Thank you to all the participants!). The goal of the survey was to establish a baseline understanding of the types of tools and expectations our target user community has around making “telephone calls” over the internet, otherwise known as Voice over Internet Protocol (VoIP).

This survey is part of our work on the Open Secure Telephony Net (OSTN). In summary, we believe there is too great a reliance upon closed systems, proprietary protocols, and expensive commercial solutions, among the very people and groups who need a verifiable secure system based on free software. While using GPG for email, or OTR-encryption for chat have become somewhat standards go-tos for these groups, there has not been the same progress made on the secure voice front. OSTN aims to change that, but before we can, we need to understand where our target user community stand today.

ObscuraCam v2 ALPHA (with video!)

Fri, 02 Mar 2012 12:20:34 -0400

We’ve been making exciting progress with our work on ObscuraCam, part of the SecureSmartCam project with our partner WITNESS. The biggest jump forward is the addition of video support, including automated face detection, pixelization and redaction.

Screenshots below, and soon a video below (also at: http://youtu.be/9hi4c_DCrkw)

Source code branch is here: https://github.com/guardianproject/securesmartcam/tree/obscurav2

Latest ALPHA test build at: https://github.com/guardianproject/SecureSmartCam/ObscuraCam-2.0-Alpha-2.apk/qr_code

How many ways to store 5 numbers?

Thu, 23 Feb 2012 12:29:49 -0400

At the core of all software that aims to be secure, private and anonymous is encryption, or as I think of it, amazing math tricks with really large numbers. These really large numbers can serve as a token of identity or the key to information locked away behind the encryption math. There are a number of different encryption methods commonly used based on different mathematical ideas, but they all rely on people managing sets of really large numbers, usually known as keys.

Free SIP Providers with ZRTP support

Wed, 22 Feb 2012 19:10:11 -0400

This post is part of a series on our work researching the Open Secure Telephony Network. After you have CSipSimple installed on your mobile handset, you will need a place to register a SIP username so you can contact others. The fastest way to get started with this is to use one of a handful of free SIP providers. I like the Ekiga free SIP service.

Open Source SIP Client for Android

Wed, 22 Feb 2012 16:12:25 -0400

The first step in the Open Secure Telephony Network (OSTN) is a client. We can’t make a phone call without a phone. In this case there are three primary goals and a number of optional features. The primary goal is an application which speaks the SIP protocol for signalling. It must also speak the ZRTP protocol for peer to peer encryption key exchange. Finally the client must have source code freely available with a license that allows free redistribution.

Open Secure Telephony Network

Wed, 22 Feb 2012 15:39:26 -0400

Over the last two months, I have been working on a project to research and develop a set of tools to provide secure peer to peer Voice over IP on the Android mobile platform. It is called the Open Secure Telephony Network, or OSTN. This work is done under the umbrella of The Guardian Project.

this is not the type of “open” we mean, and definitely not secure

February 2012: Project Update

Thu, 09 Feb 2012 17:19:06 -0400

Through coordination with the Tor Project, we released Orbot 1.0.7, which includes an embedded version of OpenSSL to assure we have the latest security enhancements for this critical cryptographic library. In addition, compatibility testing was done on Android 4.0 (Ice Cream Sandwich) and with the latest versions of Firefox Mobile. As always you can learn more and download Orbot in the Android Market and at https://guardianproject.info/apps/orbot

With the public awareness of internet censorship and surveillence growing thanks to SOPA, PIPA and CarrierIQ, not to mention the ongoing unrest in many regions if the world, we have seen a huge spike in interest and download of Orbot, Orweb and Gibberbot. Here are some notable links:
http://mobileactive.org/howtos/user-guide-to-orbot
http://www.chinagfw.org/2012/01/orbot-tor.html
http://geeknews.cz/orbot-svobodnejsi-brouzdani-pro-android/352/
http://www.101hacker.com/2012/01/10-must-have-free-android-apps.html

Introducing InformaCam

Fri, 20 Jan 2012 13:58:26 -0400

These are interesting times, if you go by Times Magazine as an indicator. The magazine’s person of the year for 2011 was The Protester, preceded in 2010 by Facebook founder Mark Zuckerberg. Both entities partners with equal stake in freely sharing the digital content that shows the world what’s going on in it, at any time, from behind any pair of eyes. Also casting in their lot with the others is Time Magazine’s 2006 person of the year, You: the You that puts the “you” in “user-generated content;” the You whose miasma of bits, bytes, and the powerful images they express are becoming increasingly problematic. Problematic and exciting. As governments, police forces, and other power players here and abroad crack down on voices of dissent, it is only You, The Protester, armed not with a press pass, but with a smartphone and a Twitter account, who brings the rest of the world its news. You do it mainly without either the support or permission of those in power, and this makes you a very important person in the world.

Strong Mobile Passwords with Yubikey USB Token

Wed, 04 Jan 2012 00:45:43 -0400

We have been experimenting with the Yubikey, a USB hardware password token, a bit over the last few weeks and would like to share our initial findings. We have not received any financial support or donation from Yubico for this work. We simply think they have a very affordable, interesting product that, due to its design, does *not* require any on-device driver software and can easily work with any Android device that supports USB Host/HID mode.

Thoughts on Mobile Video for Activism

Thu, 22 Dec 2011 16:39:43 -0400

I’ve co-written a blog post with Bryan Nunez of WITNESS, on some important concepts around using mobile video technology within activists and protest situations. It is up now on their blog, but here is a short excerpt:

Activists all over the world have turned to mobile phones to organize, coordinate and document their struggle. Images and videos shot on mobile phones have been the standard for what revolution looks like in the public imagination. We have seen iconic moments, captured in low resolution on mobile phones, captivate global audiences. We have moved from a handful of grainy clips uploaded hours or days after events unfold, to multiple livestreams, showing different angles on something happening right now. The Arab Spring, the #Occupy Movement, as well less politicized events like the London and Vancouver riots have shown us that the mobile phone is the recording device used to document the next breaking news story, especially if that story involves any sort of protest or activism.

SQLCipher for Android v1 FINAL!

Tue, 29 Nov 2011 18:17:47 -0400

Team GP along with the good folks at Zetetic, are happy to announce that we have reached FINAL on our first release (“v1” 0.0.6 build) of SQLCipher for Android. This means we consider this a production release, ready for shipping with your apps to provide for reliable, open-source, secure application data encryption.

If you need a refresher, here is what the cross-platform, open-source SQLCipher provides:

SQLCipher is an SQLite extension that provides transparent 256-bit AES encryption of database files. Pages are encrypted before being written to disk and are decrypted when read back. Due to the small footprint and great performance it’s ideal for protecting embedded application databases and is well suited for mobile development.

Don’t Get Burned, Anonymize Your Fire

Wed, 16 Nov 2011 22:37:24 -0400

Thanks to Jesse Vincent, aka @obra of the K-9 mail project, we can say that Orbot (Tor on Android) and Orweb (Privacy Browser) work just fine on the new Amazon Kindle Fire. This means that while everything you do through Amazon’s store and browser are tracked and accounted for by Team Bezos, you can use our apps to more safely and privately access web content through the Tor network. While we are mostly Nook Color fans around here, we know that the Kindle Fire is going to be quite popular this Christmas, and are glad to see that mobile privacy now has a toehold on the device from Seattle.

Two years in…

Tue, 25 Oct 2011 15:11:39 -0400

Greetings mobile believers,

I am about to head into the first ever Silicon Valley Human Rights Conference, aka #RightsCon, and though I would post some thoughts about the state of the Guardian Project, and the world in which we operate. RightsCon looks to be an amazing event (live streaming here: https://www.rightscon.org/), by an amazing organization (Access), and it comes at an interesting time in the world, and for our project.

One year ago, I was invited to attend the first Liberation Technology held at Stanford University, a forebearer of sorts, to the RightsCon event today. It was a novel event, being that is was so forthright about the possibility of liberation from oppressors through ones and zeros. It was also quite informative, in that brought together a wide array of participants, including from Egypt, Syria and Yemen, and allowed them to speak directly about the variety of tactics they were using to defeat censors, route around filters, connect diasporas to their homeland and ultimately find fissures in the system that could slowly be mined and widened.

Progress on Mobile Video Privacy Tools

Sat, 10 Sep 2011 04:36:11 -0400

If you are a developer you may just want to skip all the prose below, and just jump over to Github to find our new FFMPEG on Android project{.vt-p} and build system. You can also check out our SSCVideoProto Project{.vt-p} to understand how we are using it to redact faces and other identifying areas of HD video right on the Android phone itself. For more context, read on…

Last October at the Open Video Conference 2010, the idea of a camera application that could be designed to understand the needs and requirements of the human rights community was born. During a hackday hosted with WITNESS{.vt-p}, we proved that is was possible to take a feature like “Face Detection” which is built into the Android operating system, and turn it into a capability that could be used to protect people, by blurring, pixelating or removing faces that unintentionally appeared in a video filmed on a mobile phone. In the last year, through our partnership with WITNESS Labs, we have built on that concept, designing, developing and releasing apps and source code which move the state of the art in mobile video privacy and anonymity capabilities forward.

CACertMan app to address DigiNotar & other bad CA’s

Mon, 05 Sep 2011 03:29:00 -0400

As I expect many of you are aware, there was a major compromise to a Dutch Certificate Authority named “DigiNotar” recently, where they allowed SSL certs for domains like *.google.com, *.torproject.org and even *.cia.gov as well as *.*.com to be issued.

It was brought up to the contribs of CyanogenMOD that they should probably remove the DigiNotar CA cert from the built-in Android OS keystore (located at /system/etc/security/cacerts.bks). Since they have 500k+ users, and can be more nimble than other ROM/device distributors, it was seen as a way to quickly address the problem, at least within their community. It turns out that it wasn’t as easy to convince them to do this (even though Mozilla, Google Chrome, IE, etc already had). You can read the thread, but it is still an open issue:
http://code.google.com/p/cyanogenmod/issues/detail?id=4260{.vt-p}

ACLU believes “Software Developers Can Put Privacy First!” (and so do we!)

Fri, 19 Aug 2011 19:46:40 -0400

A bit more on our big win in the Develop4Privacy contest, from Brian Robick at the ACLU of Washington State:

When software developers put privacy first, everybody wins!

Too often, user privacy is an afterthought in the design of computer software and online services. In recent months, social networks have rolled back changes, cell phone manufacturers have altered the way that location tracking data is stored, and most recently, mobile application developers have been caught inappropriately collecting children’s personal data. For companies, the costs in lost consumer confidence, fines, and corrective measures can be substantial. Everyday users pay a price as well, and for victims of domestic violence, political protesters, whistleblowers, and others whose safety and livelihood could hinge on their privacy, those costs can be devastating.

Announcing ObscuraCam v1 – Enhance Your Visual Privacy!

Thu, 23 Jun 2011 21:28:20 -0400

We’re very happy to announce the beta release of ObscuraCam for Android. This is the first release from the SecureSmartCam project, a partnership with WITNESS, a leading human rights video advocacy and training organization. This is the result of an open-source development cycle, comprised of multiple sprints (and branches), that took place over the last five months. This “v1” release is just the first step towards the complete vision of the project.

The goal of the SecureSmartCam project to to design and develop a new type of smartphone camera app that makes it simple for the user to respect the visual privacy, anonymity and consent of the subjects they photograph or record, while also enhancing their own ability to control the personally identifiable data stored inside that photo or video. Also, we think an app that allows you to pixelize your friends, disguise their faces and otherwise defend their privacy just a little bit, is a lot of fun and helps raise awareness about an important issue. In this first release we have focused on ‘obscura’ by optimizing the workflow of identity obfuscation in still images. Future releases will look at ‘informa,’ the process of properly gaining and recording informed consent from subjects, while also moving to video.

Lil’ Debi: Easy Installer for Debian on Android

Sat, 18 Jun 2011 04:22:52 -0400

Have an Android phone and want an easy Debian chroot running it?

Alpha test our new app, Lil’ Debi. It builds up a whole Debian chroot on your phone entirely using debootstrap. You choose the release, mirror, and size of the disk image, and away it goes. It could take up to an hour, then its done. Then it has a simple chroot manager that mounts and unmounts things, and starts/stops sshd if you have it installed. You can also then use ‘apt-get’ to install any package that is released for ARM processors. This includes things like GPG, Tor, TraceRouteTCP and other security and crypto tools.

Orbot 1.0.5.2 now available

Tue, 17 May 2011 19:43:30 -0400

Our flagship app, Orbot: Tor on Android, has been updated to version 1.0.5.2. It is available in the Android Market, or through direct download from the Tor Project’s website.

This release fixes a number of long standing bigs, includes the latest and greatest release of Tor itself, cleans up the user interface a bit, and adds some new advanced options (you can specify your exit node country!). It also fixes an issue with our “Tor Everything” capability, that allowed some Android system network traffic to leak and bypass the Tor routing. Finally, it provides for compatibility for CyanogenMOD 7, as well as Android Gingerbread and Honeycomb.

Announcing: SQLCipher for Android, Developer Preview r1

Mon, 09 May 2011 22:45:09 -0400

After some major breakthroughs during last week’s development sprint, we’re extremely excited to announce SQLCipher for Android, Developer Preview r1. SQLCipher is an SQLite extension that provides transparent 256-bit AES encryption of database files. To date, it has been open-sourced, sponsored and maintained by Zetetic LLC, and we are glad to be able to extend their efforts to a new mobile platform. In the mobile space, SQLCipher has enjoyed widespread use in Apple’s iOS, as well as Nokia / QT for quite some time. Given that Android by default provides integrated support for SQLite databases, our goal was to create an almost identical API for SQLCipher, so that developers of all skill level could use it, without a steep learning curve.

Our Foolish Hackday!

Wed, 06 Apr 2011 21:51:12 -0400

We had a great group of people show up at our April 1st “Don’t Be Fooled” Hackday here at the OpenMobileLab in New York. There were users, there were devs, and all sorts of other people in between. We tracked some of the brainstormed ideas on an open etherpad at: http://piratepad.net/bQPFn6FOhN (text of this pasted in below).

The main outputs of the hacking were LilDebi, an updated Debian installer for Android, the beginnings of a Bitcoin digital currency client, and another called UpOn App, which uses the accelerometer and white noise generators in the device to stop your cellphone from spying on you.

Growing Mobile Test Lab and Library

Fri, 01 Apr 2011 00:32:08 -0400

At our new meatspace location in New York City, we are building up a library of mobile devices from around the world for open-source developers to use for testing, and specifically to help verify the security of apps running on different carrier configurations and hardware variables.

Mostly our collection has come from picking up what we can, when we can, always with an eye towards anything a few generations back from the state of the art. If you’ve got any mobile hardware to donate, we would love to have it.

April 26: “Advancing the New Machine” at UC Berkeley

Tue, 22 Mar 2011 20:20:56 -0400

I, along with a number of others from the Guardian Project core dev team, will be at the UC Berkeley’s Human Rights Center “Advancing the New Machine” conference at the end of April. I am on a panel regarding security in the context of human rights. We will also be presenting the Secure Smart Cam project with our partners at Witness. (https://guardianproject.info/apps/securecam/).

You can learn more about the event here:
http://www.law.berkeley.edu/HRCweb/events/TechConference2011/index.html

Guardian Project: General Update March 2011

Mon, 21 Mar 2011 05:18:48 -0400

We have recently updated our general presentation on the project, and thought we would share it with you here. Please post any comments, questions or feedback right here, and we will get back to you shortly.

You can find this presentation on Google Docs, where you can also find it in downloadable, offline formats.

Photos from our January Hackday

Thu, 10 Mar 2011 17:41:18 -0400

Back in January, we held a very excellent hackday at Eyebeam in New York. We rooted a NookColor, made encrypted calls over SIP, and generally had a full day of talking about the state of mobile security and privacy. Thanks to everyone who attended, and many thanks to _hc and Eyebeam for hosting!

View the full Flickr photo set.

Proxy Mobile Add-on 0.0.7 for Firefox on Android

Fri, 04 Mar 2011 00:01:24 -0400

We’ve updated our Proxy Mobile add-on for Firefox on Android that allows user to configure their proxy settings. We first released this back in November of last year, and have done our best to keep up with all the various beta updates of the browser. There are no features in this release, just a few small changes to make sure everything is running smoothly out there.

To install the add-on, just search for “Proxy” from the add-on search menu within the Firefox settings screen. You can also point your Firefox mobile browser to this link: https://guardianproject.info/downloads/proxymob-addon-0.0.7.xpi

Addressing a “Privacy Challenge” with Guardian

Wed, 02 Mar 2011 20:39:18 -0400

Organized by the ACLU, Tor Project, and PrivacyByDesign.ca, the “Develop for Privacy Challenge” is an interesting new software development challenge that was announced last month. Developers (teams or individuals) have until May 31st to come up with apps which address this goal:

Develop apps for smartphones or other mobile devices that educate users about mobile privacy and give them the ability to claim or demand greater control of their own personal information.

We don’t plan to compete in this contest ourselves, as we would rather support and encourage other developers to take a shot at it. Along those lines, we would really like to see developers use some of the apps we have built, and code we have released, as part of their solutions. We have been putting together a large number of “lego” building blocks over the last year, just waiting for someone to come and put them together in a revolutionary way. Here is a breakdown of some of our more useful components:

SECURED: HTC Wildfires get Guardian

Tue, 01 Mar 2011 23:23:14 -0400

As we’ve posted in the past, one of the services we provide at The Guardian Project is customizing off-the-shelf Android phones to be generally more secure, privacy minded and updated with a powerful suite of trusted apps. We’ve gotten our mitts on a number of devices over the last few months in this regard, including: myTouch 4G, Motorola Milestone (GSM Droid), HTC Desire GSM, TMobile G2, Samsung Galaxy S, Nook Color, and Viewsonic 10″ GTablet. Whew! And if there’s one thing we’ve learned, it’s that some devices are much much harder to crack than others (cough cough… Desire GSM’s hardened bootloader). With that in mind, we’ve recently added a Hardware page to our site that lists the devices that we recommend for ‘Guardianization’.

A note on funding and our mention in Wired

Wed, 23 Feb 2011 16:50:38 -0400

A message from Nathan Freitas, lead developer on Guardian, who has a life long bad habit of being misquoted or selectively quoted, a phenomenon he must now blame on himself, and not the reporters who interview him.

Some of you might have seen a story on Wired.com on which I am quoted, regarding the US State Department’s “Internet Freedom” agenda. In particular, I was asked to comment on the entrepreneurial angle they are taking. Overall, I think the article is good in laying out the challenges for activist technology projects to take funding from the Government. I also think the motivations of the State Department’s effort are authentic and there is great potential to benefit the overall health of the Internet.

Interviewed CHOMP.FM 007 Podcast

Sat, 19 Feb 2011 09:58:04 -0400

CHOMP.FM is a weekly broadcast on information freedom, internet privacy and cyberculture.

We were excited to be interviewed and including in the latest episode, CHOMP.FM 007. Many thanks to Nadim Kobeissi for featuring us in his super-interesting and relevant show.

You can listen to and download the mp3 directly.

Stickers!

Thu, 17 Feb 2011 13:44:05 -0400

If you see us in person, make sure to ask for one. Otherwise, if you really, really want some, we can mail them to you. Just fill out our “contact” form with your address, and we’ll do our best to pop a few in this thing called an envelope and they should get there in a week(!).

Create an encrypted file system on Android with LUKS

Wed, 02 Feb 2011 23:29:15 -0400

LUKS is the standard for Linux hard disk encryption. By providing a standard on-disk-format, it not only facilitates compatibility among distributions, but also provides secure management of multiple user passwords.

Building off the work from other great sources, the Guardian Project hack team decided to take a crack at porting LUKS to Android recently, with the goal of creating a proof of concept build process that can be easily adapted to future projects.

Seeking Slightly Paranoid Android Developers for Hire and Internships

Wed, 10 Nov 2010 18:59:10 -0400

The Guardian Project is kicking off a three month project focused on finishing up our secure chat app, codenamed Gibber but also known as “OtRChat”. We are looking for developers of all levels to join us in this work. We have already implemented the primary “Off the Record” messaging functionality, and achieved interoperability with desktop clients such as Pidgin and AdiumX. From here, there is work to be done on implementing some unique features, cleaning up the user experience, and ensuring that the implementation is as secure as possible, providing all the necessary features for verifying and managing secure identities and sessions.

SECURED: T-Mobile myTouch 4G gets Guardian

Tue, 09 Nov 2010 23:26:59 -0400

One of the services we provide at the Guardian Project is taking any off the shelf Android phone and setting it up to be generally more secure, privacy minded and updated with a powerful suite of trusted apps. Today we were excited to get our hands on a myTouch 4G, manufactured by HTC and sold by T-Mobile. Really beautiful piece of hardware, and once we got our hands on it, a powerhouse of encrypted, anonymous and circumventing communications.

Proxy Settings Add-on for Firefox Mobile

Mon, 08 Nov 2010 03:43:24 -0400

The latest beta of Firefox 4 on Android is proving to be very usable, stable and an increasingly viable alternative to the built-in webkit browser. However, it is unfortunately lacking the ability to manually configure proxy settings through any sort of standard user interface. This is a common problem for Android, which also lacks the ability to set browser or system wide proxy settings. This has caused real issues for us with getting Orbot (aka “Tor on Android”) to work for un-rooted Android devices, because for routing through Tor to work, you must be able to set the HTTP or SOCKS proxy settings. Why this very basic feature keeps getting missed or ignored is a mystery to us.

Open Video Conference: Panel and Hackday

Thu, 30 Sep 2010 02:00:07 -0400

Nathan Freitas will be on a panel at the 2nd annual Open Video Conference in New York this Friday and Saturday. He will be on the panel entitled “Cameras Everywhere” led by our partners at Witness, on Saturday at 3pm.

Summary: Cameras Everywhere: Human Rights and Web Video – (2:45 PM – 3:30 PM)

Description: Once upon a time, video cameras were rare. Now they are ubiquitous—as are the opportunities to share, use, and re-use video. What are the limits and possibilities of an ethics of openness when it comes to human rights footage?

Orbot Release 1.0 in the Android Market!

Thu, 23 Sep 2010 22:21:06 -0400

It’s here! We’d like to officially announce the release of Orbot to the Android Market. After going beta back in March, we’ve seriously re-doubled our efforts for this release. By releasing Orbot to the Android Market, we suspect that our user base will eventually evolve towards the more ‘every day’ Android user – so our goal has been to create an experience that is simple yet informative, straightforward yet powerful. As a step towards that goal, we’ve spent some time creating a new setup wizard at Orbot start-up that walks you through the basics of what Orbot does and does not do. The last thing we want is for someone to be endangered because they didn’t understand how to protect themselves.

Orbot Update: New Setup Wizard at Startup

Thu, 29 Jul 2010 17:17:08 -0400

We’ve been working away at the 0.0.9 release of Orbot over the last few months, and have put a decent amount of effort into usability. Specifically, we hoped to better communicate to users what it means to run Tor on your Android phone. In addition, we wanted to clearly lay out how the various configuration options help to improve your mobile web anonymity and ability to circumvent web filters and tracking by your mobile service provider.

Calling all Guardians – Alpha Testers Needed!

Tue, 13 Jul 2010 20:50:31 -0400

Recently here at the Guardian Project we’ve been brainstorming & designing a new tool that we think will be core to enabling truly protected mobile communications . We think it will a big step in improving the user-friendliness of making your communications secure, anonymous and private , but we need your help to make it great.

While it may give some of us a certain satisfaction to manually cobble together a suite of secure applications that suites our needs, this is by no means a long-term, wider-market solution. The tech community often forget (willfully or otherwise) that there is a huge group of non tech-savvy users for whom security and privacy are top level priorities. The ability to secure ones mobile communications should be accessible to all, through a solution that is beautiful, engaging and idiot-proof in its design. As we try to build that solution, we’re looking for your help in making sure that it meets each of those criteria.

How To: Lockdown Your Mobile E-Mail

Fri, 09 Jul 2010 11:00:25 -0400

Update 2015-04-27: We now recommend OpenKeychain over APG, the app described in this blog post. The set up is drastically easier, so you probably don’t even need this HOWTO anymore. Start by downloading K-9 and OpenKeychain, then go into OpenKeychain and start the config there.

Over the past few years it’s become increasingly popular to sound the call that ‘email is dead{#y8a0}.’ And while many complementary forms of synchronous and asynchronous communication – from IM to social networking – have evolved since email first came on the scene, it’s hard to see email suddenly disappearing from its role as the most important way organizations communicate. I expect to be scooting around on my hoverboard by the time email goes the way of the dinosaur.

aPad / iRobot / Moons e7001 Teardown

Sat, 05 Jun 2010 13:38:23 -0400

This is the aPad or iRobot Android 7″ tablet device from www.hiapad.com. I decided to tear mine apart, as the unit I received has a battery issue, and I hoped to see if I could find a bad solder point. In addition, I was curious to see just how hackable or extensible the hardware was. In the end, I was mostly surprised by how much of the thing is put together with tape. I suppose that is what you get for < $200 Android tablet! You can find the full product overview on the Hiapad site. I have also pasted in the basic specs below.

How To: Setup a Private VOIP Phone System for Android

Wed, 26 May 2010 05:53:54 -0400

MAY 2011: Learn more about our new efforts on the Open Secure Telephony Network at https://guardianproject.info/wiki/OSTN – we currently recommend the CSipSimple Android app instead of SIPDroid, for secure voice calls.

Near the very top of Guardian’s open-source application suite wish list is something that might seem like a no-brainer for a secure mobile device: voice. When we take into account network performance and audio fidelity requirements, as well as the International nature of Guardian’s target users (everything from average citizens to multi-national journalists or humanitarian organizations), the prospect of a truly real-time secure VOIP solution starts to reveal itself as quite the challenge. Fortunately, a number of efforts have been underway for some time on the Android platform. The following is an introduction to one such effort, and this post provides a very easy step-by-step how to enable your very own private mobile phone system.

Sipdroid is an open-source SIP client that adds native SIP/VOIP to Android’s default dialer / contacts applications. You can find Sipdroid in the Android Market or alternatively can download it here. SIP (Session Initiation Protocol) is the Internet standard for real-time voice and video communications. It’s a fundamental building block for many popular consumer VOIP products that you may have used – Vonage or MagicJack are two examples. Once installed and configured properly, sipdroid allows you to make & receive calls over Wifi and 3G / EDGE data connections – which is a really powerful thing! A similar solution from Gizmo5 allowed many Android users to completely untangle themselves from mobile minutes and rely on a purely VOIP solution. Alas, new Gizmo signups were suspended after Google announced their acquisition – but we should all be excited to see what they can cook up as part of the official Google Voice team.

Tor on a Tablet

Tue, 25 May 2010 16:22:01 -0400

We recently acquired a Moons e-7001 “iRobot” tablet which runs Android 1.5. This device is also known as the “aPad”. It is a very basic iPad-clone, though honestly, it can’t really compare with the iPad in terms of quality of screen, build or general use. However, it does only cost $185, supports USB host mode, has a built-in camera, and it is running Android, an actual open-source operating system! It should also be pointed out that you can also now get the Archos 7 Android tablet, which is basically the same thing as this, from Amazon for $199.

Beem+Orbot: Mobile Instant Messaging over Tor

Mon, 10 May 2010 16:32:01 -0400

It is no secret that we are big fans of open-source here at Guardian. In fact, it is what we are made of. Guardian is not just a single app or just one phone, it is a vision for a more private and secure future for personal mobile telecommunications. As part of our work, we are constantly on the lookout other similar, like-minded projects that are developing open-source communications tools for the Android OS which we can make to work with our underlying security platform.

Ultimate Droid and Orbot

Sun, 11 Apr 2010 14:11:11 -0400

The InsecureSystem blog has a nice write-up on how to get Orbot running on your Droid:

I’ve always been a supporter of net privacy and Tor in particular, and a friend of mine got me interested in the guardian project, so I grabbed the beta version of Orbot just to try it out.. sweet, tor from my phone.

Unfortunately the Smoked Glass Rom I was using didn’t support the Iptables modules necessary for the transparent proxy method orbot used for tunnelling apps through privoxy/tor. So, I was forced to try out some other Roms and their respective kernels.. okay, forced is a bad way to put it, it was a lot of fun.

Ushahidi-Linda: “Testimony” + “Protection”

Wed, 10 Mar 2010 19:53:00 -0400

Ushahidi-linda (“Testimony” + “Protection” – disclaimer: we don’t speak Swahili so this was a shot in the dark!)

This is a fork of the Ushahidi on Android app, done as a way to prototype the implementation of increased security, anonymity and privacy for users viewing and submitting reports through Ushahidi.

Ushahidi is a platform that crowdsources crisis information, allowing anyone to submit crisis information through text messaging using a mobile phone, email or web form.

Orbot goes Beta

Thu, 04 Mar 2010 16:14:01 -0400

As announced on the Tor Blog, an important development:

The Tor Project has been working very closely with Nathan Freitas and The Guardian Project to create an Android release. This is an early beta release and is not yet suitable for high security needs. The Android web browser is not protected by Torbutton and we have not yet developed an anonymous browser on the Android platform. Please be cautious with this release, it’s probably pretty fragile and it’s certainly not ready for serious use.

MobileActive Helps Secure Citizen Journalists

Tue, 02 Mar 2010 17:28:30 -0400

While we appreciate the mention in this new guide from MobileActive, we appreciate even more the hard work put into documenting practical solutions for citizen journalists that are available today. This guide covers both low and hi-tech approaches to using a mobile phone to document and share media, while still trying to protect your identity and safeguarding communication:

Mobile phones are used to compose stories, capture multi-media evidence and disseminate content to local and international audiences. This can be accomplished extremely quickly, making mobile media tools attractive to citizens and journalists covering rapidly unfolding events such as protests or political or other crises. The rise of mobiles has also helped extend citizen journalism into transient, poor or otherwise disconnected communities.

Orbot main screen redesign

Mon, 01 Mar 2010 21:48:06 -0400

Here’s a few screenshots of the new “ACTIVATE ORBOT!” user interface. Just polishing up some of the features and doing a last few days of diligent testing before we release to the wider public.

Overall, we want Tor on Android to be a one touch type experience, while still offering all the necessary options for configuration of bridges, rate limiting, etc.

The coolest Android-only feature, which unfortunately requires your device to be rooted, is the ability to choose which apps on your device will be “Torified” automatically and transparently.

One Solution for Push-to-Talk

Thu, 11 Feb 2010 03:50:22 -0400

As part of rolling out the first-phase of The Guardian Project, I will be writing short reviews of existing applications for Android-based mobile phones that share our general goals or desired functionality. The goal of Guardian, in short, is to enable safe and secure communication for activists, organizers and advocates working for good around the world through the mobile phones they carry in their pockets.

The Guardian project has no official relationship with these apps or their creators, but as we work towards developing our own unique software, we want to make sure to shine the spotlight on existing efforts that we admire and which are currently available. We’d also happily collaborate with any of them (or *you* if you are a developer reading this), and have them join our open-source efforts.

Orbot: Initial Release (repost)

Wed, 10 Feb 2010 20:26:23 -0400

This was originally posted in October 2009.

I’d like to make this post without much fanfare. Just looking to share information on the work I’ve been doing with the fantastically radical team over at the Tor Project, as part of my work on the Guardian Project. We have successfully ported the native C Tor app to Android and built an Android application bundle that installs, runs and provides the glue needed to make it useful to end users…. secure, anonymous access to the web via Tor on Android is now a reality. (Update: Tor doesn’t magically encrypt all of your Internet activities, though. You should understand what Tor does and does not do for you.)

Ideas and Inspiration

Mon, 08 Feb 2010 05:34:33 -0400

Watch the video below to hear directly from Google’s Android Team about the benefits of an open-source mobile OS.

And now, another clip from one of our core, yet fictional, inspirations.

Alan Bradley: I still don’t get why you want to break into the system.
Kevin Flynn: [frustrated] Because, man, somewhere in one of these memories is the evidence!