New Partnership with Circle of 6 mobile safety app

Circle of 6 Focuses on Security with Guardian Project Partnership
Safety App Will Get End-to-End Encryption and More To Support High-Risk Communities
New York, NY: Two innovative organizations have partnered to bring increased digital security and privacy capabilities to users interested in improved safety for their mobile devices. Tech 4 Good, the developer of Circle of 6, a highly regarded mobile safety app developed to promote safety and health through networks of trust, has partnered with Guardian Project, a leader in mobile security and privacy technologies. [Read More]

Orfox 1.2.1 released

We’ve released a new version of Orfox, our Tor Browser for Android, that contains an important security update to Firefox. This update is based on the latest release of Tor Browser, which was announced with this message: The security flaw responsible for this urgent release is already actively exploited on Windows systems. Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available, the underlying bug affects those platforms as well. [Read More]

“If This, Then Panic!” Sample Code for Triggering Emergency Alerts

Earlier this year, we announced the PanicKit Library for Android and Ripple, our basic app that alerts any compatible app that you are in an emergency situation. Rather than build a solitary, enclosed “panic button” app that can only provide a specific set of functionality, we decided, as we often do, to build a framework and encourage others to participate. Since then, we’ve had over 10 different apps implement PanicKit responder functionality, including Signal, OpenKeyChain, Umbrella app, StoryMaker and Zom. [Read More]

Orfox 1.2: An Overdue Update to Our Privacy-Focused Browser!

Primarily, this release is the first in a long while, and it comes after improving our ability to stay up-to-date with core Tor Browser development. In addition, as Mozilla adds more and more features to the core Firefox, we must review them for any issues related to increased permission requests, access to data, and privacy and network leaks. This is a slow, tedious job, so thank you for your patience. We expect to have more frequent, regular releases moving forward. [Read More]

HOWTO: get all your Debian packages via Tor Onion Services

Following up on some privacy leaks that we looked into a while back, there are now official Debian Tor Onion Services for getting software packages and security updates, thanks to the Debian Sys Admin team. This is important for high-risk use cases like those TAILS covers, but it is also useful for making some kinds of targeted attacks against high-security servers more difficult. The default Debian and Ubuntu package servers use plain HTTP with unencrypted connections. [Read More]

OpenArchive: Free & Secure Mobile Media Sharing #DWebSummit

I am excited to share another new “mini app” effort we have joined up with, as part of work we are doing to create simple, focused tools that solve a single issue. We also are aiming to build apps that are 1 to 3MB in size, and work on Android phones back to version 2.3, in order to maximize accessibility for a global audience. OpenArchive is one of these efforts. It is a project led by Natalie Cadranel, who received a Knight Foundation prototype grant in 2014. [Read More]

Building the most private app store

App stores can work well without any tracking at all
Attackers are increasingly seeing app stores as a prime attack vector, whether it is aimed at the masses like XCodeGhost or very targeted like in FBI vs Apple. When we install software from an app store, we are placing a lot of trust in a lot of different parties involved in getting the source code from the original developer delivered to our device in a useful form. [Read More]

Data Usage and Protection Policies

At a high level, it is easy to say that “we know nothing”. We do not log data or include analytics in our websites or applications. When we do operate servers to support our applications, they are configured to store as little data as possible, usually just a username and password, if that is required. We also only recommend third-party services, such as XMPP services, VoIP services, or Proxy and VPN providers, who abide by these same policies. [Read More]

Copperhead, Guardian Project and F-Droid Partner to Build Open, Verifiably Secure Mobile Ecosystem

Three open-source projects have joined together to announce a new partnership to create an open, verifiably secure mobile ecosystem of software, services and hardware. Led by the work of the Toronto-based CopperheadOS team on securing the core Android OS, Guardian Project and F-Droid have joined in to partner on envisioning and developing a full mobile ecosystem. The goal is to create a solution that can be verifiably trusted from the operating system, through the network and network services, all the way up to the app stores and apps themselves. [Read More]

PanicKit: making your whole phone respond to a panic button

Our mobile devices do so many things for us, making it easy to communicate with people in all manners while giving us access to all sorts of information wherever we are. But in times of anxiety and panic, it is difficult to quickly use them. Will you be too shaky to type in your PIN or lock pattern? Will you have enough time to find your trusted contacts and send them a message? [Read More]

How to Migrate Your Android App’s Signing Key

It is time to update to a stronger signing key for your Android app! The old default RSA 1024-bit key is weak and officially deprecated. What? The Android OS requires that every application installed be signed by a digital key. The purpose behind this signature is to identify the author of the application, allow this author and this author alone to make updates to the app, as well as provide a mechanism to establish inter-application trust. [Read More]

Good translations are essential to usability

All too often, translations of an app are treated as an afterthought. It is not something that the app developers see, since they create the software in the languages that work best for them. So the software looks complete to the developers. But for anyone using the software in a different language, translation is essential in order for the app to be useful. If you can’t understand the words that you see in the app’s interface, it is going to be difficult or impossible to use that app. [Read More]

First Reproducible Builds Summit

I was just in Athens for the “Reproducible Builds Summit”, an Aspiration-run meeting focused on the issues of getting all software builds to be reproducible. This means that anyone starting with the same source code can build the exact same binary, bit-for-bit. At first glance, it sounds like this horrible, arcane detail, which it is really. But it provides tons of real benefits that can save lots of time. And in terms of programming, it can actually be quite fun, like doing a puzzle or sudoku, since there is a very clear point where you have “won”. [Read More]

CipherKit reproducible builds

We have been on a kick recently with making our build process support “reproducible builds”, aka “deterministic builds”. What is this reproducible thing? Basically, it means that you can run a script and end up with the exact same binary file as our official releases, be it an APK, JAR, AAR, whatever. That lets anyone verify that our releases are produced only from the source in git, without including anything else, whether deliberately or accidentally (like malware). [Read More]

Orfox: Aspiring to bring Tor Browser to Android

Update 24 September, 2015: Orfox BETA is now on Google Play: https://play.google.com/store/apps/details?id=info.guardianproject.orfox
In the summer of 2014 (https://lists.mayfirst.org/pipermail/guardian-dev/2014-August/003717.html), we announced that the results of work by Amogh Pradeep (https://github.com/amoghbl1), our 2014 Google Summer of Code student, had proven we could build Firefox for Android with some of the settings and configurations from the Tor Browser desktop software. We called this app Orfox, in homage to Orbot and our current Orweb browser. [Read More]

Building a trustworthy app store that respects privacy

One core piece of our approach is thinking about very high risk situations, like Ai Weiwei or Edward Snowden, then making the tools for operating under that pressure as easy to use as possible. That means that we might occasionally come across as a little paranoid. It is important to dive into the depths of what might be possible. That is an essential step in evaluating what the risks and defenses are, and how to prioritize them. [Read More]

Hiding Apps in Plain Sight

Beyond just thinking about encryption of data over the wire, or at rest on your mobile device, we also consider physical access to your mobile device as one of the possible things we need to defend against. Some of our apps, such as Courier, our secure news reader, include a Panic feature, enabling a user to quickly delete data or remove the app if they fear their device will be taken from them, whether by a friend, family member, criminal or an authority figure. [Read More]

Getting Android tools into Debian

As part of Debian’s project in Google Summer of Code, I’ll be working with two students, Kai-Chung Yan and Komal Sukhani, and another mentor from the Debian Java Team, Markus Koschany. We are going to be working on getting the Android SDK and tools into Debian, as part of the Debian Android Tools team, building upon the existing work already included from the Java and Android Tools teams. [Read More]

Phishing for developers

I recently received a very interesting phishing email directed at developers with apps in Google Play. One open question is how targeted it was: did anyone else get this? It turns out that Google has recently been stepping up enforcement of certain terms, so it looks like some people are taking advantage of that. It is a pretty sophisticated, or manually targeted, phishing email, since they got the name of the app, email address, and project name all correct. [Read More]

Complete, reproducible app distribution achieved!

With F-Droid, we have been working towards getting a complete app distribution channel that is able to reproducibly build each Android app from source. While this may sound like a mundane detail, it does provide lots of tangible benefits. First, it means that anyone can verify that the app that they are using is 100% built from the source code, with nothing else added. That verifies that the app is indeed 100% free, open source software. [Read More]