Experimental app to improve privacy in location sharing
Posted on January 29, 2015
| Hans-Christoph Steiner
As part of the T2 Panic effort, I’ve recently been diving deep into the issues of sharing location. It is unfortunately looking really bad, with many services, including Google, frequently sharing location as plain text over the network. I’ve started to write up some of the issues on this blog.
As part of this, I’ve put together an experimental Android app that aims to act as a privacy filter for all ways of sharing location.
[Read More]
First working test of IOCipher for Obj-C
Posted on January 26, 2015
| Hans-Christoph Steiner
Every so often, we revisit our core libraries in the process of improving our existing apps, and creating new ones. IOCipher has become a standard part of our apps since it provides a really easy way to include encrypted file storage in Android apps. And we are now working on spreading it to iOS as well, headed up by Chris Ballinger, with the first preliminary tests of IOCipher for Obj-C. Testing and contributions are most welcome!
[Read More]
Sharing your location privately
Posted on January 23, 2015
| Hans-Christoph Steiner
Facebook location sharing embeds the location in every single message, providing a detailed log to the recipient, Facebook, and anyone Facebook shares that data with One handy feature that many smartphones give us is the ability to easily share our exact position with other people. You can see this feature in a lot of apps. Google Maps lets you click “Share” and send a URL via any method you have available.
[Read More]
2015 is the Year of Bore-Sec
Posted on January 2, 2015
| n8fr8
Over the last few months, the Guardian Project team has been thinking about how to approach the next five years of our work. An idea of “security so easy and seamless, that it is boring” came to the surface through some discussions. This led us to look for inspiration in important inventions and innovations of the past, that provide safety and security to all on a day-to-day basis, without the users of these technologies hardly thinking about them.
[Read More]
Reducing metadata leakage from software updates
Posted on October 16, 2014
| Hans-Christoph Steiner
Update: now you can do this with Tor Onion Services
Many software update systems use code signing to ensure that only the correct software is downloaded and installed, and to prevent the code from being altered. This is an effective way to prevent the code from being modified, and because of that, software update systems often use plain, unencrypted HTTP connections for downloading code updates. That means that the metadata of what packages a machine has installed is available in plain text for any network observer, from someone sitting on the same public WiFi as you, to state actors with full network observation capabilities.
[Read More]
CipherKit updates: IOCipher and CacheWord
Posted on September 26, 2014
| Hans-Christoph Steiner
We’ve been on a big kick recently, updating the newest members of our CipherKit family of frameworks: IOCipher and CacheWord. There also are is a little news about the original CipherKit framework: SQLCipher-for-Android.
IOCipher v0.2 IOCipher is a library for storing files in an encrypted virtual disk. It’s API is the exact same as java.io for working with files, and it does not need root access. That makes it the sibling of SQLCipher-for-Android, both are native Android APIs that wrap the SQLCipher database.
[Read More]
Question: central server, federated, or p2p? Answer: all!
Posted on September 18, 2014
| Hans-Christoph Steiner
There are many ideas of core architectures for providing digital services, each with their own advantages and disadvantages. I break it down along the lines of central servers, federated servers, and peer-to-peer, serverless systems.
a central service with clients connecting to it Most big internet companies operate in effect as a central server (even though they are implemented differently). There is only facebook.com, there are no other services that can inter-operate with facebook.
[Read More]
ChatSecure for Android v14 is FINALLY here!
Posted on September 10, 2014
| n8fr8
I am so happy to announce that ChatSecure for Android v14 IS FINALLY HERE!
BUT This is our first “release candidate” of v14 for public use, and while we love it dearly, you may want to wait for 14.0.1 for us to work out any hiccups.
The update should be out on Google Play shortly, and FDroid in the next few days. Otherwise, you can always download the APK direct from us:
[Read More]
ChatSecure 13.2: Important Beta!
Posted on August 5, 2014
| n8fr8
Today is the first public beta of ChatSecure v13.2, an important update of the user interface, networking code, and overall stability. We’ve spent the last six months tracking down crashes, memory leaks and performance issues, and have reached a stable, functional point which we want to share for public use. Reliability and simplicity our the goals, as we move towards v14 in the next few months.
This beta also features a new account setup wizard that we are eager for feedback on.
[Read More]
Introducing TrustedIntents for Android
Posted on July 30, 2014
| Hans-Christoph Steiner
Following up on our research on secure Intent interactions, we are now announcing the first working version of the TrustedIntents library for Android. It provides methods for checking any Intent for whether the sending and receiving app matches a specified set of trusted app providers. It does this by “pinning” to the signing certificate of the APKs. The developer includes this “pin” in the app, which includes the signing certificate to trust, then TrustedIntents checks Intents against the configured certificate pins.
[Read More]
New Official Guardian Project app repo for FDroid!
Posted on June 30, 2014
| Hans-Christoph Steiner
We now have an official FDroid app repository that is available via three separate methods, to guarantee access to a trusted distribution channel throughout the world! To start with, you must have FDroid installed. Right now, I recommend using the latest test release since it has support for Tor and .onion addresses (earlier versions should work for non-onion addresses):
https://f-droid.org/repo/org.fdroid.fdroid_710.apk
In order to add this repo to your FDroid config, you can either click directly on these links on your devices and FDroid will recognize them, or you can click on them on your desktop, and you will be presented with a QR Code to scan.
[Read More]
Recent news on Orweb flaws
Posted on June 30, 2014
| n8fr8
August 2014: New browser development news here, including Orfox, our Firefox-based browser solution: https://lists.mayfirst.org/pipermail/guardian-dev/2014-August/003717.html
On Saturday, a new post was relased by Xordern entitled IP Leakage of Mobile Tor Browsers. As the title says, the post documents flaws in mobile browser apps, such as Orweb and Onion Browser, both which automatically route communication traffic over Tor. While we appreciate the care the author has taken, he does make the mistake of using the term “security” to lump together the need for total anonymity up with the needs of anti-censorship, anti-surveillance, circumvention and local device privacy.
[Read More]
Our first deterministic build: Lil’ Debi 0.4.7
Posted on June 9, 2014
| Hans-Christoph Steiner
We just released Lil’ Debi 0.4.7 into the Play Store and f-droid.org. It is not really different than the 0.4.6 release except in has a new, important property: the APK contents can be reproduced on other machines to the extent that the APK signature can be swapped between the official build and builds that other people have made from source, and this will still be installable. This is known as a “deterministic build” or “reproducible build”: the build process is deterministic, meaning it runs the same way each time, and that results in an APK that is reproducible by others using only the source code.
[Read More]
Orbot now at v14.0.0 build 100!
Posted on June 7, 2014
| n8fr8
The latest Orbot is out soon on Google Play, and by direct download from the link below:
Android APK: https://guardianproject.info/releases/orbot-latest.apk
(PGP Sig)
The major improvements for this release are:
Uses the latest Tor 0.2.42.22 stable version Fix for recent OpenSSL vulnerabilities Addition of Obfuscated Bridges 3 (Obfs3) support Switch from Privoxy to Polipo (semi-experimental) and much more… see the CHANGELOG link below for all the details.
The tag commit message was “updating to 14.
[Read More]
Automatic, private distribution of our test builds
Posted on June 6, 2014
| Hans-Christoph Steiner
One thing we are very lucky to have is a good community of people willing to test out unfinished builds of our software. That is a very valuable contribution to the process of developing usable, secure apps. So we want to make this process as easy as possible while keeping it as secure and private as possible. To that end, we have set up an FDroid repository of apps generated from the test builds that our build server generates automatically every time we publish new code.
[Read More]
Reset The Net!
Posted on June 4, 2014
| n8fr8
We’re making the Internet more secure, by taking part in #ResetTheNet https://resetthenet.org
Security in a thumb drive: the promise and pain of hardware security modules, take one!
Posted on March 28, 2014
| Hans-Christoph Steiner
Hardware Security Modules (aka Smartcards, chipcards, etc) provide a secure way to store and use cryptographic keys, while actually making the whole process a bit easier. In theory, one USB thumb drive like thing could manage all of the crypto keys you use in a way that makes them much harder to steal. That is the promise. The reality is that the world of Hardware Security Modules (HSMs) is a massive, scary minefield of endless technical gotchas, byzantine standards (PKCS#11!
[Read More]
Eric Schmidt Awards Guardian Project a “New Digital Age” Grant
Posted on March 10, 2014
| n8fr8
An interesting turn of events (which we are very grateful for!)
**
FOR IMMEDIATE RELEASE
Diana Del Olmo, diana@guardianproject.info
Nathan Freitas (in Austin / SXSW) +1.718.569.7272
nathan@guardianproject.info
Get press kit and more at: https://guardianproject.info/press
Permalink:
https://docs.google.com/document/d/1kI6dV6nPSd1z3MkxSTMRT8P9DcFQ9uOiNFcUlGTjjXA/edit?usp=sharing
GOOGLE EXECUTIVE CHAIRMAN ERIC SCHMIDT AWARDS GUARDIAN PROJECT A “NEW DIGITAL AGE” GRANT
The Guardian Project is amongst the 10 chosen grantee organizations to be awarded a $100,000 digital age grant due to its extensive work creating open source software to help citizens overcome government-sponsored censorship.
[Read More]
Tweaking HTTPS for Better Security
Posted on February 12, 2014
| Hans-Christoph Steiner
The HTTPS protocol is based on TLS and SSL, which are standard ways to negotiate encrypted connections. There is a lot of complexity in the protocols and lots of config options, but luckily most of the config options can be ignored since the defaults are fine. But there are some things worth tweaking to ensure that as many connections as possible are using reliable encryption ciphers while providing forward secrecy. A connection with forward secrecy provides protection to past transactions even if the server’s HTTPS private key/certificate is stolen or compromised.
[Read More]
Improving trust and flexibility in interactions between Android apps
Posted on January 21, 2014
| Hans-Christoph Steiner
Activity1 sending an Intent that either Activity2 or Activity3 can handle. Android provides a flexible system of messaging between apps in the form of `Intent`s. It also provides the framework for reusing large chunks of apps based on the `Activity` class. `Intent`s are the messages that make the requests, and `Activity`s are the basic chunk of functionality in an app, including its interface. This combination allows apps to reuse large chunks of functionality while keeping the user experience seamless and fluent.
[Read More]