The tl;dr of this lengthy (tho entertaining and immensely important!) post is this: Stopping with “We support OTR” or “We support PGP” is not enough anymore. There are at least seven, if not more, very important security features that any app claiming to provide secure messaging must implement as soon as possible, to truly safeguard a user’s communication content, metadata and identity.
Note: The names “Gibberbot” and “ChatSecure” are used interchangeably below, as we are in the midst of an app rebrand.
Building, Securing, and Anonymizing Android Apps
Calling all Android devs: Tuesday, July 9, 2013, 12:30 PM to 1:30 PM.
Live on the web: livestream.
Live in person (with RSVP): Pivotal Labs, 841 Broadway, 8th Floor, New York, NY (map).
Please join us for lunch and crypto-talk with Hans-Christoph Steiner of the Guardian Project. Hans will talk about the how and why of building secure mobile applications that keep the user's data encrypted and hidden from prying eyes.
A Weather Report On Security
How’s the weather outside? Sunny with a chance of IP blocking.
We recently launched a new initiative we’re calling: The Weather Repo. The goal of the project is for organizations to have a more accurate method of understanding whether the apps they’re using are “safe”. It’s hard to know whether apps that claim to be secure really are. Have they been vetted by a third party? Are there existing case studies?
Carrier Grade, Verizon and the NSA
Last week Glenn Greenwald at The Guardian broke the news that Verizon has been providing the NSA with metadata about all of the calls over a subsidiary’s network. This subsidiary is called Verizon Business Network Services. It is a privately held company that “owns, operates, monitors, and maintains data and Internet networks in North America, Europe, Asia, Latin America, Australia, Japan, and Africa. The company provides converged communication solutions, such as local and long-distance voice, messaging, and Internet access services.
The Only Way to Visit Strongbox on a Phone
The New Yorker magazine just launched Strongbox, a whistleblower submission system that’s hosted on a hidden website. There’s only one way to access the hidden site on a phone or tablet, and that’s with our Orweb app. Here’s a simple breakdown of how to securely and anonymously blow the whistle, explained in an interactive tutorial: Visit guardianproject.info/howto/strongbox for an interactive tutorial on using Strongbox on your phone. The website exists as a hidden site on what is widely known as the darknet, since you are going there hidden or “in the dark.”
GnuPG for Android progress: we have a command-line app!
This alpha release of our command-line developer tool brings GnuPG to Android for the first time!
GNU Privacy Guard Command-Line (gpgcli) gives you command line access to the entire GnuPG suite of encryption software. GPG is GNU’s tool for end-to-end secure communication and encrypted data storage. This trusted protocol is the free software alternative to PGP. GnuPG 2.1 is the new modularized version of GnuPG that now supports OpenPGP and S/MIME.
Security Awareness Party
In the security world, there’s a pesky belief that a tool can either be secure or easy to use, but not both. Some experts also argue that training people to be safe online is too hard and doesn’t accomplish much (see Bruce Schneier’s recent post Security Awareness Training). Without a thoughtful approach, that’s usually how it plays out. But it doesn’t have to be that way! We’re committed to making online security fun to learn and fun to use, and we’re launching a new series of interactive tutorials to make it happen.
Gibberbot v11 is not just secure, it’s also simple, snappy and super fun!
Gibberbot v11 is now final as of RC3 release: https://github.com/guardianproject/Gibberbot/tree/0.0.11-RC3. From here, the only changes to v11 we will be making will be critical bug fixes. We are now focused on our v12 release, which you can track here: https://dev.guardianproject.info/versions/39
_Please promote our new Gibberbot how-to interactive tutorial available here: https://guardianproject.info/howto/chatsecurely/_
If you have been tracking our efforts here for the last few years, you will know that Gibberbot, our secure instant messaging app, started out as a big old mess of an app called “ORChat” and then “OTRChat” and then “Gibber” (or “Jibber”?
Lower Bounds of The Narrow Bands
Voice is becoming a standard feature of any messaging app on mobile phones, in various forms using many different protocols. There’s the old guard, whom I will refer to as “Skype”. Some tough questions have been thrown their way by many groups who support a free Internet. There’s Google Voice, which is not really VoIP. Apple is playing around in the hedge maze inside their walled garden with iChat. There’s also Facebook, who is rolling out voice calling in Canada and the USA in their Messenger app on iOS.
IOCipher beta: easy encrypted file storage for your Android app
At long last, we are proud to announce the first beta release of IOCipher, an easy framework for providing virtual encrypted disks for Android apps.
- does not require root or any special permissions at all
- the API is a drop-in replacement for the standard java.io.File API, so if you have ever worked with files in Java, you already know how to use IOCipher
- works easiest in an app that stores all files in IOCipher, but using standard java.
report on IOCipher beta dev sprint
We are just wrapping up an intensive dev sprint on IOCipher in order to get the first real beta release out, and it has been a wonderfully productive session on many levels! Before we started this, we had a proof-of-concept project that was crashy and ridiculously slow. We’re talking crashes every 100 or so transactions and 9 minutes to write 2 megs. Abel and I were plodding thru the bugs, trying to find the motivation to dive into the hard problems in the guts of some of the more arcane parts of the code.
Mumble and the Bandwidth – Anonymous CB radio with Mumble and Tor
The journey towards anonymous and secure voice communication is a long one. There are lots of roadblocks to getting your voice from point A to point B over the Internet if you need to prevent eavesdropping or censorship. There is the limited bandwidth of mobile data connections. There is the high latency of the TCP protocol. To achieve anonymity via Tor, there’s even more latency added to each packet.
Mumble is a non-standard protocol that was originally designed for realtime voice chat for video games.
InformaCam wins Knight News Challenge
WITNESS and The Guardian Project, the mobile security and app development experts, have just been awarded a Knight News Challenge grant from the John S. and James L. Knight Foundation for InformaCam – the first app seeking to address issues of authentication for digital media. In total, the funding was for ~$320,000 USD, with about one third of the funding going directly to software development and testing. The rest of the funding will be applied to deployment, partnerships, awareness building, and all the other necessary things you must do to turn a “great idea” into something with real adoption and use.
Voice over Tor?
Voice calls over Tor are supposed to be impossible. It seems this may no longer be the case.
Without being able to hold voice over IP (VoIP) conversations over the Tor network, people are prevented from routing calls outside of censored networks. People ask us if there is any way they can route voice traffic through Tor to avoid blocks. To our surprise, we tested Skype and found that it can work acceptably over Orbot.
Proposal for Secure Connection Notification on Android
A major problem with mobile applications increasingly being used in place of web-based applications is that there is no established standard for notifying the user of the security state of the network connection. With a web browser, the “lock” icon shown when an HTTPS connection is made evolved from Netscape’s first implementation into an ad hoc, de facto industry-standard way of letting the user know if their connection is secure.
Orbot v11 is out!
After previous fits and starts, we’ve stabilized Orbot v11 now with the RC6 release. Our core testers and public users via the Google Play distribution are back to happy and stable states of being.
The latest version can be found:
1) In Google Play:
https://play.google.com/store/apps/details?id=org.torproject.android
2) In our F-Droid repo:
https://guardianproject.info/2012/03/15/our-new-f-droid-app-repository/
3) Via direct APK here:
https://guardianproject.info/releases/Orbot-release-0.2.3.23-rc-1.0.11-RC6.apk
(.asc)
As always you can file bugs on trac.torproject.org or the guardian
ToFU/PoP in your Android App! (a.k.a. extending Orlib to communicate over Tor)
In doing my research for InformaCam, I learned a couple of neat tricks for getting an app to communicate over Tor. Here’s a how-to for app developers to use depending on your threat model and how you have your web server set up. Enjoy, and please post your comments/questions/suggestions below…
Before we begin… You’re going to need some basic stuff up-and-running for this to work. Before you get coding, make sure you have the following:
Sometimes the best solution is a library, not an app
Our general approach to software development starts with surveying existing solutions that are available and in use, to see if there is already enough of an ecosystem or whether we need to seed one. When there is already an abundance of tools and apps out there, we work to find the good ones, provide feedback and auditing, and then build apps and tools to fill in any gaps. For example, this was our approach in the Open Secure Telephony Network.
From #HOPE9: Your Cell Phone Is Covered in Spiders! – Practical Android Security
Cooperq gave a great talk on Android security late Saturday night at the recent Hackers on Planet Earth Number 9 aka Hope9 gathering. You can find the slides/src on Github and video up on Vimeo. Cooper wrote some notes, as well:
This talk was given at hope 9. Please feel free to give it yourself, repurpose it, add to it or do whatever you want. I release this talk to the public domain.
Threats and Usability of Secure Voice
In my previous post I found that end-to-end encryption with OSTN is both effective and usable. There are two important things the user must be aware of when using OSTN. They must confirm with each phone call that the encryption icon is present, and they must correctly complete the SAS verification dialog boxes. So on a basic level, encrypted voice just works. But what does this all mean? This post looks at the threats to the security and usability of encrypted ZRTP phone calls in CSipSimple.