[guardian-dev] Encrypted address book / contact list application for Android?
Bernard Tyers - ei8fdb
ei8fdb at ei8fdb.org
Tue May 7 17:11:02 EDT 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 7 May 2013, at 21:56, Bernard Tyers - ei8fdb wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> On 7 May 2013, at 18:38, Josh Steiner wrote:
>
>> Another use case that would be useful is to invert the flow of the data. Instead of client apps getting access to the contacts lists, the user runs the secure contacts list app, finds the user they want to get in touch with and the app passes only the contact method they select to the app of their choice via share intents or the clipboard (similar to have lastpass et all work), this way you could call or sms or email a user from your secured contact list without exposing the full list to any outside apps
>
> Josh, you've managed to explain it much better than I did :)
>
> It may be a big shift for users, but I have seen this approach before in the Nokia N800 Maemo addressbook/contact list. I can charge mine up and make some videos if you think it'd help.
>
> The contact list held all contact details: name, telephone, e-mail addresses, IM, VoIP, Skype, etc.
>
> They also kept details of the statuses of those presence service (eg Joe Bloggs is online on Skype, but away on MSN).
>
> All communications were initiated through the addressbook, instead of, for example going to Skype and contacting the user there.
>
> Actually, I've found a nice video showing the Maemo5 addressbook UI: https://www.youtube.com/watch?v=30kPxiyzrmI
>
> I don't know the operation of it below the hood, but the video did mention that the addressbook fetches the contacts directly from the IM services once you've signed in? Presumably that is carried out securely?
>
> As I said, it may require too be a shift for users the change their method of initiating communications with contacts, but if the goal of it was to provide encrypted contacts it might be worth it?
>
> By adding IM, Skype, VoIP details to contacts, that could prepopulate a list of authorised applications to access the addressbook, saving some manual configuration as I mentioned in the previous e-mail.
>
I don't know if its of help, but the Maemo 5 repos are available here:
http://repository.maemo.org/pool/maemo5.0/
The addressbook "osso-addressbook" in binary form is here:
http://repository.maemo.org/pool/maemo5.0/nokia-binaries/4bc37c7c77ebe90177c050b805a8dc79/nokia-binaries/o/osso-addressbook/
Bernard
>> -Josh
>>
>>
>> On Tue, May 7, 2013 at 7:29 AM, Hans of Guardian <hans at guardianproject.info> wrote:
>>
>> On May 7, 2013, at 8:45 AM, Abel Luck wrote:
>>
>>> Bernard Tyers - ei8fdb:
>>>> Hi Nathan,
>>>>
>>>> On 7 May 2013, at 01:21, Nathan of Guardian wrote:
>>>>
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>
>>>>> On 05/06/2013 03:04 PM, Bernard Tyers - ei8fdb wrote:
>>>>>> Has anyone come across an encrypted address book / contact list
>>>>>> application for smartphone devices?
>>>>
>>>>> I had always considered building one, based on SQLCipher, but then
>>>>> never had the time to quite think through how you let other apps
>>>>> access the data (or not). So, I think "encrypted" is quite easy, but
>>>>> actually *secure* is not.
>>>
>>> I agree this app would be nice. But Nathan's concerns are right. The
>>> contacts app is fundamentally a server app accessed by many unknown
>>> clients. No real way to secure it.
>>
>> Just running with this idea here: if we find a way to make a custom address book, we could make a full paranoid mode where every access to the contacts database was controlled by a PIN and perhaps a whitelist of apps that could access it without a PIN.
>>
>> This is similar to the idea we've been working on for doing secure file transfer between apps using a ContentProvider. The key here would be to have a permission to access these secure ContentProvider streams, then audit apps that use that permission to make sure that they are not leaking data.
>>
>> I can't think of a way to handle this all transparently though...
>>
>> .hc
>>
>>
>>> Using Full Disk Encryption (FDE) is the best solution at this point, imho.
>>>
>>>>
>>>> Hmm, good point. My initial reasoning was how TextSecure allows access to SMS messages - installing the app, the user is asked to enter a passphrase, which is then cached for XX time period, but you're right: how would e-mail app, etc access it.
>>>>
>>>> What about creating a dialler application which stores the contacts in it? It would remove (?) the need to allow telephone dialler apps from accessing the contacts.
>>>>
>>>
>>> That would work for the simple case of dialing from the phone. But
>>> people use their contacts list in many other apps: Skype, VoiP apps,
>>> email just to name a few. Not supporting those pretty much precludes
>>> anyone from using an encrypted contacts+dialer app.
>>>
>>> ~abel
>>>
>>>>
>>>>> There was a developer we supported for awhile who built a version of
>>>>> the default Android app using SQLCipher, for a custom enterprise
>>>>> tablet device, but it was never released for anyone else.
>>>>
>>>>
>>>> Any more details?
>>>>
>>>> Thanks.
>>>>
>>>> --------------------------------------
>>>> Bernard / bluboxthief / ei8fdb
>>>>
>>>> IO91XM / www.ei8fdb.org
>>>>
>>>> _______________________________________________
>>>> Guardian-dev mailing list
>>>>
>>>> Post: Guardian-dev at lists.mayfirst.org
>>>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>>>
>>>> To Unsubscribe
>>>> Send email to: Guardian-dev-unsubscribe at lists.mayfirst.org
>>>> Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/abel%40guardianproject.info
>>>>
>>>> You are subscribed as: abel at guardianproject.info
>>>>
>>>
>>> _______________________________________________
>>> Guardian-dev mailing list
>>>
>>> Post: Guardian-dev at lists.mayfirst.org
>>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>>
>>> To Unsubscribe
>>> Send email to: Guardian-dev-unsubscribe at lists.mayfirst.org
>>> Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/hans%40guardianproject.info
>>>
>>> You are subscribed as: hans at guardianproject.info
>>
>> _______________________________________________
>> Guardian-dev mailing list
>>
>> Post: Guardian-dev at lists.mayfirst.org
>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>
>> To Unsubscribe
>> Send email to: Guardian-dev-unsubscribe at lists.mayfirst.org
>> Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/josh%40vitriolix.com
>>
>> You are subscribed as: josh at vitriolix.com
>>
>> _______________________________________________
>> Guardian-dev mailing list
>>
>> Post: Guardian-dev at lists.mayfirst.org
>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>
>> To Unsubscribe
>> Send email to: Guardian-dev-unsubscribe at lists.mayfirst.org
>> Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/ei8fdb%40ei8fdb.org
>>
>> You are subscribed as: ei8fdb at ei8fdb.org
>
> - --------------------------------------
> Bernard / bluboxthief / ei8fdb
>
> IO91XM / www.ei8fdb.org
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
>
> iQEcBAEBAgAGBQJRiWpvAAoJENsz1IO7MIrrN40H/0qpIzAdtu8USBtrY25OKzWt
> gsBH3K9SVG8Cjr+YYG2XbTuduyGcpmnBROqQnxFdmifSCVEu7U5K+mTFy0zq1sf7
> rJeES8OTca6pgshIX5dPioIaljCS788b2qjEJz9FqWNxq5WD1H5BRJpaQoUO9qdE
> ohhvGf9jN9mfMoxq3eQ2kTzM/UST4aTYR/A7ydd+pATb2RX9+/QiH9hIDn582ViP
> xJBWRt0YC1w7JOQKUYIsTWG5Nj6gN4KYUj7jMtj3Uix+6RibqldqaLs9KOB+Zr60
> 8R/LNCfa6NBEN0TshymJX6sKmG7WxeEk4w51f5Ws7blyXubaBMyn5IJCNNduTzk=
> =sSyj
> -----END PGP SIGNATURE-----
> _______________________________________________
> Guardian-dev mailing list
>
> Post: Guardian-dev at lists.mayfirst.org
> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>
> To Unsubscribe
> Send email to: Guardian-dev-unsubscribe at lists.mayfirst.org
> Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/ei8fdb%40ei8fdb.org
>
> You are subscribed as: ei8fdb at ei8fdb.org
- --------------------------------------
Bernard / bluboxthief / ei8fdb
IO91XM / www.ei8fdb.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQEcBAEBAgAGBQJRiW3mAAoJENsz1IO7MIrrVAMH/iwA8zcGrMZamBULVXVFiyCf
JL9MC4KpoYR6zCkBRt2CFCKlnOMc5a/SMm2Suhabb90siUsIOqxysc3TftDuLE3w
FvU2PnhYarCwFgdWSHQI/CyWc/iZn91PGtxq1qW6XT+8qF5hMxL7OWqgVlop1tlO
FHMLpWMNOBqIE1BPkXI4kTQNJe7ErWCg8hqwoeiQCnMS+c4jugw9jh83TqcjsmJI
jacM3x+sp+0tODS16LYL6QOFhLF6yeMNycjsUI7GZSpGusGlHHaq+UmnjlZOtoKg
uWHaTq/OIXNN2/tRFSQBeMzGw1n649aLpuhA6ZHatVbVw47Bs+rcciHo/l7pg4g=
=W6us
-----END PGP SIGNATURE-----
More information about the Guardian-dev
mailing list