PanicKit
PanicKit is a collection of tools for letting panic trigger and panic responder apps safely and easily connect to each other. The trigger apps are the part that the user will actually engage with when in a panic situation. The responder apps initiate an action when they have received a trigger signal from a trigger app.
Core Concepts
- non-destructive vs destructive responses
- app should have a default response
- default responses should be non-destructive
- users send the panic with a "trigger" app
- "responder" apps receive the trigger message and do something in response
- the user must opt in to destructive responses via "connecting" a trigger and response app
- the trigger method can include things like a text message, email addresses, phone numbers, etc. which a panic receiver app can use to send the message.
- responder apps should do something without any configuration, but that default response can be limited to trusted trigger apps
- the trigger app can ignore any given responder
- a responder app can ignore all triggers
Pairing Arrangements
Since this is an Android-specific framework, it builds upon core ideas of the Android OS, like Intent, Activity, and Service. The panic trigger message is an Intent that can be sent to either an Activity or a Service.
Technical Details
- the Service must be an IntentService or started with startService(Intent) in order to receive the panic trigger Intent
Assumptions
- every panic receiver must accept ACTION_TRIGGER Intents as the trigger
- each app has only one Activity that receives ACTION_TRIGGER
- each app has only one Activity that receives ACTION_CONNECT
- each app has only one Activity that receives ACTION_DISCONNECT
- the panic trigger app sends ACTION_CONNECT, ACTION_DISCONNECT, and ACTION_TRIGGER to the panic receiver
- the panic receiver app sends ACTION_CONNECT and ACTION_DISCONNECT to the panic trigger
- only the user can trigger ACTION_CONNECT to be sent
- the Activity that accepts ACTION_CONNECT will TOFU-trust the app that sent the Intent based on the user's OK
- the Activity that sends ACTION_CONNECT will TOFU-trust the receiver, if it replies with Activity.RESULT_OK
- ACTION_TRIGGER will only be sent to trusted receivers (either pinned or TOFUed)
- ACTION_TRIGGER will only be accepted from trusted senders (either pinned or TOFUed)
- either panic trigger or receiver can send ACTION_DISCONNECT at any time
- receiving ACTION_DISCONNECT does not result in user interaction
- a panic trigger app can send ACTION_TRIGGER to zero or more apps
- a panic receiver app can receive ACTION_TRIGGER from a single app
- one user panic button press can send multiple trigger events
UX patterns
Configuration
- the config screen has two final actions: 1) confirm changes 2) cancel changes
- when disconnected, clicking confirm creates the connection
- when disconnected, clicking cancel makes no connection
- when already connected, clicking confirm will change the settings and keep the connection
- when already connected, clicking cancel will discard changes to the settings but keep the connection
Trust modes
It is possible to require strict checking of panic senders and receivers. For example, a panic trigger message might include a private message, the location, and a list of trusted contacts. This is sensitive information, so the trigger app should only send it to apps that the user has allowed to receive it. Also, many panic responses include destroying data or sending messages to trusted contacts. These actions must require the user to opt in, granting a specific trigger app the privilege to trigger those sensitive responses.
The enhanced trust relationship between trigger and responder can take two forms:
Trust-On-First-Use (TOFU) App
A user goes into the settings of either a panic trigger or receiver, and configures which apps to connect to. In this process, the apps remember the other apps they are each connected to, and base their trusted sending on that initial connection.
Pinned Trusted App
Using trusted pinning methods like the APK signing key, a panic trigger and panic receiver can automatically configure themselves to connect to all installed apps that are signed by a given key. This gives a panic setup with zero configuration. For example, Courier Reader could automatically connect to Amnesty Panic Button based on signing key.
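As an added example (not PanicKit's own code, and not using its helper classes), here is how a responder Activity could enforce the assumptions above and the two trust modes with plain Android APIs: the non-destructive default runs for any sender, while the destructive response runs only when the caller's signing certificate is either pinned or was TOFU-recorded at connect time. The action string, the pinned hash, the preference store name and the two response methods are assumed placeholders.

```java
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.Bundle;
import java.security.MessageDigest;

// Responder side: default response for everyone, destructive response only for trusted triggers.
public class PanicResponderActivity extends Activity {
    // Assumed placeholder; PanicKit defines the real ACTION_TRIGGER value.
    static final String ACTION_TRIGGER = "example.panic.action.TRIGGER";
    // Assumed placeholder: hex SHA-256 of the signing certificate of a trigger app pinned at build time.
    static final String PINNED_SIGNER_SHA256 = "<hex sha-256 of pinned signing certificate>";
    // Assumed TOFU store, written by the ACTION_CONNECT Activity: trigger package name -> cert hash.
    static final String TOFU_PREFS = "panic_trust";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();
        if (intent == null || !ACTION_TRIGGER.equals(intent.getAction())) { finish(); return; }
        // getCallingActivity() is set by the OS when the trigger used startActivityForResult();
        // it is the identity to trust, not anything carried in the Intent extras.
        ComponentName caller = getCallingActivity();
        String sender = (caller == null) ? null : caller.getPackageName();
        String certHash = (sender == null) ? null : signerSha256(sender);
        boolean pinned = certHash != null && certHash.equalsIgnoreCase(PINNED_SIGNER_SHA256);
        boolean tofu = certHash != null && certHash.equalsIgnoreCase(
                getSharedPreferences(TOFU_PREFS, MODE_PRIVATE).getString(sender, null));
        runNonDestructiveResponse();                   // default: safe even for an unknown sender
        if (pinned || tofu) runDestructiveResponse();  // opt-in only, via a connected trigger app
        finish();
    }

    // Trust follows the signing key, not the package name, which any app can claim.
    private String signerSha256(String pkg) {
        try {
            // GET_SIGNATURES is deprecated since API 28 (GET_SIGNING_CERTIFICATES replaces it) but still works.
            PackageInfo pi = getPackageManager().getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
            if (pi.signatures == null || pi.signatures.length != 1) return null; // reject multi-signer APKs
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(pi.signatures[0].toByteArray());
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (Exception e) {
            return null; // unknown package or hashing failure: treat as untrusted
        }
    }

    private void runNonDestructiveResponse() { /* placeholder, e.g. lock the app's screen */ }
    private void runDestructiveResponse() { /* placeholder, e.g. wipe app data */ }
}
```

The ACTION_CONNECT Activity would populate the TOFU store with the same signerSha256() value after the user's OK, so a later trigger from a re-signed app under the same package name is rejected.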