Secure Storage and Transmission
As part of the Security by Design mandate, StoryMaker will implement secure storage and transmission of media created and processed within the application. The threat model assumes the device could be physically compromised as well as compromised remotely through the network or a malicious application.
Secure Storage
To ensure the security of the media at rest, StoryMaker will utilize the Guardian Project's IOCipher library, which provides a private encrypted store for media. When activated, the secure storage location must be unlocked with a password. [Impl detail: This will likely occur when the user logs into the app upon boot]
It should be noted that not ALL media can be securely stored. Media created with other camera/recorder applications will surely be placed insecurely on the sdcard. When processing this media, StoryMaker will move it to its private secure storage location, but since that media has already been written to the sdcard, some traces will always remain for a determined forensic analyst.
As media-creating applications (cameras, audio recorders, etc.) that store media securely by default become available, users should be encouraged to use these tools.
The highest level of security cannot be achieved within StoryMaker alone. For maximum security it is highly recommended that the device use Full Disk Encryption (FDE) and a strong password/PIN screen lock. FDE is the last line of defense: if FDE is enabled and the password is sufficiently strong, a simple battery pull will render the contents of the phone inaccessible (except through the unfortunate application of rubber-hose cryptanalysis or legal coercion).
Eventually we hope to support emergency secure wiping, but that is not planned for the initial release.
Secure Transmission
Once the media is processed and rendered out to a file, the user must be able to securely upload the file to a remote media hosting service.
There will likely be non-secure methods of exporting the media from StoryMaker, for example by saving it to the sdcard or uploading to Facebook or YouTube. These alternative methods may or may not be secure. The discussion in this section only refers to transmission to the official StoryMaker web platform. [Users should probably be aware of this, or we should disable non-secure export (kind of a PITA)]
The transmission mechanism will rely on several layers to achieve the four desirable properties: confidentiality, integrity, anonymity (optional), and censorship circumvention (optional).
The first layer will be an enforced strong TLS (HTTPS) connection to the web platform. This will ensure confidential (encrypted) and authenticated (only to bona fide servers) transmissions. Non-TLS (cleartext) connections to the platform will be rejected. The web platform server will have a proper CA-signed certificate that will be pinned inside the StoryMaker application. This protects against CA compromises (à la DigiNotar and Comodo) issuing "valid" certificates that would let an adversary MITM transmission traffic. The TLS negotiation will fail closed if an invalid certificate is encountered, that is, the user will NOT be able to bypass certificate errors manually. This strong TLS support will be provided by Guardian Project's Onionkit.
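As an added example (not Onionkit or StoryMaker code), the Python sketch below shows the fail-closed behaviour described above: a hardened TLS context (CA validation, hostname check, TLS 1.2 or newer, no cleartext fallback) plus a leaf-certificate pin that closes the connection on mismatch with no user override. The pin values and the DER bytes are constructed placeholders, and the class and function names are hypothetical.

```python
"""Fail-closed certificate pinning (added example, not StoryMaker/Onionkit code).

Pins are SHA-256 digests of the server's DER-encoded leaf certificate. The values
below are constructed placeholders, not the StoryMaker platform's real pins.
"""
import hashlib
import hmac
import http.client
import ssl

# Hypothetical pin set: the current certificate plus a backup pin for rotation.
PINNED_SHA256 = {
    "sha256/" + hashlib.sha256(b"constructed-der-of-current-cert").hexdigest(),
    "sha256/" + hashlib.sha256(b"constructed-der-of-backup-cert").hexdigest(),
}


class PinMismatch(ssl.SSLError):
    """Raised when the presented certificate matches no pin; the UI never offers a bypass."""


def cert_fingerprint(der_cert: bytes) -> str:
    """Digest of the DER leaf certificate in the same form as the pin set."""
    return "sha256/" + hashlib.sha256(der_cert).hexdigest()


def verify_pin(der_cert: bytes, pins: set[str]) -> bool:
    """True only if the certificate digest matches a pinned value (constant-time compare)."""
    fp = cert_fingerprint(der_cert)
    return any(hmac.compare_digest(fp, pin) for pin in pins)


def strict_context() -> ssl.SSLContext:
    """TLS only: CA chain validation, hostname check, and TLS >= 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


class PinnedHTTPSConnection(http.client.HTTPSConnection):
    """HTTPSConnection that drops the socket unless the leaf certificate matches a pin."""

    def __init__(self, host: str, pins: set[str], **kwargs):
        super().__init__(host, context=strict_context(), **kwargs)
        self._pins = pins

    def connect(self) -> None:
        super().connect()  # CA chain and hostname are already validated at this point
        der = self.sock.getpeercert(binary_form=True)
        if not verify_pin(der, self._pins):
            self.close()  # fail closed: no manual override, no retry without the pin
            raise PinMismatch(f"certificate {cert_fingerprint(der)} not in pin set")
```

A pin mismatch surfaces as an exception the caller must treat as a hard failure, which is the behaviour the platform requires rather than a dismissible warning.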
The second layer will provide optional anonymity and/or censorship circumvention. The most straightforward use case here will be using the OrbotHelper features in Onionkit to force all transmissions through the Tor network. However, more advanced use cases will be supported through other proxy or VPN services that provide censorship circumvention but not strong anonymity. For the Tor use case, there will be an option in StoryMaker preferences that allows the user to require Tor for all network communications. Additional proxy/VPN settings have not yet been designed and likely will not make it into the initial version.
[Impl Detail: we should allow Tor option at registration+login screen]
Fundamental Limitations
There are fundamental security limitations in the mobile environment, especially on Android, that must be made explicit. If an adversary gains physical access to the device while it is powered on, most bets are off. Additionally, a rooted phone poses a crucial security risk, as all security precautions StoryMaker takes assume the integrity of the Android Security Model, which is thrown out the window once apps are allowed root access.
With these in mind, the following guidelines should be adhered to:
1. Do not root the phone
2. Use FDE with a STRONG password
3. Disable 3rd-party apps
4. Disable USB debugging

(3) and (4) can be temporarily enabled to install necessary applications or perform debugging functions, but should be DISABLED immediately after use.