arcbit / arcbit-ios

arcbit - iOS bitcoin wallet http://arcbit.io

Tor & Encryption #1

Open eragmus opened 9 years ago

eragmus commented 9 years ago

Hi, I'd posted an issue with Breadwallet about the following, as well as separately let Airbitz know, so I thought I'd also mention it to ArcBit, since you are upping the ante!

First, has there been any work or thinking done on Tor for ArcBit (iOS)? I've noticed a Tor implementation by a single app on iOS (ChatSecure), which allegedly supports Tor right now.

ChatSecure, as of version 3.0 on Jan. 5, 2015, has had Tor support. See here: https://chatsecure.org/blog/chatsecure-ios-v3-released/

"Right now (to my knowledge) we are the only messaging app on the App Store that supports Tor. Although the current implementation appears to be functional, please only use it for testing purposes until it has been studied further by security professionals. In other words, do not rely on it for strong anonymity, and use something like TAILS instead.

During our journey to add Tor support, we first tried to extract the Tor management code from Mike Tigas’s Onion Browser, but discovered it was too tightly coupled with the rest of the app. We also investigated Tor.framework by Hive Wallet but it required some awkward patching of the Tor source code, and has since been deprecated by the original developers. Eventually we discovered Claudiu-Vlad Ursache’s CPAProxy, a more modern attempt at a thin Objective-C wrapper around Tor’s control port. Although it is currently missing a few features like customizable bridges and pluggable transports (and a security audit), I would encourage other developers who are interested in adding Tor support to their iOS apps to help us improve CPAProxy."

Relevant links:

Downsides of Tor support in ArcBit:


Second, on another note, how does ArcBit encrypt its data, if at all, or does it only rely on iPhone's encrypted storage?

I ask because of ChatSecure's notes on 'encrypted storage', where they say:

When ChatSecure iOS v2.0 was released over a year ago, it contained a major overhaul of the internal data model to support Core Data, Apple’s solution for data persistence. We originally planned on utilizing the MITRE Corporation’s encrypted-core-data project, which adds a customized NSPersistentStoreCoordinator backed by Zetetic’s SQLCipher. Unfortunately working with Core Data can be terribly frustrating, especially when you cannot debug its closed-source internals.

Fortunately we discovered YapDatabase by Robbie Hanson, an Objective-C key-value-collection store built on top of sqlite. It has all sorts of nice features like a coherent concurrency model, fast full text search, easy binding to UITableView, and more. If you develop iOS apps, I strongly encourage you to check it out, especially in conjunction with something like Mantle. Because it is built on top of sqlite, it was relatively straightforward for us to add SQLCipher support (use the YapDatabase/SQLCipher Cocoapods subspec).

"all content is locally encrypted in a SQLCipher database"

Can, or should, the same approach be used to 'better' encrypt ArcBit data on iOS?

stequald commented 9 years ago

I would really like to add Tor support to ArcBit, but as mentioned above there isn't yet a perfect solution to easily integrate Tor into iOS apps. I would only be willing to integrate Tor if there is an official high level Tor library for iOS where I can simply drag and drop into ArcBit and use easily with high confidence of its security.

There is no syncing of wallet data in ArcBit. All your private keys are stored on your device and they do not leave ArcBit (unless you choose to use iCloud). You can check what data gets sent over the network by looking in the APIs folder of ArcBit.

ArcBit uses the RNCryptor library to handle the encryption of the wallet data before storing it in the iPhone file system. In addition, ArcBit also stores your BIP39 passphrase in the iPhone keychain.
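The reply above names the two pieces (RNCryptor for the wallet file, the iOS Keychain for the BIP39 passphrase) without showing how they fit together. The following Swift sketch is an added example of that pattern; it is not ArcBit's code. It assumes the RNCryptor Swift API (`RNCryptor.encrypt(data:withPassword:)` and `RNCryptor.decrypt(data:withPassword:)`); the Keychain service name, the error type and the file-protection option are choices made here for illustration.

```swift
import Foundation
import Security
import RNCryptor   // https://github.com/RNCryptor/RNCryptor (pod or Swift package)

// Added example, not ArcBit's own code. Service name below is a placeholder.
private let keychainService = "com.example.wallet.bip39"

enum WalletStoreError: Error {
    case keychainStatus(OSStatus)
    case notFound
}

/// Persist the BIP39 passphrase in the Keychain, bound to this device.
/// kSecAttrAccessibleWhenUnlockedThisDeviceOnly keeps the item out of iCloud
/// Keychain and out of restores onto a different device.
func storePassphrase(_ passphrase: String, account: String) throws {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: account,
    ]
    // Remove any previous item so the call is idempotent.
    SecItemDelete(query as CFDictionary)

    var attrs = query
    attrs[kSecValueData as String] = Data(passphrase.utf8)
    attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == errSecSuccess else { throw WalletStoreError.keychainStatus(status) }
}

/// Read the passphrase back; distinguishes "not stored" from other Keychain failures.
func loadPassphrase(account: String) throws -> String {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: AnyObject?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status != errSecItemNotFound else { throw WalletStoreError.notFound }
    guard status == errSecSuccess,
          let data = result as? Data,
          let passphrase = String(data: data, encoding: .utf8) else {
        throw WalletStoreError.keychainStatus(status)
    }
    return passphrase
}

/// Encrypt the serialized wallet with RNCryptor before it reaches the file system.
/// RNCryptor derives separate AES-256 and HMAC-SHA256 keys from the password with
/// PBKDF2 and authenticates the whole container, so a modified file fails to decrypt
/// instead of yielding garbage.
func writeEncryptedWallet(_ walletJSON: Data, password: String, to url: URL) throws {
    let container = RNCryptor.encrypt(data: walletJSON, withPassword: password)
    // completeFileProtection: the file is additionally unreadable while the device is locked.
    try container.write(to: url, options: [.atomic, .completeFileProtection])
}

/// Decrypt and verify; throws RNCryptor.Error.hmacMismatch on tampering and
/// RNCryptor.Error.unknownHeader if the file is not an RNCryptor container.
func readEncryptedWallet(password: String, from url: URL) throws -> Data {
    let container = try Data(contentsOf: url)
    return try RNCryptor.decrypt(data: container, withPassword: password)
}
```

Two practical notes on this layout: the ThisDeviceOnly accessibility class means the passphrase is not carried to a new phone by any backup, so the user's written BIP39 mnemonic is the only recovery path; and because RNCryptor checks the HMAC before returning plaintext, callers should treat a decrypt error as "file altered or wrong password" and not attempt to parse partial output.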

eragmus commented 9 years ago

Got it, thanks for the response. (sorry, I read the reply ages ago, but forgot to acknowledge it!)