droidstealth / droid-stealth

THIS PROJECT IS DEPRECATED
GNU General Public License v2.0

Problem with 2 separate pins #28

Closed OlivierHokke closed 10 years ago

OlivierHokke commented 10 years ago

Problem 1: If your friends/police do know about the existence of our app, but you want to hide some data from them, but they find the app on your phone, you could give them your fake pin. However, they know that there is such a thing as a fake pin. They will then ask you "if this one is real, then show us the fake, because then we are sure that this one is real". Your response: "no I won't show you my fake, not necessary! Don't you trust me?", or something of the sort. But now it is pretty obvious that you are hiding the real data still.

Problem 2: You have hidden data on your app that you want to share with someone, but there is also other hidden data that the other person is NOT allowed to see. You'd have to be careful not to show your screen as you log in to the app and share some files.

Solution: Don't use the concept of 2 pins where 1 gives real data and number 2 is fake and gives dummy content (provided by the user). Instead give the user the ability to make multiple sets of hidden data, e.g.: porn; riots in Egypt; pictures of your marijuana farm and stacks of money in the cellar; and finally one or more dummy content sets.

Each set has its own pin and there is no direct way of finding out the existence of one of the others. Only the owner knows of them. All you have to say is: "I only have this set, which shows privately recorded porn".

But, what then to do with panic/extreme mode?

OlivierHokke commented 10 years ago

OK so an improvement to that last point, instead of getting/setting 2 pins: You get 1 pin that brings you to the fallback set when entering upon opening the app, and deletes everything (also disables extreme mode). The original pin of that fallback set is the safety pin that you can use to safely enter the app and disable panic/extreme mode.

jzvandenoever commented 10 years ago

I'm a little uncertain but does this mean you have to go out of panic mode to actually access any data then? Or just the fallback data?

OlivierHokke commented 10 years ago

Well in this case, yes. But of course we can forget about "disabling" the other sets. Meaning all sets are available, but in panic mode you just get 1 extra pin that simply deletes everything and brings you to a fallback set.

jzvandenoever commented 10 years ago

I think that would be the simplest solution. Without really losing any security.

OlivierHokke commented 10 years ago

BTW: The idea of having separate sets of hidden data can easily be accomplished by simply grouping the data by encryption pin. Upon entering pin X, you get the files locked with pin X; upon entering pin Y, you get the files locked with pin Y. Then when adding new files from your image gallery on your phone, you press share to share to our stealth app, after which you enter the encryption pin. This could be pin X, or Y, so that you add it to one of those groups, or a completely new pin, basically creating a whole new set automatically.

When getting/setting the "epic panic delete pin" (or something like that) it basically internally translates to the fallback pin, with the added functionality that the rest gets deleted.
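A sketch of the grouping-by-PIN idea and the panic PIN described in the comment above, as an added example that is not part of the thread or the droid-stealth code. The names (`Vault`, `seal`, `open_blob`, `set_panic_pin`), the PBKDF2 parameters and the SHA-256 keystream (standing in for a real authenticated cipher such as AES-GCM) are assumptions.

```python
import hashlib, hmac, os

ROUNDS = 20_000  # PBKDF2 rounds (assumption; low so the demo runs quickly)

def _keys(pin, salt):
    # Derive separate encryption and MAC keys from the PIN and a per-file salt.
    okm = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ROUNDS, dklen=64)
    return okm[:32], okm[32:]

def _xor(key, data):
    # SHA-256 counter keystream: a stdlib stand-in for a real AEAD such as AES-GCM.
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(pin, plaintext):
    salt = os.urandom(16)
    enc, mac = _keys(pin, salt)
    ct = _xor(enc, plaintext)
    return salt, ct, hmac.new(mac, ct, "sha256").digest()

def open_blob(pin, blob):
    # Returns the plaintext, or None when the blob belongs to another PIN.
    salt, ct, tag = blob
    enc, mac = _keys(pin, salt)
    if not hmac.compare_digest(tag, hmac.new(mac, ct, "sha256").digest()):
        return None
    return _xor(enc, ct)

class Vault:
    def __init__(self):
        self.blobs = []     # stored files: no PIN, set name or set count on disk
        self.panic = None   # fallback PIN sealed under the panic PIN, if enabled

    def add(self, pin, plaintext):
        self.blobs.append(seal(pin, plaintext))   # a new PIN creates a new set

    def set_panic_pin(self, panic_pin, fallback_pin):
        self.panic = seal(panic_pin, fallback_pin.encode())

    def unlock(self, pin):
        fallback = open_blob(pin, self.panic) if self.panic else None
        if fallback is not None:                  # panic PIN entered
            pin = fallback.decode()               # translate to the fallback PIN
            self.blobs = [b for b in self.blobs if open_blob(pin, b) is not None]
        return [p for p in (open_blob(pin, b) for b in self.blobs) if p is not None]
```

An unknown PIN and a PIN with no files look the same here, which is what keeps one set from revealing another, but the total number of blobs stays visible on disk. A short numeric PIN can also be guessed offline by anyone who copies the blobs, so the key-derivation cost and any attempt counter only slow down guessing done through the app.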

OlivierHokke commented 10 years ago

But, what is then the point of panic mode? Can't we just always have the possibility of a fallback pin that deletes everything? You'd just have to enable the feature so you can set the pin, but that's all. So there is no concept of "modes", just the feature of adding a delete pin.

jzvandenoever commented 10 years ago

Because that means you have yet another pin to remember. Instead of just remembering the fallback pin.

Secondly the sets stuff.... why not use folders in our content manager? Using folders you can stop folks from seeing everything. I mean just share specific folders and it's really not that hard to limit the view of your screen before sharing.

Just wondering if we're not adding a lot of complexity with this for something that might not be needed.

OlivierHokke commented 10 years ago

Folders could add complexity with simplicity (as in, nice to organize stuff, but needs extra buttons for creating/deleting/editing folders and moving files). With the grouping idea you have no extra buttons at all.

Plus if you enter your pin and someone steals your phone when logged in, he has access to all.

jzvandenoever commented 10 years ago

What do you mean add complexity with simplicity?

And if someone steals your phone I hope it is locked. Which should most likely mean our app is closed. We don't want it to be open when it isn't being used. Move out of the app? It closes. Because it won't be in the recent apps list. Don't want it showing in the running apps list either.

OlivierHokke commented 10 years ago

I meant: simplicity, as in: you organize your files which makes it easy to find your files. complexity, as in: needs extra buttons and interfaces for creating/deleting/editing folders and moving files, also requires much more user interaction.

Leaving out these extra buttons makes the app much simpler. Less buttons = yaay, we'd only have those of core functionality.

EDIT: if you are entering the app and after entering your pin your phone gets stolen as someone was watching you and waiting for you to enter the pin, you are screwed, because he steals the phone while it is logged in. Also, he was watching, so he could have read the pin when it was entered anyway. (or perhaps it's your friend that is actually an a**hole and just wants to screw you by checking all your other files after you logged in and gives back the phone afterwards). Having sets simply makes your other files slightly safer.

Then to prevent the dude that stole your phone from using brute force or something else in order to get your other sets: 10 failed pin attempts = everything gets deleted. (can be enabled in settings?)

OlivierHokke commented 10 years ago

Ok, so, if an extra pin is a problem, we could also allow the user to set the fallback set to be a 'detonating' set: upon entering the fallback set next time, everything gets deleted.

So user has 3 options:

One could disable the "detonating fallback set" by changing this above setting in the settings from any other set.

OlivierHokke commented 10 years ago

I must say, I personally love the grouping of hidden data by PIN, it's simple, elegant, easy to understand, more secure and useful.

To summarize:

Simple: No need for extra buttons and interfaces for creating/deleting/editing folders and moving files. Only one button needed at most: "change pin" in order to move files over to other groups (requires decryption of file with old pin and encryption with new pin).

Easy to understand: As long as we make clear that a gallery is showing all files of that pin, the user will understand they can create multiple "sets". For clarity we can indicate this in the tutorial: "When entering the app with a PIN, only the files that are encrypted with that pin are shown. Thus, one could create different sets of hidden data by using a different pin for each group."

More secure: If one set is compromised (for instance, someone grabs your phone while you were logged in with a pin, or someone figures out your pin), the rest is still secure. One could even create a pin for each separate file if necessary. (You'd have to use some trick in order to remember all pins, but if you want this, you can do it.)

Elegant & Useful: See above. It's simple, powerful, allows flexibility and adds security.

jzvandenoever commented 10 years ago

So after the discussion with experts we kind of came to the conclusion of not grouping data by pins, right? Because unless I am remembering that wrong, we can close this issue.