element-hq / riot-android

A glossy Matrix collaboration client for Android
Apache License 2.0

Feature request: App password and encrypted database #746

Open ghost opened 7 years ago

ghost commented 7 years ago

Evaluate whether it makes sense to provide the option for users to secure the app with a password and to encrypt on-disk data with SQLCipher (https://guardianproject.info/code/sqlcipher/).

This could be useful for people who sometimes hand their phone to others but do not want them to have access to Riot, for people who do not have device disk-encryption enabled and want to protect Riot against forensic analysis, and for everyone in the light of the fact that Android disk encryption seems to have major weaknesses (https://twitter.com/matthew_d_green/status/801053866917765121).

Signal and Briar have similar features, so if Riot wants to appeal to their user demographics, it could be a plus. One could also look at these apps to see how they deal with receiving events in the background while the app is locked.

If implemented, it perhaps would make sense to make it configurable for how long the password unlocks the app before it has to be entered again.

sladewin commented 7 years ago

I agree and would argue that this is more important than a P3 enhancement.

There are currently several unfortunate side effects of using "Sign Out" followed by "Log In" to lock or protect the app. This process negates the E2E keys and generates a new Device ID each time. A new Device then requires reverification by all interested parties. Additionally, if the E2E keys are not imported/exported properly each time then encrypted messages become unreadable and you may be locked out of private rooms.

If a locking system and encrypted storage were implemented then it would provide the following:

  1. reduce the need for creation of new devices
  2. provide a viable alternative to importing/exporting E2E keys to local files
  3. provide an additional security layer for the messages and messaging app.
  4. Provide a secure store for use within the app

The lack of app locking is the only reason that I have not switched full-time to Riot.

As a further consideration I would ask that careful thought be given to separating any lock password from a signal account password. If the password across the two is shared or reused then aside from an obvious local attack vector, a change of account password would complicate/prevent access to the local crypto store.

Thanks, Slade.
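One way to realise the separation Slade asks for, as an added illustration rather than riot-android code: a random SQLCipher key is wrapped under a key derived only from the app-lock PIN, so the Matrix account password never touches the local store and a PIN change re-wraps 32 bytes instead of re-encrypting the database. It assumes the SQLCipher for Android library (net.sqlcipher), API level 26+ for PBKDF2WithHmacSHA256, and the class, file name and iteration count are made up for the example.

```java
// Added illustration, not riot-android code: wrap a random SQLCipher key under a key derived
// from the app-lock PIN, so the lock is independent of the Matrix account password.
// Assumes SQLCipher for Android (net.sqlcipher) is on the classpath and API level 26+.
import android.content.Context;
import java.io.File;
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import net.sqlcipher.database.SQLiteDatabase;
public final class AppLockStore {
    private static final int PBKDF2_ITERATIONS = 100_000; // assumed tuning value
    private static final SecureRandom RNG = new SecureRandom();
    // Returns salt || iv || AES-GCM(dbKey). Persist this blob; the PIN itself is never stored.
    // Changing the PIN means re-wrapping these 32 bytes, not re-encrypting the database.
    public static byte[] wrapDbKey(char[] pin, byte[] dbKey) throws Exception {
        byte[] salt = new byte[16], iv = new byte[12];
        RNG.nextBytes(salt); RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKek(pin, salt), new GCMParameterSpec(128, iv));
        return ByteBuffer.allocate(28 + dbKey.length + 16).put(salt).put(iv).put(c.doFinal(dbKey)).array();
    }
    // Recovers the database key; a wrong PIN fails the GCM tag check (AEADBadTagException).
    public static byte[] unwrapDbKey(char[] pin, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKek(pin, Arrays.copyOfRange(blob, 0, 16)),
                new GCMParameterSpec(128, Arrays.copyOfRange(blob, 16, 28)));
        return c.doFinal(blob, 28, blob.length - 28);
    }
    // Opens the store with the raw 32-byte key in SQLCipher's x'hex' form (no passphrase KDF).
    public static SQLiteDatabase open(Context ctx, byte[] dbKey) {
        SQLiteDatabase.loadLibs(ctx);
        StringBuilder hex = new StringBuilder("x'");
        for (byte b : dbKey) hex.append(String.format("%02x", b));
        File db = new File(ctx.getFilesDir(), "riot-store.db"); // assumed file name
        return SQLiteDatabase.openOrCreateDatabase(db, hex.append('\'').toString(), null);
    }
    private static SecretKeySpec deriveKek(char[] pin, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pin, salt, PBKDF2_ITERATIONS, 256);
        byte[] kek = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(kek, "AES");
    }
}
```

The unlock timeout suggested in the opening post then reduces to caching the unwrapped key in memory and zeroing it when the configured interval elapses, so the PIN prompt is the only way to get it back.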

zqad commented 6 years ago

+1 from me for this feature in general. In regard to "receiving events in the background while the app is locked", Signal seems to be receiving events just as normal, but does not decrypt (or at least does not show the decrypted content of) the messages. The notifications just say "Locked message", which seems like a reasonable approach to me for Riot as well.

I added a bounty for this issue on Bountysource, in case others are as interested as me in getting this feature: https://www.bountysource.com/issues/39506656-feature-request-app-password-and-encrypted-database

eX00r commented 6 years ago

+1

ara4n commented 5 years ago

some refinements to this could include:

r4dh4l commented 5 years ago

> some refinements to this could include:
>
> * supporting multiple PINs. one could be a 'panic code' which vapes your account; another could be a dummy PIN which only shows non-sensitive rooms.

Or even better: "plausible deniability" that shows rooms with fake conversations generated by bots?! This would be something really unique as far as I know.

> * you could conceivably hook up your phone to take photos of people who enter wrong pins and send them to a Matrix room for maximum paranoia against evil maids.

Well, nice idea but if I understood it right (the phone takes a photo automatically) please consider special data privacy laws which prohibit such options in some countries. Usage of https://guardianproject.github.io/haven/ for example would be a problem in countries like Germany.

tnyeanderson commented 5 years ago

In addition to a password/PIN unlock, there should definitely be an option to unlock with fingerprint as well per #2219