sandstorm-io / sandstorm

Sandstorm is a self-hostable web productivity suite. It's implemented as a security-hardened web app package manager.
https://sandstorm.io

Implement support for PanicKit/receiving panic alerts and reacting #2220

Open jacksingleton opened 8 years ago

jacksingleton commented 8 years ago

Panic Button (https://panicbutton.io/) is a neat project to trigger a number of actions when someone finds themselves in trouble.

The basic use case is immediately sending a message to a few other people letting them know you're in danger.

Recently, they've been adding integrations with other apps and services in order to, for example, immediately invalidate all sessions, lock, or even delete an entire account (https://dev.guardianproject.info/projects/panic/wiki/PanicKit)

Obviously, Panic Button and Sandstorm should integrate :)

paulproteus commented 8 years ago

The thing seems cool! I read through https://dev.guardianproject.info/projects/panic/wiki/PanicKit and it talks about an Android app, so I'm a little confused though.

As I understand it, the flow is:

Is that the right idea? Let me know what I'm missing.

jacksingleton commented 8 years ago

Hmm I was imagining that for now Panic Button would (attempt to) make an http call to an api offered by a Sandstorm instance, but I don't actually see that documented.

@jmatsushita -- is an http api something you've thought about?

Apart from my imagination, @paulproteus, yeah it looks like this might have to wait until there is a Sandstorm Android app.

Hillside502 commented 8 years ago

Panic Button needs to get its act together regarding security.

The website:- Panic Button https://panicbutton.io/

"achieves" the FAIL grade at Qualys:-

SSL Server Test: panicbutton.io (Powered by Qualys SSL Labs) https://www.ssllabs.com/ssltest/analyze.html?d=panicbutton.io

Hillside502 commented 8 years ago

Further to the above, https://panicbutton.io/ has a link to https://iilab.org/ also a FAILURE:-

SSL Server Test: iilab.org (Powered by Qualys SSL Labs) https://www.ssllabs.com/ssltest/analyze.html?d=iilab.org

IMHO, the dealbreaker is the following from Panic Button:-

You should be able to use Panic Button from Android Gingerbread (2.3.3) to KitKat (4.4.2)

Panic Button (Beta) – Android Apps on Google Play https://play.google.com/store/apps/details?id=org.iilab.pb

shows that the app has not been updated since 20 April 2015

All in all, a potential timewaster!

jmatsushita commented 8 years ago

Oops... Looking into the SSL problem now.

With regards to activity, there are newer APKs in flight in an Alpha group on the playstore. Let me know if you'd like to access it. There's also some work in branches that haven't been merged, including an untested Android 6.0 version that deals with the new runtime permission system.

We are a tiny team with very little capacity. Maybe we can graduate from timewaster to needs help?

Will get back to the http api question once SSL is dealt with.

paulproteus commented 8 years ago

Hi @Hillside502 and thanks for joining this discussion! I would like it if, on this ticket tracker, we could all stay optimistic and reach out to communities that are working in good faith to create useful software, so that we can all stay motivated. By contrast, when I see your comment use the word "timewaster", I read it as dismissing the work that the Panic Button team has put into building this piece of open source security software and giving it away for free to the world.

I did take some time to investigate the technical issues you raised.

For the Android version issue: I checked the Play Store and it told me it was compatible with my Nexus 5X, which runs the latest version of Android. Therefore, it seems that the "Android Gingerbread (2.3.3) to KitKat (4.4.2)" is a documentation bug rather than a dealbreaker. Similarly, the fact that there isn't a new version published in the last year doesn't bother me if it's useful software.

For the HTTPS issue: it's indeed a real issue. I figured I should report it to them, so I went to the Panic Button website and found a contact email address and sent them a note, to which they responded within less than an hour. I'm now fairly impressed with the team's responsiveness once issues are brought to their attention.

Thanks @jmatsushita for commenting here as well! I'm grateful that you'll look into the HTTPS issue and I'm looking forward to further conversation. And @Hillside502 I'm indeed happy to have you in the conversation as well - thanks for reporting these issues and I'm hopeful we can see them resolved.

Hillside502 commented 8 years ago

@paulproteus is right about the "documentation bug" as, looking on Play Store at my 8 Android devices, just the WiFi only and the pre-2.3.3 are incompatible --- a 6.0.1 device is compatible.

Very pleased that BOTH @jmatsushita and @paulproteus prioritize the HTTPS issues.

@paulproteus Point taken as regards "stay optimistic and reach out ... we can all stay motivated" --- looking forward to helping, where I can, in a more encouraging way!

jmatsushita commented 8 years ago

@paulproteus Thanks a lot for reaching out and your kind words. I was tagged in the github issue but it flew under my radar.

We really want to publish some of the code that's not yet released but we are missing a product manager that can help us ship the new releases in a professional way. We have a community of users that are in developing countries and we need to have due diligence in how we release new features (particularly those that change the trigger mechanism).

Yes, indeed. There is a documentation bug. But if you're using Android 6 with your Nexus 5X then the app won't work properly because of the runtime permissions problem. https://github.com/PanicInitiative/PanicButton/issues/203

New shiny A+ on the iilab.org site (the panicbutton only gets an A but I'll bump it up when I move it to our new infrastructure).

With regards to the HTTP API. We have made a conscious decision to not request internet access permissions to reduce the attack surface.

What I mentioned to @jacksingleton is the great work of @eighthave with panic kit which opens up the following possibilities:

Note that the PanicKit integration work also hasn't been merged or released yet for the reasons explained above.

If you're interested in the PanicKit work then do spread the word, as more apps could be able to react in a smart way to a panic state notified by the user. There are some great usability challenges (harmonising the UX throughout the different apps) as well as potentially great new work to be done with different levels of alertness or panic (the first 5 presses of the button might set the level to "aware" which would trigger a number of non-destructive events like logging out, while a further "5 presses and maybe a confirmation press" could send out a sequence of more destructive events like wiping sensitive data and deleting or locking accounts).

Just a final note to say that I really appreciate the feedback, even when it's showing tough love :) We do have a responsibility to our users and I take these issues very seriously. Any further help and feedback is much appreciated.

ocdtrekkie commented 8 years ago

As a spectator: F to A+ in nine hours is some pretty good response. :)

eighthave commented 8 years ago

One quick way to hook up PanicKit apps to sandstorm's server is to make a really tiny Android app that receives the standard PanicKit trigger, then makes the required HTTP calls to trigger the panic response.

To follow up on what @jmatsushita said, PanicButton is just one of the PanicKit apps. PanicButton and Ripple are both "trigger" apps, they send out the panic as a trigger message to all apps that are set up to receive panic triggers. Then each app handles the panic event as is appropriate. For example, Silence/SMSSecure and ChatSecure both lock and shutdown when they receive it.

eighthave commented 8 years ago

If you give me Android/Java code for calling the Sandstorm API in the way that it should for a panic event, I'll turn that into a demo app for you. It would take me no more than an hour or two.

ocdtrekkie commented 4 years ago

Closing since PanicButton died in 2017: https://iilab.org/news/2017-09-02-panic-button-retiring-the-app.html and the Google Play app and website are gone.

eighthave commented 4 years ago

iilab's Panic Button is no more, but Panic Kit and the apps that implement it are still going strong. Here's a panic trigger app: https://play.google.com/store/apps/details?id=info.guardianproject.ripple

And here's the full docs: http://guardianproject.info/code/panickit

ocdtrekkie commented 4 years ago

@eighthave I guess my question is, is this a service people are actively interested in using with Sandstorm? I know that as a selfhosted alternative to traditional cloud providers like Microsoft, Google, etc. we offer a compelling alternative for groups worried about prosecution by hostile governments.

Are there a lot of apps implementing PanicKit responder support? (https://dev.guardianproject.info/news/271/ seems to be the relatively light answer at the moment.) I notice that while the F-Droid version is updated, the Play Store version has languished at a 2016 version. And of course, the entire standard is built around being Android-only.

Assuming there was a Sandstorm app on Android (there isn't) or some quick shim of sorts for a Sandstorm app, so that Ripple could trigger it, what would Sandstorm do with a panic instruction? Delete a given user's account? Delete a given server? If the goal is just to cut off access to a Sandstorm server for an account, it might be easier: Since all Sandstorm accounts use either an email, GitHub, or Google account, disabling those accounts should disable access to Sandstorm as well.

Presumably even once we find a way to send a panic alert to Sandstorm, either individual Sandstorm apps would need to add features to respond to panics or Sandstorm would need to build a way to respond to panics, both of which are likely a lot of engineering. And of course, the big change since this issue was originally opened is that Sandstorm-the-company ran out of money, so engineering resources are pretty thin around here.

I will reopen this and rename it to something that isn't gone, though I am very skeptical about the likelihood of this happening anytime soon, unless someone is passionate about contributing the necessary work.