Disclaimer: The following info is the result of the analysis and observation of the app distributed by Tsunami Democràtic. It is published with pedagogical purpose and also to allow the citizens can make their own conclusions.
The new cycle started with court ruling regarding of the “Procés” that have been highlighted by the social media and instant messaging apps. If 15M was the result of several Facebook groups,
this Tsunami has started on Telegram with replicas to Twitter. But after the action of blocking the Prat airport, the entity surprised us with a new tool: an app, just for android, designed to coordinate pacific acts of civil disobedience.
From Pirates de Catalunya want to explain its operation from what we could gather and observe collectively. We consider this tool will have on its hands the security of thousands of Catalan men and women, so it must be under the most rigorous scrutiny possible.
Before we begin, we strongly emphasize that the absence of the original font code has made difficult this task. In ordinary circumstances, that would be enough reason to reject its use for not knowing what the application can do precisely. However, the message transmission system is free. In spite of being far away from our ideal, it is better than other options. Like Telegram, that only the client is open. Or social platforms that are entirely private and bound to the arbitrary criteria of a company, like Twitter, that its business is the exploitation of personal data collected for advertising and other purposes.
Retroshare: the keystone
We are not going to get deep in technical aspects regarding the user’s interface and the interaction with the device’s hardware (camera, microphone, GPS, etc.). Just point out, it is an application developed in Flutter and has parts in different languages. We are going to focus on something else, the core that has been already explained in social media and some mass media: Retroshare.
Retroshare is a free project that allows the creation of encrypted networks among friends to communicate, sharing files, videoconferences, etc. without any central server. It is based on the principle of Trusted Network, exchanging keys, preferably in person.
Here is an example to make it more understandable. Two people share the key of a box. One of them can close it, and the other one can open. That would be symmetrical since both parties have the same key. But in the case of an asymmetrical key, the box has a particular lock. It accepts two keys, one we call public, and the other private, and each person has one of each one. The box only can be opened with the correct key combination: the public one from one person and the private from the other. In the case of messaging services, person A can use the public key of person B to encrypt a text that person B could decrypt with his/her private key.
Retroshare is designed to have no central server. As well as IPFS, the technology used to replicate the 1O referendum website with no chance of censorship, the information is no centralized. The friends’ network of Retroshare allows spreading messages among them automatically, so all of them receive them. The network model works pretty close as BitTorrent or Bitcoin. But here, the network nodes are trusted people, each one with their own cryptographic identity, and the keys are not associated with their data. But, how is trust established? That is the primary role of QR codes and why it’s so crucial to no to share them carelessly. The network of trust loses its purpose if it’s not respected. QR codes are a tool to interexchange keys since they often are long text chains too complicated to write them down manually. You probably wonder if these keys have more useful purposes. They do to cipher messages and also to sign them. As we said earlier, messages are encrypted with the recipient’s public key, so that only could be read by the matching owner’s private key. Also, messages can be signed using the private key to validate a known public key sends them. The encryption implemented technology (GPG) is known and tested. Therefore, we have an application that turns a mobile device into a node of a network of people we trust. At the same time, they are connected to their trusted people’s networks to compose a vast network where a person can broadcast messages to all participants. It is a safe network on paper; however, the human factor always is the weakest connecting link of any secure system. That’s why we need to be careful with who we share our keys. No technology is 100% safe but reasonably safe, and that depends on its design and its users.
What can happen to me if I install the app?
We want to warn that from this point, there is certainly speculation. Since the absence of source code, we cannot check if some critical Retroshare characteristics are active. We beg you to understand that the following information has to be taken as prudent advice, not as a negative recommendation of the app.
Retroshare uses a DHT (Distributed Hash Table) to indicate each friend’s IP address. This information is public; therefore, it does connect our key with an IP address. Two integrations with anonymous networks (I2P and Tor) are available. They allow hiding the IP’s device, but as we said before, it’s not possible to confirm if it’s using this. We understand the people that developed the app would activate one of them, but here we are only speculating. If this is the case, both technologies are known and tested, especially Tor. In any case, we advise the use of a VPN as Mullvad in your device to hide your IP address.
What relevance does the association of a cryptographic identity with an IP address? A statal or superior adversary, with access to low-level communications (assuming they have internet providers cooperation), could relate a couple of keys with a person. It would be possible to cross data regarding the hours on Tsunami’s emissions are produced, the IP’s that participate in the network, etc. That said, this is an attack that requires a significant amount of resources as well as a complete intervention of the local internet infrastructure to be able to do traffic analysis. To a lower scale, they could do it targeting “suspect” users such as it would be in a telephone line intervention. These data that are not the content of the messages are called metadata, and different surveillance system uses them.
Beyond this and given the open and free nature of Retroshare, we understand that the messages travel encrypted end to end. But we don’t know what use they give to the data introduced into the app.
On the other hand, without access to the source code, we are not able to confirm the use of the microphone. We can speculate about possible access to VoIP communications, as Retroshare allows. Also, we can’t tell how the data introduced into the app is treated. They can store it outside of the device – that would add a non-desirable centralization factor – or it can be used to filter notifications on the device, according to the user-provided parameters. For things like this, we firmly defend both free software and hardware to know and verify the functioning of technology.
However, the main risk is not the tool itself but its distribution. The distribution of the APK file, installable binary format, downloaded from its web opens the gate to fake websites that distribute modified malware versions. Our advice is never install anything from an unknown origin. It is better to go to the official source and making sure that the address you are accessing corresponds to app.tsunamidemocratic.cat or another subdomain of theirs.
Conclusion
The Tsunami Democratic app makes use of a technically sound foundation. It improves the security of the tools that are being used at the moment massively for mobilizations (as Telegram and Twitter), but it is not a silver bullet. No completely secure technology exists; only reasonable safe tools exist, of which Retroshare seems one of them. Not having access to the app’s source code adds uncertainty. So it goes to the conscience of each one to decide to assume the inherent risks of its use. Let’s be clear; many other choices are taken daily without grasping risks threating our privacy and security. Like when you install the last trending app that modifies your face. But we’ll leave this subject for another day.
Pirates de Catalunya