How I stopped being afraid and started sharing secrets with my phone By Zoranin Blog - May 21, 2022 Comments: 0 Views: 205 I don’t know about you, but I can’t say that I love it, but I see a lot of benefit in introspection, or, in simple terms, self-observation. So, let's say the day before yesterday I woke up on my own, not too early, ate oatmeal, drank coffee without sugar, and my whole day was very productive. And yesterday I went to bed late, and I also had a bad dream, I won’t talk about what, I woke up only on the second alarm clock, I didn’t have time to have breakfast before work, and the rest of the day was messed up. If this happens several times, it’s probably some kind of regularity, a pattern, and I could think about what to do or not do in order to make my day productive - but for this you need to remember all this. Computers are much better at remembering than humans. The main thing is that the memorized can be retrieved when needed. It goes without saying to write it down somewhere on the phone, but where? It would seem that there are a lot of applications and services, I don’t want to write. But then the inner paranoid suddenly wakes up and starts asking uncomfortable questions. What is the business model of this service? If I write details about what I had in a bad dream there, will social networks show me ads that remind me of this? Or, let’s say, if I told the insurance company that I don’t drink at all, and yesterday, in fact, I not only went to bed late, but also went over a little, will the insurance company find out about this and will my insurance rise in price? Restless, in short. Yes, there are not very numerous applications that work offline, that is, all data is stored on the phone. Does it provide any guarantee of privacy? Perhaps, but hardly from the manufacturer of the OS or phone, because all data is stored in clear text. Well, are there any offline applications that encrypt stored data (or, as it is called in English, “encryption at rest”), and do it in a relatively convenient way? And here I was expecting a big bummer. Well, as they say, “if you want to do something well, do it yourself”. This is how my project “Paranoid Diary” was born . Well, since I personally prefer Android, the project arose on this platform. A small lyrical digression. Shortly after I published the app on Google Play, I found that the title, among other things, also attracts the real target audience (the real paranoids), so I advise you to be careful with the names :) The application starts with requirements. It is unrealistic to keep secrets from the NSA or the FSB, but you can at least protect yourself from the arbitrariness of IT giants, indiscriminate data mining and advertising. And this means that it is not necessary to encrypt everything completely - it is enough to encrypt the text part of the diary. The ciphertext has one problem - it is difficult to implement a search on it - we need to not only memorize, but also remember. Therefore, it is useful to search not by text, but by tags (#tags). The text of the tags themselves can also be encrypted, and searched for nothing saying ID. In addition, I would like to be able to search for entries by date (this is not a secret), and, if allowed, by geographical coordinates (“what I was thinking about, or what I did in this place before”). After that everything was simple. From the requirements, a solution was logically formed - the SQLite base, in which only text fields are encrypted - the text of the records and the label names. Without a key, you can only see that at time T, and maybe at a point with coordinates latitude, longitude, a certain record was made, which were assigned labels 1, 2, 3. Naturally, if all records are simply encrypted with one key, then the same records would have the same ciphertext. If an attacker can guess the content of the record, this could compromise us, so each record must be salted ( “salt”, “salt” is such a cryptographic term) with something random, then even for identical records the ciphertext will be different. After that, little things remained. Naturally, you need to enter a password for decryption, and it cannot be stored anywhere - only in memory while the application is running and the user is active. It is necessary to provide for the creation of a backup copy and recovery from it - this issue is solved by creating an encrypted zip archive. There is also a useful option, which is often used in banking applications, which prevents the OS from remembering screen previews or taking screenshots ( getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE)). Otherwise, even if access was closed after the user was inactive, when scrolling through the applications, the last active screen with all the contents will appear. As a result, “Diary of a Paranoid” turned out , which I, and some other users, have been using relatively happily for more than two years - and, perhaps, the time has come to share this project with the general public. Of course, no paranoid will trust unknown code, so all code is completely open for audit, self-assembly or customization. Happy paranoia!