 All right. So what is this? Technically it is one of the lockdown projects. So you may ask why anybody needs yet another kind of a diary application. My particular use case, I don't mean to say that this is the only use case for the application of this. There might be many, many, many more, but I wanted to track things related to my personal well-being, like literally what I ate, how I slept, what was the outcome the next day, was I productive, was I not. And obviously it is nothing super security critical, right? But still it's lots of details about you personally and you probably don't want Google, any sort of policy application vendors or insurance companies to whom they can resell this data, know about this, right? And also it is a purely personal thing. So you don't want to normally to share such things with your friends and it's not like the weight loss tracking application when you boast about every cage you lost, right? It's all for your eyes only. So I did a little bit of research and found that there is nothing really on the market. And the vast majority of such applications unfortunately are online and online has certain implications that somebody pays for the infrastructure and they somehow put the cost on you either by bothering you with meaningless advertisement or in the worst case by doing some data mining on the data you submit there. And for me in particular because I also do or rather I did and hopefully will do a bit of traveling in parts of the world where mobile coverage is not so good. It was important to be able to work with application entirely of the grid that is you shouldn't need anything other than your mobile. So I didn't find anything suitable. I decided to write my own one again some spare time doing the lockdown etc etc. For the platform or birthday the choice was enjoyed because it is much more friendly to deal with development tools are free and also it would be easier to use for many people around the globe if anybody wants to use it because it requires a basic functionality from your smartphone. It works on anything starting from Android 4.4 which is almost non-existent by now. So yeah that's why I decided to spend some time and make my own one. I apologize I cannot figure out how to maximize my slides here so we probably will have to leave with a small view. So now important statement on any kind of security applications on smartphones. There's no such thing as security on the smartphone. If any data can get you in any kind of serious trouble keep this data in your smartphone as far away from each other as possible and also there's no such thing as social and secure at the same time. It's just as a general warning. So talking about security obviously we cannot protect from everything. We need to be clear about what is our threat model what we are taking seriously and what we just ignore. So what I wanted to protect myself from is most of all indiscriminate data mining but by whoever parties might be in control of my phone that is Google with Android or any other applications installed on the phone or another important case if somebody gets hold of your phone and wants to read what you wrote in your superdupersecret diary. Obviously we are not even trying to protect from any professional actors targeting you specifically. So again as I said there are no real secrets on mobile device just by definition. So the next question obviously is how do we achieve all these things but before in the true spirit of open source software we want everything to be verifiable. So the source is available on GitHub. There is a link in the end and for Android applications specifically it is also a good practice to check what permissions this application is asking for. So this application asks only for location permission and even this is an option which you need to turn on if you want to go tag your records in addition to time stamping them. So it does not have any network permission at all. It allows you to share records from your diary if you want to via the standard Android sharing mechanism but the component which actually will be doing the sharing will be something else. The application does not have any permissions to leak your data anywhere. Now for the technical implementation. For storing the data I chose to use SQLite database which resides in a space which is private for your applications that is provided Android is working normally and does what it should do. No other application ever should be able to access this database on your application and then draw it itself obviously. So since I personally don't trust Google Mesh as well so I want the data to be encrypted at rest and the easiest approach seems to be to encrypt the specific text field in text fields in the database. And the database itself is actually very simple it consists of records and also you can tag records. So there are only two text fields the record itself and the tags these are encrypted. The encryption is an encryption provided by Android by modern standards. Well you probably don't want to expose it to the whole world and use the latest and greatest hardware and try to decipher it but for the threat model described previously this seems to be sufficient. A few more bits and pieces as you know when you have multiple applications running on your mobile device and you swap between the applications you can see the screenshot what your application was showing. Luckily there is a special flag in Android application which is typically used in say online banking applications which does not allow your screenshot to be displayed in this situation and which also prohibits anybody from taking screenshots from your application in general. Another useful feature obviously would be login timeout that is once you enter your password you can read your records and add new records after some time of inactivity times out and you need to explicitly unlock it. Last but not least everybody wants to have some backup copy or maybe you even want to do some analysis on your diary records later so you want to be able to still get out all the data out of your secret diary for further processing and it seems that the most secure way to do this is to assemble it all inside your application in a password protected zip file. Again this is a standard zip encryption which is probably not super duper strong by modern standards but still it's good enough and does the job and then once this zip file is generated you can share it via any mechanism available on your phone and probably one of the more secure ways would be directly share it via bluetooth to your trusted device be it your laptop or whatever else and there on your laptop you will need all obviously to enter the same password to decrypt the zip file and get the content which can be either a text file or a json file for any kind of fancy processing and as I already mentioned any sharing of the data outside of application is only technically possible by users deliberate action by sharing this encrypted zip file with backup or by manually sharing a single record using the android standard sharing mechanism. One other little note is that if you are seriously seriously paranoid you probably don't want to trust on-screen keyboard as well because as we all know it learns from what you type and the exact details about how it learns and where the data goes they are not very well publicized so if you want your diary to be even more secure you might wish to use an external keyboard either USB standard USB keyboard which work with I think any android device now just as normal cable keyboard or slightly less secure bluetooth. So for the demo unfortunately I won't be able to do this because the tiny laptop I'm sitting on now is unable to run the emulator at the same time but there is a link in the end so you can just install the application or build it from source and try it for yourself. So as I said the application is very simple you create the record it is timestamped it is optionally tagged and you can add your arbitrary tags to this record which allows you to have a nice cross section like if this record is related to say sleep quality next time by clicking on this tag you will bring up all records which are related to your sleep quality for instance and last but not least here is a link to the application in google play store and here is the link to the sources and if anybody has any interesting proposals or any other interesting use cases github gives a good way to communicate any such things and whenever I have time I'm happy to bring forward and do something more about it in its current form it pretty much suits most of the needs I developed it for but if it is useful for anybody else for instance I'll just give you a shout and that's pretty much it for my application any questions any feedback anything does this work can stress to the more recent Android thing because 4.4 I have no idea what is the latest but does this actually work the same in the new one uh yeah so it works on anything from 4.4 and above the phone I'm running it on now I believe it runs Android 11 and just let me double check I think it's 11 uh sorry 10 so it definitely runs on Android 10 but there's no super offensive function analysis which I would expect to change from one major release of Android to another so don't think there might be any breaking changes within your versions I try as much as possible to avoid anything non-standard oh actually I have one thing I think I think when you plug in a USB keyboard it also still goes through the uh the keyboard software on Android if I remember correctly this might depend on your particular phone model and settings because some they are still you can enable all these fancy predictions and learning even with a manual keyboard but I believe that by default it is turned off or at least it's definitely turned off on my phone but the more physical it is the less of an application it is the more secure it is from data gathering potential at least this is a hope okay thanks I had a comment on the uh encryption of the zip file yeah you suggested that it wasn't necessarily all that great I think you're perhaps underestimating so the the complication this is a the nice thing about standards is that there are so many choose wrong situation there are at least three possibly four or five encryption systems in use in zip files in particular picaware of winsip uh didn't see i'd arrive a number of years but AES has AES 256 has been standardized for years and is will open on just about everything and so long as you specified at the time you encrypt it as AES 256 you've then got something that is authorized or certified by most governments for anything up to secret level classification so it's pretty bloody solid the problem that you've got as ever is the key management not the encryption algorithm and that then it doesn't matter what software you've got that's the bigger problem yeah well I'm just being uh generally cautious of with such statements uh when quantum computers are somewhere just around the corner and the thing is that in android at least in the library I used for zip there's no way to explicitly specify the encryption parameters and also if you'll try to do something uh uh non-standard there chances are that on your particular machine and your particular version of zip it might be uh unable to decrypt itself so I use the standard option if you can't specify then you of course you have a problem but it's AES 256 is it's been part of the standard for a long time so it's it's something that should work on just about every implementation but sure yeah encryption is a database and the encryption of a zip file are obviously different yes all right any more questions uh if you have any questions you can ask them Alex now um yeah so I just posted the slide deck on Facebook group if you're interested that's great thanks all right thank you I think that'll be it so that's it for all the talks today I think we'll have we have some time to mingle uh so yep this room will remain open