I'm creating a service which sends audio files via Whatsapp to it's users daily.
The thing is that i want to prevent people from sharing the audio files, so i thought of password protection of each audio file sent, with passwords composed by the user's sensitive information (example: social security number or equivalent, so that the user would be discoraged to pass along his own password to strangers online).
I've been looking for a solution (without success so far) with 4 requirements in mind:
1) It needs to encrypt the file itself, not a folder that contains it
2) Audios must be easily sent and accessed via Whatsapp
3) Audios must be opened by customers without requiring the installation of apps. Just tap in the password and that's it.
4) It needs to work offline.
If there are other solutions to prevent or at least make file sharing more difficult without getting in the way of the user experience, please point out. Just keep in mind that it has to work in a Whatsapp broadcasting context, both in Android and IOS.
I know that everything online can and will be pirated, but i want to just make an effort to protect the product.
Related
Let me start by saying that i do not have any knowledge of cryptology. My question regarding images etc in whatsapp arose because a developer friend said that its the messages which are encrypted. Images, video files which get saved in a whatsapp folder, can be seen by opening the local device folder anytime without going through whatsapp, can be forwarded to any contact not on whatsapp cannot be encrypted in the same sense as chats are.
Another point he said was that as whatsapp keeps images, video files for few days for meeting some 'legal requirements', if these were encrypted, irrespective of legal requirements, whatsapp would not be able to see those images and video. So keeping these images for sometime wouldnot help whatsapp in meeting those legal requirements.
May i request the brainy community here to enlighten me on
If images, videos, audios, docs shared through whatsapp and which get saved in local folder on device can be considered end to end encrypted?
What does the technical document shared on whatsapp website from signal whisper systems mean when it talks about end to end encryption of all attachments?
Insight would be helpful in devising an App where end to end encryption is needed.
CLARIFICATION
I think i could not put my question properly. Let me clarify.
I am not talking about MIM attach atall. I am aware of chats being E2EE. Thus you will not be able to locate chats in your device folder. And you will not be able to share chats to 3rd person outside whatsapp directly from folder. But images/videos in whatsapp get saved in a device whatsapp folder. And you can send those images/videos directly to 3rd person outside whatsapp directly from your folder. If images too were E2EE, these couldnt not be shared, just the way chats cant be shared from any folder.
Whatsapp saves images/video for sometime. What use is saving these if these are encrypted? Even if there were legal requirements, whatsapp cant decrypt them, if these were E2EE! So can E2EE attachments be saved outside the whatsapp in some local device folder and shared outside whatsapp directly?
Could i clarify myself?
Am new to stackoverflow. Pardon a few transgressions.
I haven't seen WhatsApp source code so cannot say for sure, but if they use E2EE the way it's supposed to be used, that would mean the data secrecy is protected while in transit. However, it is not encrypted before sending and decrypted after transmission. Otherwise the receipient wouldn't be able to open an image etc. Moreover, if you save received images/videos to photos outside of WhatsApp, this is where WhatsApp encryption has nothing to do with them any more.
I am a young female developer, but currently i am building a project for a big client in our company,
I have a question, actually one of you can probablly lead me in the right direction:
I have a firebase account and an app with in app purchases - the thing is in app purchases will actually contain videos which i would like to store on firebase servers and download uppon purchase! Can someone lead me in the right direction on how to implement this the easiest way?
Ps., I know i am a rookie but i really do not want to look like an idiot on next months meeting ; )
Warm regards, Lana
Theres honestly no easy way to achieve protecting a file/folder for a specific group of users with firebase cloud storage. You can do checks by changing the folders metadata or using custom tokens, but then you need a server for that etc...
If you wish to remain in a firebase only environment, the easiest way would probably be to have the protected videos hosted in a protected folder from all clients. When the user purchases a video, then send a request a CloudFunction along the lines of..
userClaimsToHaveBoughtAccessToVideo(userId, sku, token, videoId){
// 1. use the googlePlay billing API to verify that the user did indeed purchase the item
// 2. if they did, then store that in read-only node of the database like: /purchasedVideos/userId/videoID/
}
Then if a user wants to download a video, create a function along the lines of...
userWantsToDownloadAVideo(userId, videoId){
// check the database to see if the user has the video
// if they do, copy the video file to a folder like /userId/videos/...
}
Then the video will appear in a personal folder for which the security rules are easy to setup.
When the user downloaded the video to their device send a call to a function along the lines of..
userDownloadedVideo(userId, videoId){
// delete video from the user's folder, to save space
}
Another option would be to host the videos on a different platform entirely, one that has an API and allows it's files to be password protected. (then simply store the access password after verifying IAP in the database, read only for the user), so they can use the other API to download the videos. For security you might want to have a daily job which regenerates the password every day and updates the database..
I have a client who has a crimestoppers' website. They want to provide visitors a means to submit anonymous crime tips, which would then be forwarded to a pre-established email address at the local police department.
What is the best / easiest way to accomplish this? The sender's IP address needs to be hidden. My client also needs to be able to pull reports showing how many tips were submitted and forwarded.
Many thanks!
A simple contact form can be used. It's up to the developer's trust to hide the IP. The submitter won't see anything what is being done using PHP.
You can then update a database with the tips being posted before sending the mails.
In terms of development, you can use a plugin such as Contact Form 7 and then use its hooks to save the tips submitted before sending the mails.
While it is rather simple to set up a contact form that submits to an email address (just use the excellent ContactForm7, as rrikesh's answer suggests). However, getting anonymity right (especially against a party that has as much power and resources) is tricky. You need to be clear about the level of anonymity that you can provide. Log files, document metadata or your ISP can easily give a lot of information away.
Here are two project that have different approaches. They're both not ready-made solutions to your question, but still relevant:
PrivacyBox:
This is a web service run by the German Privacy Foundation. It's basically a message relay like the one you want, except that the user has to trust the Foundation, not you. This model highly depends on the institution providing this service. I'm sure there are other, US-based services like this.
Briefkasten:
An open source software tool used by the German newspaper Die ZEIT.
a reasonably secure web application for submitting content anonymously. It allows to upload attachments which are then sanitized of a number of meta-data which could compromise the submitters identity. Next, the sanitized files are encrypted via GPG and sent via email to a pre-configured list of recipients. The original (potentially 'dirty') files are then deleted from the file system of the server. Thus, neither should admins with access to the server be able to access any submissions, nor should any of the recipients have access to the unsanitized raw material.
This is an attempt to automate the crucial steps to strip any identifying data from the submission and encrypt it, so only the intended recipients can access it.
You would have to host this yourself, though. And it's a Python app.
I have a cross platform Qt application i'd like to add e-mail capabilities for. Given that the user grants his/her permission to the application and provides the e-mail/server/password information to the application, i'd like to:
Programmatically send e-mails using that account
Scan the inbox looking for certain e-mails i'd be interested to download (search strings inside subject lines)
Be able to download attachments from e-mails i deem interesting.
Ideally, i'd like to be able to interface to popular e-mail services like GMail, Hotmail, (IMAP) so that my users have an easy configuration (e.g. "I have gmail, here's my ID/password").
Is there any Qt library that can assist in that task?
You may want to take a look at this
make sure that you may need to change some stuff over there, such as:
socket->connectToHost( "smtp.yourserver.com", 25);
for the gmails (for instance) smpt server,etc...
I have been asked by my (pananoid!) boss to do two things
1. Detect when a user uploaded files to the net using HTTP. So for example how can I detect if a user uploads fire to a free webserver somewhere and can hense steal company data
Detect that a user is copying files to a USB device and what the name of these files are. Also if they copy a zip file to log the contents of the zip file, in case someone just zips up some company files and takes it like that.
Firstly is number 1 possible? and for number 2 can i detect the file names that are copied?
Secondly, any likes to software that does this?
Note that I am the network admin and everyone who I will monitor has local admin rights on their computer and we do not want to further restrict users access.
Thanks a lot
"Note that I am the network admin and
everyone who I will monitor has local
admin rights on their computer and we
do not want to further restrict users
access."
You can have liberty or security, but not both. The number of paths to get data out of an unlocked box are too many to enumerate. Someone zipped up the files and put them on a thumb drive? What if they used tar or shar or pasted them into a Word document, or printed them to a PDF file and sent it out via e-mail steganographically embedded in pornography?
Yeah, a former coworker was stupid enough to send a huge set of huge, logged e-mails to his future employer a couple of days prior to leaving, but you can't count on people being quite that stupid.
What your boss wants isn't possible given a moderately motivated thief and not wanting to "further restrict" access.
Given freely available cryptographically secure tools like OpenSSH (ssh, scp) are usable by almost anyone, what he's asking for is not possible.
I agree with all of you, websense, a DLP, a proxy, a network monitoring, can help you to identify and stop activities not permited by your policies. By the way, a tech should be sustained by a policy on information security and an awareness program. So you have two fields to build-up. one way people must be warned because of the information security policy and constantly informed by the awareness program, then (second) if someone breaks the policy, the technology has to do its work. warn you.
There's basically no way to prevent a malicious employee from stealing and exporting data, short of strip searches when entering and leaving the building and no outside network access whatsoever.
Your boss should be more concerned with accidental data leakage (ie, mistyped email address or mistaken reply alls) and breach containment. The series of technologies dedicated to the former are called Data Leakage Prevention. I'm not hip to all their jive, but I bet more than a few companies would be willing to promise you the world if you showed interest.
The latter is mostly done by closely following the "least privilege" mindset. A guy from sales should not be able to use CVS to check out the source code to the product, and a developer shouldn't be able to access the payroll database. Always only grant the minimum amount of access required to someone in order for them to do their job.
Short answer: No. Not unless you're willing to "further restrict access".
The access restriction for http uploads would be a filtering internet proxy. Make everyone go through Websense or something, and you have a log of everything they did online.
For the USB devices, no. Your option there, and how companies with security needs of that magnitude deal with that issue, is to tightly lock down the clients and disable USB key use. (as well as CD burners, floppy drives if you still have those, etc) Again, that's going to require intrusive software, something like Landesk, + removing local admin so users can't take the software off.