Writing Inspired Software Using Crypto

2009-06-07 20:00:00 -0400

Stephen and I were just interviewed by Dan Grigsby for this week’s Mobile Orchard podcast. The subject of the interview was SQLCipher, an SQLite extension that provides transparent page-level encryption for application databases. We talked mostly about how SQLCipher works, Strip (our iPhone security app built with SQLCipher), the iPhone build process, and DOC cryptography classification. We even managed to crack some NSA conspiracy theory jokes!

I realized afterward that we didn’t spend any time talking about why we like to work with cryptography and what drives us to do it. I suppose there are quite a few different motivations for us, but being that last week saw June 4th, the 20th anniversary of the Tienanmen Square Massacre, I found myself looking up Tank Man again. Mostly I was thinking about the legacy of his action and that iconic photograph, but I was reminded of why we value cryptography in software.

I have a number of friends who were in China during the recent Olympics for various reasons. One was there to document things that foreign media were forbidden to cover – like the many protests that were squashed outside the stadium. My buddy @noneck found himself in some “interesting” situations. He was eventually picked up by the authorities who went through his personal items, used his credit cards and forged his signature to deport him back to the U.S. You bet they went through his iPhone looking for potentially incriminating data.

Other friends were there to work with the Free Tibet movement, and they had iPhones, too. If they’d been picked up, and their phones contained incriminating information, notes, audio, contacts, etc, it could have severely compromised their freedom and safety, not to mention their particular mission. Obviously, these are chances that Noel and the others were all knowingly taking, but I’m glad they all made it home safe.

When they came back and told me their stories, I was struck by a thought. Smart phones present amazing capabilities, like video recorders and audio recorders, that can enable people to act as journalists and/or mobile broadcasters. Information is power but sometimes it is dangerous. Even having an audio interview on your phone could get you in a lot of trouble if you’re detained by people with an axe to grind.

Unfortunately the access code on an iPhone, like the on-screen locks of most mobile devices, is not a strong barrier to accessing data stored on the device. More and more of us are taking personal photos, videos, writing notes, storing valuable contact and business information, and utilizing applications to which we grant access to our online identities and social networks.

I want to create mobile software that treats this confidential data securely. That’s why we’ve been developing a suite of applications aimed at people who need to keep secrets. Strip, our password manager and data vault, can store all types of security credentials, financial and contact information. Codebook will soon fill the real need for a dedicated secure notes application, and will add some features that we feel are missing in the Apple Notes. We have a secure audio recorder under development, too.

More importantly, SQLCipher makes it possible for other iPhone applications to provide this kind of security without adding significant complexity. It’s open source and on on GitHub so we hope to see it used in other applications some day. The Mobile Orchard interview provides some details about how it works, and how we hooked into SQLite to provide the encryption. We’ll also be publishing a tutorial shortly describing how to set up the Xcode build process step-by-step.

If you’re going to Apple’s WWDC next week, and you find yourself looking to start a new app, we hope you’ll take a look at SQLCipher. Get in touch with us if you have any questions! We’re also eager to collaborate on development, especially with porting to other platforms (some folks have already show interest in Android, CoreData, etc).

blog comments powered by Disqus