Encryption

Hi folks. Are these assumptions correct:

  1. ODK stores data on the sdcard, so if the sdcard is encrypted by
    Android, then all ODK data on the phone is as secure as the phone's
    encryption system
  2. ODK data is sent to the server via SSL, so all ODK data transmission
    is as secure as SSL itself
  3. The ODK binary is signed by the Play store so we can assume it is
    genuine.

Thanks.

--
Tom Smyth

Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafras.coop · @sassafrastech

Resident, Touchstone Cohousing
touchstonecohousing.org

#1 - somewhat correct.

You should also ensure that device debugging (via adb) is disabled when
collecting data, as that can enable users to "adb pull" data from the
device after it has been successfully booted (when the sdcard encryption
key is entered). i.e., if the debugging interface is enabled, someone
could steal the device, connect it to a laptop, and pull data off it as
long as it has not been shut down -- they don't need to successfully unlock
the device's lock screen to gain access.

Note that many applications allow you to send attachments, and many file
manager tools provide this functionality. There is always the possibility
of installing a not-yet-banned trojan from Google Play that could zip up
the content of the sdcard and send it somewhere.

Ultimately, you need to trust and train your data collectors so that they
are aware and practice good security hygiene.

#2 - iff you configure the server with SSL. AppEngine automatically
provides SSL; other hosting solutions require you to configure it.

#3 - if you root the device, I believe this protection is impacted.

Also, if you install the APK directly via the debugging interface and "adb
install" (and larger deployments do this to protect themselves from bad
software updates and manage their update cycles themselves), then this
verification mechanism is circumvented. We maintain a file of SHA-256
signatures of the downloads we provide on our site -- available via a link
on the downloads page (text at the top of the page):
http://opendatakit.org/downloads/

And you also need to consider the security of your ODK Aggregate server
and its database. To mitigate that risk, we support encrypted forms, which
are stored as blobs on the server, and need to be downloaded to your
desktop via ODK Briefcase and decrypted from there.

As a side benefit, the use of encrypted forms makes the collected data
unreadable on the device after the form has been finalized (at least for
ordinary mortals). For extended data collection of sensitive data with
infrequent transmissions, this can reduce the risk of data access via
device theft and/or a compromised device lock screen.

On Fri, Nov 13, 2015 at 7:14 AM, Tom Smyth tom@sassafras.coop wrote:

--
Mitch Sundt
Software Engineer
University of Washington
mitchellsundt@gmail.com
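An added example (not from this thread or from the ODK project) of the pre-rollout device check that Mitch's #1 answer implies: read the device's properties and settings over adb and flag USB debugging left on, unencrypted storage, a debuggable build, or a su binary. The property and setting names used (ro.crypto.state, ro.secure, ro.debuggable, persist.sys.usb.config, the global adb_enabled setting) are standard Android ones; the getprop excerpt in the block is constructed, not captured from a real phone, and because ro.crypto.state is absent on older releases the check reports a missing value instead of passing it. Two caveats a deployer should keep in mind: the live audit itself needs debugging on and a host the device trusts, so run it as the last provisioning step and then switch debugging off (a device that no longer answers adb has at least passed that check); and from Android 4.2.2 on, adbd only talks to hosts whose RSA key was accepted on the device, so the realistic "adb pull" attacker is one with access to an already-authorized laptop, which is still a reason to leave debugging off in the field.

```python
"""Pre-rollout audit of an Android data-collection device from the output
of three adb commands. Example code written for this thread; not part of
ODK. Parsing and evaluation are separate from the adb calls so the logic
can run on constructed output.

  adb shell getprop
  adb shell settings get global adb_enabled
  adb shell 'ls /system/xbin/su /system/bin/su 2>/dev/null'
"""
import re
import subprocess

GETPROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text):
    """`adb shell getprop` prints '[key]: [value]' per line; return a dict."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit_device(props, adb_enabled_setting, su_listing):
    """Return (severity, finding) tuples for the risks raised in the thread."""
    findings = []

    # USB debugging on: a stolen, still-booted device can be drained with
    # `adb pull` without unlocking the screen (Mitch's point).
    if adb_enabled_setting.strip() == "1" or "adb" in props.get("persist.sys.usb.config", ""):
        findings.append(("HIGH", "USB debugging is enabled (global adb_enabled / persist.sys.usb.config)"))

    # Storage encryption. The property does not exist on older releases, so
    # an absent value is reported rather than silently passed.
    crypto = props.get("ro.crypto.state")
    if crypto != "encrypted":
        findings.append(("HIGH", f"storage encryption state is {crypto or 'unknown'}, expected 'encrypted'"))

    # ro.secure=0 or ro.debuggable=1: eng/userdebug build where adbd runs as
    # root, so the app sandbox no longer protects ODK's files.
    if props.get("ro.secure") == "0" or props.get("ro.debuggable") == "1":
        findings.append(("HIGH", f"non-production build (ro.build.type={props.get('ro.build.type', '?')}): adbd may run as root"))

    # A su binary on the system partition is the usual footprint of rooting.
    if su_listing.strip():
        findings.append(("HIGH", "su binary present: device appears to be rooted"))

    # Before API 17 (Android 4.2.x) adbd accepted any host without key approval.
    sdk = props.get("ro.build.version.sdk", "")
    if sdk.isdigit() and int(sdk) < 17:
        findings.append(("MEDIUM", f"API level {sdk}: no adb host-key authorization on this release"))
    return findings


def adb_shell(*args):
    """Run `adb shell ...` against the attached device and return stdout."""
    return subprocess.run(["adb", "shell", *args], capture_output=True, text=True).stdout


def audit_attached_device():
    """Live audit; requires adb on PATH and a device that trusts this host."""
    return audit_device(
        parse_getprop(adb_shell("getprop")),
        adb_shell("settings", "get", "global", "adb_enabled"),
        adb_shell("ls /system/xbin/su /system/bin/su 2>/dev/null; true"),
    )


# Constructed getprop excerpt (not captured from a real device): a production
# build that has storage unencrypted and adb left on.
SAMPLE_GETPROP = """\
[persist.sys.usb.config]: [mtp,adb]
[ro.build.type]: [user]
[ro.build.version.sdk]: [22]
[ro.crypto.state]: [unencrypted]
[ro.debuggable]: [0]
[ro.secure]: [1]
"""


def demo():
    """Evaluate the constructed sample: two HIGH findings expected."""
    return audit_device(parse_getprop(SAMPLE_GETPROP), "1\n", "")


if __name__ == "__main__":
    for severity, finding in demo():
        print(severity, finding)
```

The evaluation deliberately takes the raw command output rather than calling adb inside, so the same function can be run over outputs collected from a batch of phones by a field script and checked later.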

And to clarify, if you have a removable SD Card, the encryption of that is
a separate step from encrypting the device's internal storage.

That is available on some devices; not sure if it is now available on all
devices.

On Fri, Nov 13, 2015 at 9:39 AM, Mitch Sundt wrote:

--
Mitch Sundt
Software Engineer
University of Washington
mitchellsundt@gmail.com

Thanks Mitch, great answer!

On Fri, Nov 13, 2015 at 12:39 PM, Mitch Sundt wrote:

--
Tom Smyth

Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafras.coop · @sassafrastech

Resident, Touchstone Cohousing
touchstonecohousing.org

Some of my thoughts on top of Mitch's answer:

#1 - Here, I am assuming that you guys will enable the SD card encryption
and set the passcode for each device manually before the project rollout.
This means you will take care of mapping each device passcode to the
device itself (somehow labeled with a unique ID) on the server (this is for
recovery just in case the data collector forgets the passcode). Here are
the difficulties with this assumption:

a. it will be cumbersome once you pass a small number of devices (like 50),
so large scale will be a nightmare.
b. You are locking down the device with a single passcode, which
means it is not possible to share devices among data collectors unless they
share the same passcode.
c. The account recovery procedure will still be difficult.

If you are assuming the data collector will set up the SD card encryption, I
would like to hear how you manage the account and data recovery procedure
when they lose their passcode.

As Mitch stated, once the device is unlocked, the data is available to all
installed apps. If you have a malicious app by chance, it can easily
compromise the data. In addition, the encryption feature is not available
on all devices; for instance, Android 4.0 (ICS) does not have the ability
to encrypt removable storage:
https://groups.google.com/forum/?fromgroups=#!topic/android-security-discuss/vZy-cHC0Dnw

#3. No. The ODK binary is signed (self-signed) by the project (if it is a
customized app) or by ODK (the default). The Play Store doesn't sign the
app; instead it uses a tool called "Bouncer" to simulate the app and check
against some known malicious behavior. Google introduced this tool to
mitigate the high rate of malicious apps in the Play Store (it used to be
around 220%; after the tool, it is estimated at 40%).

The signing is for keeping the integrity of the app, for updates signed by
the app owner, and for process/user ID sharing among multiple apps signed by
the same key. The Android platform enforces this during app installation and
updates. On a rooted device, this function still exists, but as Mitch said, it
is impacted. If you are considering rooted devices, I would be more concerned
with SD card encryption (which relies heavily on platform security features).

We have come a long way to address the security issues in mobile data
collection systems. Here is a reference:
https://bora.uib.no/handle/1956/10652 and testing is underway to provide
some of the security features on ODK. If you are concerned with data
protection while data is at rest or in transit (no CA certificate is
needed), user authentication (both local and remote, multi-user support per
device, recovery of both data and account), we can have further discussion.

Best,

Samson Gejibo, PhD

University of Bergen | Department of Informatics
Thormøhelnsgt. 55, Postboks 7800
NO-5020 Bergen

Office: +4755584278
Mobile: +4745137535

On Fri, Nov 13, 2015 at 4:14 PM, Tom Smyth wrote:

--

http://www.uib.no/persons/Thorkild.Tylleskar#profil
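Two checks that follow from Mitch's remark that installing with "adb install" bypasses Play's verification (hence the SHA-256 list on the downloads page) and from Samson's point that the integrity guarantee actually comes from the app owner's signing key. This is an added example, not code from ODK or from either poster. It assumes the published digest list is in sha256sum format ('<hex>  <file>' per line) and that apksigner from the Android build-tools is available to print the signer certificate; the pinned fingerprint and the apksigner output inside the block are placeholders, not ODK's real certificate, and the file written by demo() is constructed bytes, not an APK. One caveat: the downloads page is linked over plain http, so fetch the digest list over HTTPS or compare it with a copy obtained out of band, otherwise the hash check only confirms the APK matches whatever the same network path served. The signer check is what a digest list cannot give you: a rebuilt or repackaged APK whose hash has been placed in a tampered list still fails it.

```python
"""Provenance checks for a sideloaded ODK Collect APK. Example code written
for this thread; it is not part of ODK.

  1. download_matches_manifest(): the file's SHA-256 appears in the
     project's published digest list (assumed to be sha256sum output).
  2. signed_by_pinned_key(): the APK's signer certificate, as printed by
     `apksigner verify --print-certs`, is the one pinned from a known-good
     build.
"""
import hashlib
import hmac
import os
import re
import subprocess
import tempfile

# Placeholder only: record the real value from a trusted install with
# `apksigner verify --print-certs`. This is NOT ODK's signing certificate.
PINNED_SIGNER_SHA256 = "00" * 32

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")
APKSIGNER_SHA256 = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})$")


def parse_sha256_manifest(text):
    """sha256sum-style lines ('<hex>  <file>', or '<hex> *<file>' in binary
    mode) -> {basename: lowercase digest}. Other lines are ignored, so a page
    with prose around the digests still parses."""
    entries = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and HEX64.match(parts[0]):
            name = os.path.basename(parts[1].lstrip("*").strip())
            entries[name] = parts[0].lower()
    return entries


def sha256_file(path, chunk=1 << 20):
    """Streamed SHA-256 of a file on disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def download_matches_manifest(path, manifest_text):
    """True only if the file's digest equals the list entry for its basename.
    A file the list does not mention fails closed; comparison is constant-time."""
    expected = parse_sha256_manifest(manifest_text).get(os.path.basename(path))
    return expected is not None and hmac.compare_digest(sha256_file(path), expected)


def signer_fingerprints(apksigner_output):
    """Every signer certificate SHA-256 digest in apksigner output, lowercased."""
    fps = []
    for line in apksigner_output.splitlines():
        m = APKSIGNER_SHA256.match(line.strip())
        if m:
            fps.append(m.group(1).lower())
    return fps


def signed_by_pinned_key(apksigner_output, pinned=PINNED_SIGNER_SHA256):
    """Require exactly one signer and that it is the pinned key. A second
    signer or a different key (a repackaged build) is rejected."""
    fps = signer_fingerprints(apksigner_output)
    return len(fps) == 1 and hmac.compare_digest(fps[0], pinned.lower())


def run_apksigner(apk_path):
    """Invoke apksigner from the Android build-tools on a real APK."""
    return subprocess.run(["apksigner", "verify", "--print-certs", apk_path],
                          capture_output=True, text=True, check=True).stdout


# Constructed apksigner output for the placeholder key; not from a real run.
SAMPLE_APKSIGNER_OUTPUT = (
    "Signer #1 certificate DN: CN=Constructed Example\n"
    f"Signer #1 certificate SHA-256 digest: {PINNED_SIGNER_SHA256}\n"
    f"Signer #1 certificate SHA-1 digest: {'00' * 20}\n"
)


def demo():
    """Fake APK file (constructed bytes) against a good and a tampered digest
    list, plus the pinned-signer check on the sample output."""
    with tempfile.TemporaryDirectory() as d:
        apk = os.path.join(d, "ODK-Collect.apk")  # hypothetical file name
        with open(apk, "wb") as f:
            f.write(b"PK\x03\x04 constructed bytes, not a real APK")
        good_list = f"# Downloads\n{sha256_file(apk)}  ODK-Collect.apk\n"
        bad_list = f"{hashlib.sha256(b'other').hexdigest()}  ODK-Collect.apk\n"
        return (download_matches_manifest(apk, good_list),
                download_matches_manifest(apk, bad_list),
                signed_by_pinned_key(SAMPLE_APKSIGNER_OUTPUT))


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

For a real file, run both checks before "adb install": download_matches_manifest(path, manifest_text) with the digest list fetched over HTTPS, then signed_by_pinned_key(run_apksigner(path)) against the fingerprint you recorded from the first trusted install. Pinning the signer also covers the self-built case Samson describes, since a project signing its own customized Collect simply pins its own key.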

Very interesting Samson, thank you.

Is it possible to tell ODK to store its files on internal storage?

On Fri, Nov 13, 2015 at 5:35 PM, Samson Gejibo wrote:

--
Tom Smyth

Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafras.coop · @sassafrastech

Resident, Touchstone Cohousing
touchstonecohousing.org

Absolutely.

If you create the files in private mode, they are accessible only by ODK.
If you are still considering rooted devices, the internal storage works just
like the SD card (no protection).

On Fri, Nov 13, 2015 at 11:47 PM, Tom Smyth wrote:

--
Samson Gejibo, PhD

University of Bergen | Department of Informatics
Thormøhelnsgt. 55, Postboks 7800
NO-5020 Bergen

Office: +4755584278
Mobile: +4745137535

http://www.uib.no/persons/Thorkild.Tylleskar#profil

Great discussion! I've added links to Samson's dissertation at
https://opendatakit.org/about/security-and-privacy-statement

Yaw

--
Need ODK consultants? Nafundi provides form design, server setup, in-field
training, and software development for ODK. Go to https://nafundi.com to
get started.

On Sat, Nov 14, 2015 at 6:01 AM, Samson Gejibo samson.gejibo@gmail.com wrote:

Thank you Samson!

On Sat, Nov 14, 2015 at 10:29 PM, Yaw Anokwa wrote:

Great discussion! I've added links to Samson's dissertation at
https://opendatakit.org/about/security-and-privacy-statement

Yaw

Need ODK consultants? Nafundi provides form design, server setup,
in-field training, and software development for ODK. Go to
https://nafundi.com to get started.

On Sat, Nov 14, 2015 at 6:01 AM, Samson Gejibo samson.gejibo@gmail.com wrote:

Absolutely.

If you make files in private mode, so that the files are accessible only
by
the ODK. If you still consider rooted device, the internal storage works
just like as the SD card (no protection).

On Fri, Nov 13, 2015 at 11:47 PM, Tom Smyth tom@sassafras.coop wrote:

Very interesting Samson, thank you.

Is it possible to tell ODK to store its files on internal storage?

On Fri, Nov 13, 2015 at 5:35 PM, Samson Gejibo <samson.gejibo@gmail.com wrote:

Some of my thoughts on top of Mitch's answer:

#1 - Here, I am assuming that you guys will enable the SD card encryption and set the passcode for each device manually before the project rollout. This means you will take care of mapping each device passcode to the device itself (somehow labeled with a unique ID) on the server (this is for recovery, just in case the data collector forgets the passcode). Here are the difficulties with this assumption:

a. It will be cumbersome once you pass a small number of devices (like 50), so large scale will be a nightmare.
b. You are locking down the device with a single passcode, which means it is not possible to share devices among data collectors unless they share the same passcode.
c. The account recovery procedure will still be difficult.

If you are assuming the data collector will set up the SD card encryption, I would like to hear how you manage the account and data recovery procedure when they lose their passcode.

As Mitch stated, once the device is unlocked, the data is available to all installed apps. If you have a malicious app by chance, it can easily compromise the data. In addition, the encryption feature is not available on all devices; for instance, Android 4.0 (ICS) does not have the ability to encrypt removable storage.

#3. No. The ODK binary is signed (self-signed) by the project (if it is a customized app) or by ODK (the default). The Play store doesn't sign the app; instead it uses a tool called "Bouncer" to simulate the app and check it against some known malicious behavior. Google introduced this tool to mitigate the high rate of malicious apps in the Play store (it used to be around 220%; after the tool, it is estimated at 40%).

The signing is for keeping the integrity of the app, for updates signed by the app owner, and for process/user-ID sharing among multiple apps signed by the same key. The Android platform enforces this during app installation and updates. On a rooted device, this function still exists, but as Mitch said, it is impacted. If you are considering rooted devices, I would be more concerned with SD card encryption (which relies heavily on platform security features).

We have come a long way to address the security issues in mobile data collection systems. Here is a reference: https://bora.uib.no/handle/1956/10652, and testing is underway to provide some of the security features on ODK. If you are concerned with data protection while data is at rest or in transit (no CA certificate is needed), user authentication (both local and remote, multi-user support per device, recovery of both data and account), we can have further discussion.

Best,

Samson Gejibo, PhD

University of Bergen | Department of Informatics
Thormøhelnsgt. 55, Postboks 7800
NO-5020 Bergen

Office: +4755584278
Mobile: +4745137535

On Fri, Nov 13, 2015 at 4:14 PM, Tom Smyth tom@sassafras.coop wrote:

Hi folks. Are these assumptions correct:

  1. ODK stores data on the sdcard, so if the sdcard is encrypted by
     Android, then all ODK data on the phone is as secure as the phone's
     encryption system
  2. ODK data is sent to the server via SSL, so all ODK data transmission
     is as secure as SSL itself
  3. The ODK binary is signed by the Play store so we can assume it is
     genuine.

Thanks.

--
Tom Smyth

Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafras.coop · @sassafrastech

Resident, Touchstone Cohousing
touchstonecohousing.org

--
Mitch Sundt
Software Engineer
University of Washington
mitchellsundt@gmail.com