The Guardian Project has announced a new initiative designed to help users and developers ensure that the third party applications they are using on their smartphones or other devices are safe. The project, called the Weather Repo provides a weather report of sorts, on the security of a given application.
Essentially, the Weather Repo will be like a Yelp for app security. Users, researchers, or hackers can post information they know about applications to help others learn about their overall security. This is the latest idea from the Guardian Project which works transparently with a team of users, activists, and open source security hackers to help keep the internet a little more secure. The projects put forward for smartphones typically focus on the Android platform which is open source and allows for this kind of work, although there are some limited partnerships with others working on iOS.
“People are getting sold on secure apps and that claim is not always true, Snapchat is a key example of that, because users think their pictures are expiring but others can take pictures of the photos or rename them so they stay online,” explains Mark, a technologist at the Guardian Project in an interview with CivSource.
In the beginning they are asking for users to help them report on known issues with certain apps, and they hope companies themselves will start to add information to the repository. To that end they’ve created both an API and a sandbox to allow for methods testing. They’re also working with designers to create a standard of iconography around app safety. Sort of like public health grades but for app security.
“Angry Birds asks for access to your contact list, and not a lot of people pay attention to that. But why do they need access to your contact list? People need to know what the point of these exchanges are and how to navigate them,” he says. “For activists, or in the human rights context, people are downloading what they think are secure applications and they are proving themselves not to be, a lot of that is trial and error.”
For users that want to report a threat, the repo has a fairly simple form that asks for details about the problem. According to the official blog post from the Guardian Project, they have plans to help promote the most secure apps in the future.
The project is also an outgrowth of their support for the open metadata project backed by the Open Integrity Index, of which the Guardian Project itself is a founding member. Metadata is essentially the data, about the data of a given application. Because it is a sub-layer of data, metadata is most often hidden from users, and sometimes even skilled hackers, but it provides key locating information about the your data. (See recent coverage around the NSA spying scandal and metadata here and here. A more technical explanation of metadata is here.)
“People don’t realize how easy it is for someone to spoof an app like WhatsApp and download all of your messages. Secure chat is easier on Android because the platform is open source and you can see where the holes are and patch them, but with iOS it is more difficult because you can’t see where they are on the closed system,” Mark notes.
He explains that for developers, the API will help them discover best practices around security for app development. “Security isn’t always front of mind for a lot of apps, but this makes it easy to embed.”