
Feature request: export/import (backup/restore) of conversations/threads

Open ghost opened this issue 9 years ago • 10 comments

AFAIK, the only current mechanism for doing this is to long press on each message, thereby copying it to the clipboard, and then to paste it into another app. That is not user-friendly, if the user wishes to export a whole conversation - or even several conversations.

Perhaps it is also possible via debug logging or similar, but the same applies: not hugely user-friendly.

I am aware that there may be a view that all ChatSecure conversations are intended to be ephemeral and that export/import functionality is inappropriate. I don't share this view, however, and would point out that ChatSecure already uses persistent storage and already allows export by copying (see above) and import by pasting. Therefore, adding a robust, user-friendly import/export feature would merely formalise and add convenience to existing functionality, and make ChatSecure into an even better app than it already is! :-)

N.B. It might be nice if the import/export feature could integrate with OpenKeychain or similar, so that the backups are encrypted. Also, it may make sense to somehow use XEP-0313: Message Archive Management or XEP-0136: Message Archiving. These implementation details are just suggestions, however, and not an integral part of my feature request.

ghost avatar Jul 30 '15 18:07 ghost

I agree with you, although as far as I know not many users export conversations from other apps like WhatsApp... current expectation is that messages are simply stored in your app and not lost like SMSes. However any noteworthy desktop Jabber client makes it possible to save conversations (thus breaking the ephemeral characteristic of this kind of communication) and it would make sense that ChatSecure did too. The only major concern is: are we sure that Android or iOS won't take a peep at your exported logs? If a secure embedded encrypted storage for exported logs is not possible I'd rather keep ChatSecure as it is. It's already good. Remember that its major security threat is the spying environment it lives in and the current app meets general public's expectations in this respect since a very few will want this. I'd say that if ever deployed, such a feature should be some kind of encrypted database dump in the advanced settings so that not many people will risk their privacy by dumping their conversation into plaintext general storage (for Google or Apple to read), like Pidgin does for instance.

chseluv avatar Nov 07 '15 06:11 chseluv

On 07/11/2015, chseluv wrote:

> I agree with you

Good :)

> although as far as I know not many users export conversations from other apps like WhatsApp... current expectation is that messages are simply stored in your app and not lost like SMSes.

[Citation needed]

> However any noteworthy desktop Jabber client makes it possible to save conversations thus breaking the ephemeral characteristic of this kind of communication and it would make sense that ChatSecure did too.

Exactly. Plus, if the app stores the conversations, then they aren't ephemeral anyway.

> The only major concern is: are we sure that Android or iOS won't take a peep at your exported logs?

Surely the OS has visibility of the conversations whether they have been exported or not.

> If a secure embedded encrypted storage for exported logs is not possible I'd rather keep ChatSecure as it is.

Android and iOS both have the ability to encrypt the device's storage (internal and/or SD card).

> It's already good.

It's already good unless the user needs to keep a record of conversations for easy future reference.

> Remember that its major threat is the environment it lives in and the current app meets general public's expectations in this respect since a very few will want this.

If you mean that very few will want to keep records of their conversations, you are mistaken. SMS Backup + is just one of many Android apps for exporting/archiving SMS conversations, and it has 50,000+ reviews and over 1,000,000 installs.

> I'd say that if ever deployed such a feature should be some kind of encrypted database dump in the advanced settings so that not many people will risk their privacy by dumping their conversation into plaintext general storage (for Google or Apple to read), like Pidgin does for instance.

See my previous point: unless I'm very much mistaken, the OS already has visibility of the data. That means Google or Apple probably have access to it too (and possibly the carrier or handset manufacturer as well). The only way around this that I know of is to use an OS distribution that is adequately independent of those parties, e.g. Replicant.

Thanks for your interest in ChatSecure :)

ghost avatar Nov 08 '15 03:11 ghost

As long as ChatSecure continues not to enable easy export/backup of conversations, and as long as it expects users to use it on corporate-controlled Android/iOS, then it is effectively saying to the user, "Google/Apple can export your conversations at will, but you can't, so there!"

That's not very liberating.

As for protecting the exports, ChatSecure could potentially require the presence of AndroidPrivacyGuard/OpenKeychain/GnuPrivacyGuard/etc in order to encrypt the exports.

ghost avatar Nov 09 '15 00:11 ghost

All of the message and media data in ChatSecure is encrypted using SQLCipher and IOCipher. If you set an app passphrase on setup, then that will protect the key that it is encrypted with. If you skip that step, then the key will be protected with a default passphrase. The OS doesn't have visibility to the data in a typical way, though with root permissions of course, you can do just about anything.

That said, the desire to easily export/import data is a valid one, and something we should better support.

n8fr8 avatar Nov 09 '15 21:11 n8fr8

Just as a general question, would you prioritize export per conversation, or a full app data export/import? Is this a backup desire, or do you want to save specific conversations?

n8fr8 avatar Nov 09 '15 21:11 n8fr8


If I may add my opinion on that question too, backup desire, thanks :)

On 11/09/2015 11:44 PM, Nathan Freitas wrote:

> Just as a general question, would you prioritize export per conversation, or a full app data export/import? Is this a backup desire, or do you want to save specific conversations?


fubsan avatar Nov 09 '15 22:11 fubsan

On 09/11/2015, Nathan Freitas wrote:

> All of the message and media data in ChatSecure is encrypted using SQLCipher and IOCipher. If you set an app passphrase on setup, then that will protect the key that it is encrypted with. If you skip that step, then the key will be protected with a default passphrase. The OS doesn't have visibility to the data in a typical way, though with root permissions of course, you can do just about anything.

I'm not sure what you mean by "the typical way". And the OS obviously has root permissions.

The OS could, for example, read (and write) the memory locations where the decrypted messages are stored after the user has decrypted them. It could also intercept the characters of the passphrase as the user enters them, so as not to need to wait for the user if it wants to decrypt them in future.

Simply put: unless I am very much mistaken, ChatSecure as currently realised cannot protect you from your OS.

Therefore, if your OS is under the control of a third party (e.g. the OS vendor or handset vendor, or a malware distributor who has achieved root permissions on your handset), then ChatSecure cannot protect you from that third party.

The only way for a user to reduce that attack vector is to use a more open, trustworthy OS that is less likely to be under the control of a third party. In the mobile world, that means avoiding mainstream Android and iOS, and choosing instead something like Replicant or maybe Openmoko Linux or SHR.

> That said, the desire to easily export/import data is a valid one, and something we should better support.

Great! :)

> Just as a general question, would you prioritize export per conversation, or a full app data export/import?

Depends on the implementation. I would think that dumping contacts and threads into e.g. JSON or some other plain text machine-readable and reasonably human-readable format would be the sensible approach. That way, the user could relatively easily extract conversations from a fuller backup using other tools - even just a text editor - if desired.

Naturally, it makes sense for ChatSecure to make that export happen via a trustworthy encryption app rather than simply exporting a plain text file onto the handset's storage; but if the user later decrypts the export, then the result should probably be a plain text file of the kind described in the paragraph above.

> Is this a backup desire, or do you want to save specific conversations?

I think for most people, the former would be the priority. If you're in the middle of an important conversation, but you've backed up recently, and then your handset gets lost/stolen, it would be nice to be able to restore to a new handset from encrypted backups, and pick up the thread of the conversation with only the most recent messages lost (if any).

Thanks for working on ChatSecure!

ghost avatar Nov 10 '15 12:11 ghost

Yes, if your device is powned, there is little we can do. I think that is true of pretty much any security software, including Tor, GnuPG or pretty much anything. Replicant is great - any non-Google AOSP firmware is a good start.

Ultimately, we primarily focus on network threats, and low-level on device threats like non-root malware, or defending against unintentional cloud backup of plaintext, etc.

If you feel your threat model includes Google, Apple or a third-party malware targeting you to the extreme they are reading encrypted data or keys from memory, or intercepting key strokes, then you should definitely take additional precautions, as documented and implemented here:

https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy

https://github.com/mission-impossible-android/mission-impossible-android

n8fr8 avatar Nov 10 '15 14:11 n8fr8

On 10/11/2015, Nathan Freitas wrote:

> Yes, if your device is powned, there is little we can do. I think that is true of pretty much any security software, including Tor, GnuPG or pretty much anything. Replicant is great - any non-Google AOSP firmware is a good start.

Right. My point was just that whatever you meant by "the typical way", an OS running ChatSecure does generally have visibility of that ChatSecure instance's data.

> Ultimately, we primarily focus on network threats, and low-level on device threats like non-root malware, or defending against unintentional cloud backup of plaintext, etc.

Exactly.

> If you feel your threat model includes Google, Apple or a third-party malware targeting [you] to the extreme they are reading encrypted data or keys from memory, or intercepting key strokes, then you should definitely [take] additional precautions

I completely agree.

And, to bring the thread back on-topic: looking forward to seeing export/import (backup/restore) of conversations/threads in ChatSecure :) Thanks again for your time!

ghost avatar Nov 10 '15 23:11 ghost

I'd also be grateful to have an export or backup feature in ChatSecure. I can see that there are different viewpoints on this, but for me, the chats are a part of my digital life that I wish to back up like I back up all the other parts (pictures, emails, letters). Anyway, thanks for the great work!

fmsuchanek avatar Dec 22 '17 10:12 fmsuchanek