[HN Gopher] Show HN: End-to-end encrypted location sharing servi...
       ___________________________________________________________________
        
       Show HN: End-to-end encrypted location sharing service like Google
       Latitude
        
       Author : apayan
       Score  : 72 points
       Date   : 2020-12-08 16:57 UTC (6 hours ago)
        
 (HTM) web link (www.zood.xyz)
        
       | novok wrote:
       | I'm unable to try out the android app, since I'm on iOS, but one
       | idea that would be cool is to set the accuracy of the shared
       | location. Some people just want to share what neighborhood, city,
       | or even what country / state they're in, or only share accurate
       | location to a specific set of people.
       | 
       | Also another way to avoid using google / apple location services
       | is offering a geoIP mode, which would mesh well with the optional
       | rough location options.
       | 
       | It's too bad you can't force location services to only use built
       | in GPS vs pinging their internet servers.
       | 
       | Apple also has an issue where they silently stop location
       | tracking apps in the background, you might have to make a nag
       | notification like the Arc app does to keep it active.
       | https://www.bigpaua.com/arcapp/
        
         | apayan wrote:
         | > _I'm unable to try out the android app, since I'm on iOS_
         | 
         | I don't have a formal list set up for this, but if you would
         | like to be notified of when the iOS app is ready just send me
         | an email [arash at zood dot xyz], and I'll send you a reply
         | when it's ready.
         | 
         | > _one idea that would be cool is to set the accuracy of the
         | shared location_
         | 
         | Great idea. I hadn't considered that. Using geoIP mode would
         | also be worth investigating. I've often found geoIP to be quite
         | inaccurate when on cellular networks (e.g. reporting that I'm
         | in San Jose when I'm actually in Los Angeles). Any thoughts
         | about that?
         | 
         | > It's too bad you can't force location services to only use
         | built in GPS vs pinging their internet servers.
         | 
         | My understanding is that on Android if you only use the
         | platform location services instead of the Google Play Fused
         | Location Provider, it will only access satellite positioning
         | (GPS, GLONASS, etc.). It will also use up your battery faster,
         | but I think that's tangential. So, at least on Android, I can
         | code a path to only use location services.
         | 
         | > Apple also has an issue where they silently stop location
         | tracking apps in the background, you might have to make a nag
         | notification
         | 
         | That has been a real pain in my side on iOS and Android. So
         | many deceptive apps have abused the location system for so many
         | years, that Apple (especially) and Google are making legitimate
         | use cases of background location very inconvenient. I can't say
         | I blame them either.
        
           | bradbeattie wrote:
           | > Any thoughts about [GPS accuracy]?
           | 
           | Unless I'm missing something, couldn't you just fetch the GPS
           | location and truncate the precision to 1/2/3 decimal points?
           | There are subtler ways of doing this that mitigate
           | 
           | A: Oscillation of a user on the border between X,Y and X,Y+1
           | 
           | B: Distortion of precision area near the poles
           | 
           | but I'm sure you get the gist.
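
The precision-reduction idea in the comment above, as an added example (not code from the thread or from the Zood project): it snaps a GPS fix to a grid of roughly square cells and addresses the two subtleties named, A (oscillation on a cell border) with hysteresis and B (distortion near the poles) by scaling the longitude step by cos(latitude). The cell size, hysteresis fraction and metres-per-degree constant are assumptions chosen for illustration.

```python
import math

METRES_PER_DEG_LAT = 111_320.0  # approximately constant; a degree of longitude shrinks by cos(lat)


def naive_truncate(lat, lon, decimals):
    """The simple approach from the comment: drop decimal places.
    Cells narrow toward the poles, and a user standing on a cell edge
    flips between neighbouring values on every fix."""
    f = 10 ** decimals
    return math.floor(lat * f) / f, math.floor(lon * f) / f


def _lon_deg_per_cell(row_centre_lat, dlat):
    # Widen the longitude step so a cell stays ~cell_m wide away from the equator
    # (the max() avoids a division by zero exactly at the poles).
    return dlat / max(math.cos(math.radians(row_centre_lat)), 1e-6)


def cell_index(lat, lon, cell_m):
    """Index (row, col) of the cell_m x cell_m cell containing (lat, lon).
    The longitude step is derived from the row's centre latitude, so every
    cell in a row has the same width in metres (mitigates point B)."""
    dlat = cell_m / METRES_PER_DEG_LAT
    row = math.floor(lat / dlat)
    dlon = _lon_deg_per_cell((row + 0.5) * dlat, dlat)
    col = math.floor(lon / dlon)
    return row, col


def cell_centre(row, col, cell_m):
    """The coordinate actually shared: the centre of the cell, never the raw fix."""
    dlat = cell_m / METRES_PER_DEG_LAT
    lat = (row + 0.5) * dlat
    dlon = _lon_deg_per_cell(lat, dlat)
    return lat, (col + 0.5) * dlon


class CoarseLocation:
    """Reports cell centres with hysteresis (mitigates point A): a new cell is
    reported only once the fix lies more than `hysteresis` cell-widths beyond
    the edge of the cell last reported, so a user hovering on a boundary does
    not bounce between two cells. Values are constructed for this example."""

    def __init__(self, cell_m=1000.0, hysteresis=0.25):
        self.cell_m = cell_m
        self.hysteresis = hysteresis
        self.cell = None  # (row, col) last reported, or None before the first fix

    def update(self, lat, lon):
        new = cell_index(lat, lon, self.cell_m)
        if self.cell is not None and new != self.cell:
            c_lat, c_lon = cell_centre(*self.cell, self.cell_m)
            dlat = self.cell_m / METRES_PER_DEG_LAT
            dlon = _lon_deg_per_cell(c_lat, dlat)
            limit = 0.5 + self.hysteresis  # half a cell to the edge, plus the margin
            if abs(lat - c_lat) <= limit * dlat and abs(lon - c_lon) <= limit * dlon:
                return cell_centre(*self.cell, self.cell_m)  # stay put
        self.cell = new
        return cell_centre(*new, self.cell_m)


if __name__ == "__main__":
    # Constructed fixes straddling a 1 km cell boundary just north of the equator.
    dlat = 1000.0 / METRES_PER_DEG_LAT
    tracker = CoarseLocation(cell_m=1000.0)
    for fix_lat in (dlat - 0.0001, dlat + 0.0001, dlat - 0.0001):
        print("naive:", naive_truncate(fix_lat, 0.004, 3), "hysteresis:", tracker.update(fix_lat, 0.004))
```

The share with a friend then carries the cell centre rather than the fix; the cell size is the knob that turns "exact position" into "neighbourhood" or "city", and hysteresis keeps the shared value stable for someone walking along a boundary.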
        
           | novok wrote:
           | It would probably be a power user option wrt to geoIP. Maybe
           | add a tag to the location to denote that this isn't very
           | accurate / a geoIP location. You could even detect if you're on
           | wifi or not to say if it's a cellular geoIP, so it's extra
           | inaccurate or similar.
           | 
           | You could even go full original whatsapp and add a status
           | string thing :P
        
       | gizumo wrote:
       | Looks like it has potential. As a somewhat hopeless security-
       | minded user, I appreciate the genuine privacy interest from
       | developers. Gotta try it out more before deciding whether it
       | stays on my phone or not.
        
       | mike-cardwell wrote:
       | I had an idea for a location sharing app, years ago. Never built
       | it. It would share privately using encryption, as this one does,
       | but _also_ , people could easily see a log of who looked up their
       | location and precisely when.
       | 
       | The benefit of this would be that you could ask your family
       | members to install it on their phone, for emergencies. And if you
       | have a teenage kid who is concerned about you "stalking" them or
       | "invading their privacy", you will be able to say, "you will be
       | able to see in the app whenever I look up where you are, so you
       | will know that I'm not checking up on you constantly"
       | 
       | It would also be a deterrent against you abusing your powers. You
       | wouldn't want to look up where they are unless absolutely
       | necessary, as you wouldn't want to create that log entry on their
       | phone, as you'd have to explain it.
       | 
       | Free idea, for anyone who wants it.
        
       | dessant wrote:
       | This is a wonderful service and it's laudable that your heart is
       | in the right place! Please introduce a paid version early on,
       | people are lenient about the early rough edges when you have such
       | an admirable mission statement. Also don't be afraid to release
       | the paid version under AGPL, your users will be happy to pay you
       | for the convenience of an app store installation and hosted
       | infrastructure.
        
       | apayan wrote:
       | Hi everyone. I wanted to start a company that builds privacy
       | preserving/enhancing products+services. The first product was
       | this location sharing service (scratching my own itch), and my
       | friend said I should just put it out there to see if anybody is
       | actually even interested in it. The code is AGPL [1], the crypto
       | is based on libsodium and the mobile apps are all native.
       | 
       | I'd like to find a way to charge for this service so I can spend
       | more time on it, and building other privacy preserving services,
       | but I'm not sure of some things:
       | 
       | * Is this a service you would use?
       | 
       | * Would you pay for it?
       | 
       | * Would you or your company sponsor it?
       | 
       | Happy to answer any questions you may have. Any feedback is
       | appreciated.
       | 
       | P.S. I'm sure you may be wondering "where is the iOS app?". It's
       | coming. Real soon. Now'ish. Later. It's currently undergoing a UI
       | overhaul, and because all of the people I share with are Android
       | users, it hasn't been as high of a priority.
       | 
       | [1] https://github.com/zood
        
         | dangerboysteve wrote:
         | How is this any better than using Signal and sharing location?
        
           | apayan wrote:
           | Signal allows you to explicitly open the app, get your
           | current location, and send that snapshot of your location to
           | someone immediately. That's definitely fine for some use
           | cases.
           | 
           | Zood Location lets you share your location with other people
           | without having to do anything on your part (besides accepting
           | the initial friendship). Then your friend can simply open
           | Zood Location on their phone and they'll be able to see where
           | you are and you won't have to do anything. It's very useful
           | for families trying to coordinate dinner plans after work,
           | determining how soon your partner might be back home to help
           | with the kids and other seemingly trivial things that usually
           | require multiple disruptive calls and text messages.
        
         | CobrastanJorji wrote:
         | Maybe I'm missing something, but where's the product part? The
         | app looks free. There's no discussion of paying. Where's the
         | part where you make money? Is there idea that I install and
         | start using it now, and then once enough people sign up, you
         | yank the free version and begin to charge?
        
           | apayan wrote:
           | It's a fair question. I want this to be sustainable, and you
           | want the services you rely on to be sustainable.
           | 
           | In truth, I'm trying to determine a pricing model right now
           | via this Show HN. I don't intend to "yank the free version"
           | from anyone. Maybe I'll be able to find a freemium model,
           | maybe I'll be able to acquire sponsorships, maybe there will
           | be a way to simply charge for it... I don't know. But folks
           | that start using it now will be grandfathered in, so you
           | don't have to worry if you don't want to pay.
           | 
           | I don't (and won't) have any investors that I need to
           | satisfy. So there's no VC breathing down my neck, pressuring
           | me to squeeze users.
           | 
           | I hope that's a satisfactory answer to your question and that
           | it allays your fears. :-)
        
         | huhtenberg wrote:
         | Excellent stuff. I especially like that this focuses on solving
         | an actual, very specific problem rather than being some
         | amorphous platform.
         | 
         | That said and if I read you correctly, the backend must be some
         | sort of a dumb relay that just routes blobs of data between
         | clients based on how they are grouped. Correct?
         | 
         | If so, then nothing restricts you from relaying _any_ type of
         | data, which is a _fantastic_ foundation to have.
         | 
         | Do you have any details on how two clients would establish
         | trust, exchange keys, if there's a replay protection, etc.? It
         | would make for a good read.
         | 
         | PS. One thing I'd change is the name. It's just... not nice,
         | unpleasant. It also doesn't help that it means an "itch" (zud)
         | in some languages, the kind you get from not taking a shower
         | for a month.
        
           | apayan wrote:
           | Hi huhtenberg. Thanks for the thoughtful reply. :-)
           | 
           | > _That said and if I read you correctly, the backend must be
           | some sort of a dumb relay that just routes blobs of data
           | between clients based on how they are grouped. Correct?_
           | 
           | You're correct. It is just a dumb relay. That's the reason
           | why it's so difficult (impossible?) to come up with a
           | freemium monetization strategy. The server can't see the
           | contents of your communications, so it can't restrict
           | functionality.
           | 
           | > _If so, then nothing restricts you from relaying any type
           | of data, which is a fantastic foundation to have._
           | 
           | I suppose so. What did you have in mind?
           | 
           | > _Do you have any details on how two clients would establish
           | trust, exchange keys, if there's a replay protection, etc.?
           | It would make for a good read._
           | 
           | I don't have anything written up about this (other than the
           | code in the repositories), but if there's interest, I could
           | compose a blog post about it. For the time being, users can
           | verify the privacy of the communication with another friend
           | by comparing the safety number of the friendship (tap the
           | friend's avatar on the map, in the info panel that pops up
           | click the triple dots at the top right, then select 'View
           | safety number'). If your safety numbers match, you know
           | your share with that friend is secure. I got the idea from
           | Signal messenger.
           | 
           | > _PS. One thing I'd change is the name._
           | 
           | Yeah, I'm still reconsidering the name. I've already changed
           | the company name once, but I may have to change it again.
           | It's just hard to come up with an easy to remember+spell name
           | that also has an available domain.
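
The safety-number check described in the reply above, as an added example that is not Zood's code or its actual algorithm: it derives one fingerprint per identity public key, orders the two halves by key bytes so both friends compute the same string, and pins each friend's key on first contact (the TOFU use the author mentions elsewhere in the thread) so a later key change is surfaced for re-verification. The round count, group layout and constructed sample keys are assumptions, loosely modelled on Signal's displayed format.

```python
import hashlib
import hmac

# Constructed parameters for this example (assumed values, not Zood's).
FINGERPRINT_ROUNDS = 5200   # iterated hashing makes grinding a key to a chosen number costly
GROUPS_PER_KEY = 6          # 6 groups x 5 digits per key -> 60 digits for a friendship


def key_fingerprint(public_key: bytes) -> bytes:
    """Iterated SHA-256 over one party's identity public key."""
    digest = hashlib.sha256(public_key).digest()
    for _ in range(FINGERPRINT_ROUNDS):
        digest = hashlib.sha256(digest + public_key).digest()
    return digest


def fingerprint_groups(public_key: bytes) -> list:
    """Render one key's fingerprint as GROUPS_PER_KEY groups of five decimal digits."""
    fp = key_fingerprint(public_key)
    groups = []
    for i in range(GROUPS_PER_KEY):
        chunk = int.from_bytes(fp[5 * i:5 * i + 5], "big")
        groups.append(f"{chunk % 100_000:05d}")
    return groups


def safety_number(my_public_key: bytes, their_public_key: bytes) -> str:
    """Same string on both phones: halves are ordered by key bytes, not by who asks."""
    first, second = sorted((my_public_key, their_public_key))
    return " ".join(fingerprint_groups(first) + fingerprint_groups(second))


def safety_numbers_match(shown: str, read_back: str) -> bool:
    """Compare a number shown on one phone with one read off the other, ignoring spacing."""
    return hmac.compare_digest(shown.replace(" ", ""), read_back.replace(" ", ""))


class FriendKeyStore:
    """Trust-on-first-use pin of each friend's public key (the list the author
    says is kept, encrypted, in the user's backup)."""

    def __init__(self):
        self._pinned = {}

    def observe(self, username: str, public_key: bytes) -> str:
        pinned = self._pinned.get(username)
        if pinned is None:
            self._pinned[username] = public_key
            return "pinned"          # first contact: remember the key
        if hmac.compare_digest(pinned, public_key):
            return "unchanged"
        return "changed"             # warn the user and ask them to re-compare numbers


if __name__ == "__main__":
    alice = bytes(range(32))          # constructed 32-byte public keys
    bob = bytes(range(32, 64))
    print("alice sees:", safety_number(alice, bob))
    print("bob sees:  ", safety_number(bob, alice))
    store = FriendKeyStore()
    print(store.observe("bob", bob), store.observe("bob", bob), store.observe("bob", bytes(range(64, 96))))
```

The relay never needs to see the number; the two users compare it out of band (in person, or over a call), and a mismatch means the public key one side holds for the other is not the one that side actually uses.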
        
         | 0x53 wrote:
         | My wife and I currently use Google maps to share locations with
         | each other. I really hate doing this because I really dislike
         | Google having access to my location. So yes I would use it. I
         | would probably pay $15-20 once or a $1-2 a month for something
         | like this.
        
         | thewojo wrote:
         | No JS on the website (so far)...nice.
         | 
         | Interesting. Been thinking about something like this. You
         | mentioned other privacy preserving services; which products do
         | you think are most in need of privacy preserving alternatives?
        
           | apayan wrote:
           | For Zood Location, I'd like to add a 'Find my phone' feature.
           | It's already mostly done in the Android client (I don't think
           | it's possible on iOS). I just need to implement a landing
           | page on the web that folks can use to log in and make their
           | phone start ringing.
           | 
           | Re: other services.
           | 
           | I'd like to implement something akin to Google Photos but
           | where all your images are encrypted before going up to the
           | cloud for storage. All the fun face recognition features and
           | indexing would have to happen on your phone, but phones are
           | plenty powerful enough these days to do that while you're
           | sleeping and your phone is plugged in and charging.
           | 
           | I'd like to implement a simplified personal assistant like
           | Google Now, that doesn't depend on sending your personal data
           | into the cloud. Again, phones are so powerful and they
           | already know so much about you based on local context, that I
           | think there's a big opportunity for making a "good enough"
           | assistant that doesn't compromise your privacy.
           | 
           | More mundane, but I think still very useful, is being able to
           | store your contacts in the cloud, but making sure they're
           | encrypted with a local key you control, so the storage
           | provider (e.g. Zood) can't see your contact list.
           | 
           | An actually trustworthy VPN provider. Mozilla entered this
           | space a couple months ago, and I think it's great that there
           | is at least one trustworthy VPN brand now. It's a very
           | confusing market for people to navigate, but I'd like to earn
           | the trust of people so a Zood VPN product would become a
           | viable service.
           | 
           | Along the theme of helping people extricate themselves from
           | the advertising and surveillance economy, a service that
           | helps people remove themselves from these junk snail mail
           | lists. You can do it on your own right now, but it can be
           | overwhelming.
           | 
           | I have lots of other little ideas, but they aren't quite
           | ready for discussing. :-)
        
             | novok wrote:
             | There is also https://www.mylio.com which E2E encrypts
             | photos on the cloud, is iOS, Android, Windows and macOS and
             | is very performant. There is also photostructure, but they
             | don't seem to be planning to make mobile clients any time
             | soon :|
             | 
             | One thing I've actually not seen is E2E contacts &
             | calendars. Everything seems to be based on CalDAV & CardDAV
             | which I think forces you to sync them with a server in
             | plaintext. Email is mostly a lost cause, the closest you
             | could approach it is something like protonmail AFAIK.
             | 
             | Also as far as 'good' VPN providers, I think PIA & Mullvad
             | have fairly good reps. Mullvad even lets you pay in mailed
             | in cash.
        
               | mceachen wrote:
               | > There is also photostructure.com, but they don't seem
               | to be planning to make mobile clients any time soon :|
               | 
               | Sorry about that. I certainly get the appeal of "one app
               | to rule them all," but as an indy solo dev, I have to
               | focus on building features that give my users the best
               | bang from my limited time.
               | 
               | File sync is surprisingly hard to do cross-platform--most
               | apps have pretty abysmal app store ratings, including the
               | built-in ones from NAS manufacturers.
               | 
               | I personally use Resilio Sync as a one-trick-pony that
               | just copies my smartphone photos to my NAS. There are
               | several other apps that do this, as well:
               | https://photostructure.com/faq/how-do-i-safely-store-
               | files/#...
               | 
               | PhotoStructure's sync process then automatically finds
               | and imports new files into my library.
               | 
               | A homepage bookmark icon on my phone that links to my
               | personal PhotoStructure library works well.
        
             | wh33zle wrote:
             | Re Google Photos:
             | 
             | Checkout "Stingle Photos" [1], very similar stack to what
             | you described.
             | 
             | [1]: https://stingle.org/
        
         | vorpalhex wrote:
         | > Is this a service you would use?
         | 
         | Yes! I already use a non-privacy centric service like this, and
         | would very much like to swap it out.
         | 
         | > Would you pay for it?
         | 
         | Yes. I'd be willing to pay $30/year for quicker updates. Maybe
         | have a freemium model of an update per 30 mins or 60 minutes, a
         | middle tier of 5 minute accuracy (good enough for most users)
         | and then a premium tier of ~30s accuracy. Maybe play around
         | with the amount of people in a group too - it makes sense to
         | charge more if you're sharing with a small family versus a
         | single friend.
         | 
         | As always with subscriptions, please make them have clear
         | pricing, an option to pay annually (even if there's no savings)
         | and allow auto-renew to be opt-in instead of by default.
         | 
         | On the monetization front, you likely can leverage the same
         | infrastructure for an Enterprise version of the app. What many
         | companies want is a rough geofence app that can let them know
         | when someone is abroad for work and give them location specific
         | information - "Oh hey, you're near the Ohio office. The alarm
         | code is XYZ, and your badge has been given temporary access for
         | the next 3 days."
         | 
         | Especially if you can assure employees that they're only giving
         | rough location information to their employer ("Mary is in
         | Nevada" and not "Mary is at So-and-so brothel in Las Vegas")
         | then it feels like an acceptable tradeoff of information and
         | benefit.
        
         | JoshTriplett wrote:
         | I would _absolutely_ use this, particularly with map
         | integration and messaging /Signal integration. I'd also love to
         | use this to trigger events (e.g. turning off lights when
         | everyone leaves, turning them on when anyone gets home).
         | 
         | Regarding payment: I would get value from this, but primarily
         | in conjunction with a higher-level service built atop it
         | (providing features such as those mentioned above), and I'd
         | want to pay for the higher-level service with this integrated,
         | rather than paying for the building block. (That'd mean either
         | you're providing the higher-level service and getting paid
         | directly, or providing the building block and getting paid by
         | the higher-level service rather than by the end user.)
        
           | apayan wrote:
           | Thanks for the feedback JoshTriplett. :)
           | 
           | Could you describe in more detail what you have in mind
           | regarding "map integration and messaging/Signal integration"?
           | 
           | I totally get what you mean about triggering events based on
           | location (turning off lights, etc.).
        
             | JoshTriplett wrote:
             | The most common thing I'd want to do with location
             | information is display it on a map. For instance, I'd love
             | to use this to help coordinate meeting up with someone, so
             | that we could each see each other on a map. I'd also like
             | the client-encrypted private historical record for a
             | variety of purposes; everything from "what path did we walk
             | on that romantic evening?" to the mundane "where did we
             | park?" or "where did I leave my phone?". All of those need
             | map integration, and that map integration needs to not
             | compromise the privacy properties of the location service.
             | _That_ would be well worth paying for.
             | 
             | The issue is that I wouldn't want to use a _separate_
             | mapping application for that. I don't want to use Google
             | Maps for directions/navigation/restaurants/etc, and a
             | separate app for location sharing. I also don't want Google
             | Maps to have my location information/history. I'd pay for
             | an all-encompassing map service with this feature, and
             | privacy would motivate me to happily pay for that even
             | though Google Maps is "free".
             | 
             | But I can't honestly say I'd pay for _just_ the location
             | feature if I still have to use a different (and non-
             | privacy-preserving) mapping service for everything else. If
             | I can have a single "Maps" application on my device, and
             | that application preserves privacy, I'd _love_ to pay for
             | that; if that app also has location sharing, that's even
             | better.
             | 
             | Messaging or Signal integration would be for the same kind
             | of "meet up" purpose: send someone a link that gives them
             | time-bounded access to a subset of location information
             | (most commonly live information about current location).
        
               | apayan wrote:
               | I see. Thanks for the follow up.
               | 
               | Yeah, I'd happily pay for a privacy preserving mapping
               | app as well. While building this, I felt the need for
               | such a service, and as I pondered it, I felt overwhelmed
               | by the effort to bring such a thing to market. It would
               | also need a significant amount of notoriety to get people
               | to contribute by updating business and city information.
               | The other challenge is that Google Maps is just SO GOOD!
               | I realize it's not great for privacy reasons, but it's
               | simply so easy to use and useful. That's a high threshold
               | of quality and functionality for a new entrant in the
               | mapping space to achieve. That's not even taking into
               | consideration that this new entrant would be charging for
               | something that Google gives away for free, and has had
               | years to perfect. We can see an example of this struggle
               | with Apple Maps.
               | 
               | > _send someone a link that gives them time-bounded
               | access to a subset of location information (most commonly
               | live information about current location)._
               | 
               | You might be happy to know that that functionality is
               | already present in the app. :-) Simply click the floating
               | action button at the bottom right of the main screen of
               | the app, and a timed sharing dialog will appear. Toggle
               | the switch to turn it on, and your location will be
               | broadcasted to a drop box that can only be accessed by
               | the key encoded in a URL that you can copy or share to
               | any app (Signal or otherwise). You can adjust the
               | expiration time of the link as well. It's
               | particularly useful if you're running late to a meeting
               | and you're stuck in traffic, and you want to let the
               | person you're meeting know where you are in real time.
        
         | lambda_obrien wrote:
         | I would pay/donate up to $20 once, or $1 a month or something,
         | if you created a (very easy) containerized deployment I could
         | deploy on my home server and limit to only the phones I choose
         | to allow access, that way only my wife and I (and later my son)
         | can hook into this and share locations with each other. I
         | already have our phones setup to VPN home when off the home
         | WiFi, so this would be great for privacy.
         | 
         | I would pay that much for the cloud offering if you had a
         | contractual/legal obligation NEVER to sell my data EVER, or to
         | sell the service to any company without wiping ALL of my data
         | first.
        
           | growse wrote:
           | It's a little bit of configuring, but it sounds like
           | OwnTracks can do exactly that. You can deploy the recorder
           | container wherever you like and then post / share locations
           | to it from iOS/Android apps, as well as see the last location
           | posted by others on the same instance. Enabling / disabling
           | sharing on the app is a single button press.
           | 
           | (I help maintain the OT Android app)
        
           | apayan wrote:
           | Thanks for the feedback lambda_obrien.
           | 
           | Zood Location only sends your location to users that you have
           | explicitly added, and your location data is end-to-end
           | encrypted before leaving your phone, meaning that the data can
           | only be decrypted by the person you're sharing it with (i.e.
           | your wife or your son).
           | 
           | As for your personal data, Zood doesn't get any of it because
           | of the end-to-end encryption. All the server [1] does is
           | accept blobs of effectively random bytes (encrypted) from
           | users to deliver to other users.
           | 
           | Even if I wanted to sell user data, there wouldn't be
           | anything to sell. Everything is encrypted before it leaves
           | your phone. It's just like Signal in that regard.
           | 
           | [1] https://github.com/zood/oscar
        
             | fitblipper wrote:
             | I would like more information on what information exactly
             | zood receives and stores.
             | 
             | Does zood know who is sharing with whom? Is the data usage
             | to username logged?
             | 
             | Does the amount of data sent to zood increase as a function
             | of 1. How many people you are sharing your location with 2.
             | If you are traveling quickly 3. If you are on battery saver
             | or not?
        
               | apayan wrote:
               | Hey fitblipper. Good questions. :)
               | 
               | > _I would like more information on what information
               | exactly zood receives and stores._
               | 
               | When you sign up, the Zood Location server receives
               | 
               | * the username you picked
               | 
               | * (optionally, if you provided it) your email address
               | 
               | The server also stores a backup of various pieces of data
               | for you, but this data is encrypted on your phone before
               | being backed up to the server. It's exactly like how a
               | password manager backs up your passwords to the cloud so
               | you can access them from any machine. THIS DATA IS ALL
               | ENCRYPTED ON YOUR PHONE with a key DERIVED FROM YOUR
               | PASSWORD before the blobs are sent to the server.
               | 
               | The encrypted data includes:
               | 
               | * your symmetric key
               | 
               | * your asymmetric key
               | 
               | * your password salt
               | 
               | * the algorithm used for your password derived key
               | (currently, argon2id)
               | 
               | * your friends list and their public keys (for TOFU
               | reasons)
               | 
               | Again, all that data is encrypted in the app on your
               | phone before it ever leaves your device. This is no
               | different than using a password manager.
               | 
               | > _Does zood know who is sharing with whom?_
               | 
               | The most information that the server can ever see is that
               | some user sent some communication to a particular user.
               | The contents of the message are unknown. Location sharing
               | actually happens through "drop boxes" to make it more
               | difficult for the server to see when and how often users
               | send communications. When a friendship is established,
               | the friends agree upon drop box addresses to use for each
               | other, and they simply place encrypted data in the drop
               | box for the other user to check whenever it wants.
               | 
               | In theory, I could perform metadata analysis to try to
               | statistically determine friendships, but I still wouldn't
               | know anybody's location. The server code is available,
               | and not terribly complicated so it's easy to verify that
               | no analysis is happening there [1].
               | 
               | > _Is the data usage to username logged?_
               | 
               | For debugging purposes, I can have the server log to
               | stdout when a user makes a REST call to drop an encrypted
               | blob on the server, or when a REST call is made to send
               | an encrypted blob to another user, but that's off in
               | production. It was there to help me build the thing.
               | 
               | In general, thwarting metadata analysis by the person
               | running the service is tough. I look to what the Signal
               | messenger folks are doing in this space to improve
               | things.
               | 
               | > _Is the amount of data sent to zood increase as a
               | function of 1. How many people you are sharing your
               | location with_
               | 
               | If you have more friends, your phone will send more
               | encrypted blobs to different drop boxes on the server.
               | The reason is that though you only physically exist in
               | one point of space at a time, because communication with
               | each friend is end-to-end encrypted, your phone will
               | encrypt the location info payload for each friend with
               | their own public key. So if you have 5 friends, every
               | time your location changes, your phone will encrypt the
               | payload 5 different times and place it in five different
               | drop boxes on the server.
               | 
               | > _2. If you are traveling quickly_
               | 
               | That's based on your phone's operating system and
               | version. Google and Apple are always tweaking how often
               | location updates are reported to apps. But if a location
               | update comes in, Zood will encrypt it and upload it.
               | 
               | > _3. If you are on battery saver or not?_
               | 
                | I don't really use battery saver, but I think location
                | services are disabled when your phone is in that state, so
               | Zood wouldn't get any location updates at all. I could be
               | wrong about that.
               | 
               | [1] https://github.com/zood/oscar
        
         | rasengan wrote:
         | This is a hell of an idea and very important. I have a question
         | though - by enabling location sharing on device, is the
         | location not being leaked to Apple and Google regardless?
         | 
         | Either way, awesome idea and love to see what you're doing.
        
           | apayan wrote:
           | Thanks for the supportive words rasengan. :)
           | 
           | My current understanding is that location data is not leaked
           | to Google or Apple by just enabling location services (I'm
           | always happy to be proven wrong :-) ).
           | 
           | In the case of Google/Android, they make it very easy to
           | unknowingly opt-in to sharing your data with them, but it's
            | not too hard to double check that and disable+delete the data
            | if it was on [1].
           | 
           | I know there has been much news about Google providing police
           | with a list of devices near the time and location of a crime,
           | and I believe that data is coming from the Location History
           | feature of Google accounts. But that's something that can be
           | turned off.
           | 
           | Apple more explicitly requests the data via app permissions
           | on your iPhone, so it basically comes down to what Apple apps
           | to which you've given location permission [3].
           | 
            | [1] https://support.google.com/accounts/answer/3467281
            | 
            | [2] https://support.google.com/accounts/answer/3118687
            | 
            | [3] https://support.apple.com/en-us/HT203033
        
             | StavrosK wrote:
             | It is, to get back coordinates you have to use Google's
             | location API, which tells Google where you are. That's why
             | the actual app doesn't matter to me (a privacy advocate)
             | because no matter how private your app is, Google will
             | always have my location.
             | 
             | Nowadays I just keep the GPS off unless I need to use Maps,
             | hopefully that does something.
        
       | dzelzs wrote:
       | I would pay for something like that, if i could integrate it with
       | my Matrix homeserver. One of the features that is lacking, and
        | for exactly the reason (at least AFAIK) that private location
       | sharing doesn't exist.
        
         | apayan wrote:
         | > _if i could integrate it with my Matrix homeserver_
         | 
         | Could you describe in more detail what kind of integration
         | you're considering? Would you just want to be able to see your
         | friend's location published in a channel as they move?
        
       | jackpea wrote:
       | Would love to see an RSS feed for the blog
        
         | apayan wrote:
         | So would I. :-)
         | 
         | It's on my TODO list.
        
       | thoughtfunction wrote:
       | I'm glad that other people are thinking of making 'the privacy
       | company', it's something that has been itching at the back of
       | mind to do too, along with research into what is currently
       | around:
       | 
       | * https://thoughtfunction.com/2020/05/my-e2ee-apps/
       | 
       | * https://thoughtfunction.com/2020/05/e2ee-note-taking-app-res...
       | 
       | * https://thoughtfunction.com/2019/10/why-mylio/
        
       | tobib wrote:
       | Love the idea, it's exactly what we need. I go on long walks and
       | I'd like my partner to know where I am so she knows when I'll be
       | home or to surprise me along the route.
       | 
       | So far we've always shared via Whatsapp which recently stopped
       | working for some reason. But I also don't want to use Google maps
       | or Whatsapp for privacy reasons. If you could find a way to make
       | 100% sure Google won't "intercept" the location and store it
       | anyway, that would be great.
       | 
       | I'd use it probably 3-4 times a week. I'd be happy to pay for it
       | but please don't do the standard 10 bucks a month thing, I won't
       | even bother then. How about a model based on usage? 10c/hour or
       | something for the one sharing? (Being shared with could be free).
       | If I had to commit to a subscription, I'd probably not sign up if
       | it's more than 2 bucks a month.
        
       | digisocialnet wrote:
       | Interesting idea! The users locations are completely private to
       | the service?
        
         | apayan wrote:
         | Correct. The servers never see anybody's location.
        
           | dividuum wrote:
           | But the embedded google map (especially when zoomed in or
           | slowly panning across multiple map tiles) provides an
           | approximate location to google regardless. Maybe that's
           | irrelevant, but something to consider. Avoiding this might be
           | tricky without hosting your own tiles and adding explicit
           | obfuscation when requesting tiles.
        
             | apayan wrote:
             | You hit the problem right on the head. The only way to
             | really solve it is to host my own tile server (expensive)
             | and add some sort of 3rd party proxy service between the
             | app and the Zood tile server (so Zood could not surveil
             | your tile loads).
             | 
             | I'd like to host my own tile server in the future, but it
             | depends on revenue, which is just not there right now.
             | 
             | Also, and this is just my opinion, I don't think Google is
             | trying to surveil people via tile loading patterns. I'm not
             | saying it's impossible, but there are far easier ways to
             | surveil users than examining tile loading patterns. So for
             | the time being, I'm ok using the Google Maps SDK.
             | 
             | Privacy, like trust, is not binary, but a spectrum. My hope
             | is that Zood Location can start increasing the amount of
             | privacy people enjoy in their digital lives, and over time,
             | the app can be improved to increase that level of privacy.
        
               | myself248 wrote:
               | Very tangentially related, a distributed tile service
               | could be interesting. I'd love to just download a virtual
               | appliance, point it at some disk space, and tell it how
               | much bandwidth to use. Maaaaybe tell it what region to
               | focus on, if I want to use my own local tile server for
               | my own local projects because it won't ratelimit me
               | because I'm me.
               | 
               | But if I could just do that, and with no further admin
               | overhead, contribute to some sort of tile-cloud, I'd find
               | that a lot more meaningful than seeding my favorite
               | distro's torrents, you know?
        
               | novok wrote:
               | I don't know if openstreetmaps provides a free tile
               | server, but I could see that as an option for the more
                | privacy minded. Or to preload a basic map so you're not
               | querying a tile server, and to go even further, preload a
               | more detailed map like older offline GPS apps.
               | 
               | In the iOS app you can also add an option to use apple
               | maps instead too.
        
               | myself248 wrote:
               | You're not supposed to use OSM's free servers in
               | production, and the options for running your own are
               | assembly-required to such a degree that I can't even
               | assess how far beyond my own skills they lie.
        
       | some_furry wrote:
       | I took a quick look at the source code. It's providing end-to-end
       | encryption with libsodium, using crypto_box [1],
       | crypto_secretbox[2], and crypto_pwhash for password-based key
       | derivation [3].
       | 
       | The public key model appears to be TOFU [4]. It's doing a
       | distinct crypto_box per notification [5]. It doesn't use an
       | authenticated key exchange or offer key rotation or forward
       | secrecy, but that's probably fine for this use case. Not too long
       | ago, I wrote a guide to end-to-end encryption [6], and I would
       | classify the "end-to-end encryption" here as meeting the minimum
       | definition (data is encrypted between devices, rather than in a
       | client-server architecture where the server has access to
       | plaintext), even if it's not suitable for more sensitive threat
       | models.
       | 
       | One thing I didn't see was message padding of location data prior
       | to encryption, to prevent side-channel attacks via ciphertext
       | length. [7] I don't know if I missed this, or if it was omitted.
       | 
       | [1]
       | https://github.com/zood/george/blob/52ddae2b5f65d324e1785c2d...
       | 
       | [2]
       | https://github.com/zood/george/blob/52ddae2b5f65d324e1785c2d...
       | 
       | [3]
       | https://github.com/zood/george/blob/52ddae2b5f65d324e1785c2d...
       | 
       | [4]
       | https://github.com/zood/george/blob/52ddae2b5f65d324e1785c2d...
       | 
       | [5]
       | https://github.com/zood/george/blob/52ddae2b5f65d324e1785c2d...
       | 
        | [6] https://soatok.blog/2020/11/14/going-bark-a-furrys-guide-to-...
       | 
       | [7] https://ioactive.com/ssl-traffic-analysis-on-google-maps/
        
         | apayan wrote:
         | I love the comment! Thank you some_furry. You're a quick code
         | reader.
         | 
         | You're correct that it doesn't offer key rotation or forward
         | secrecy. That's something I definitely want to add (assuming
         | anybody actually finds this service useful).
         | 
         | > _One thing I didn 't see was message padding of location data
         | prior to encryption, to prevent side-channel attacks via
         | ciphertext length. [7] I don't know if I missed this, or if it
         | was omitted._
         | 
         | You didn't miss it. It's not there. It's something I should
         | add.
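The two mechanisms discussed in this subthread, apayan's per-friend encryption of one location payload into agreed drop boxes and the ciphertext-length padding some_furry asked about, as one added example. This is not Zood's code (neither george nor oscar) and not libsodium: Go's standard-library X25519 plus SHA-256 and AES-256-GCM stand in for crypto_box, the padding follows the ISO/IEC 7816-4 layout that libsodium's sodium_pad uses, and the function names, the padBlock size, the drop box ids and the JSON payloads are all assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Payloads are padded to a multiple of padBlock bytes before encryption
// so ciphertext length stops tracking payload length (arbitrary value).
const padBlock = 64

// Pad applies ISO/IEC 7816-4 padding (0x80 marker, then zeros) as sodium_pad does.
func Pad(msg []byte) []byte {
	out := make([]byte, len(msg)+padBlock-len(msg)%padBlock)
	copy(out, msg)
	out[len(msg)] = 0x80
	return out
}

// Unpad strips that padding and rejects input without a marker byte.
func Unpad(padded []byte) ([]byte, error) {
	i := len(padded) - 1
	for i >= 0 && padded[i] == 0x00 {
		i--
	}
	if i < 0 || padded[i] != 0x80 {
		return nil, errors.New("bad padding")
	}
	return padded[:i], nil
}

// pairAEAD derives the symmetric cipher for a (sender, recipient) pair from an
// X25519 shared secret. Simplification: crypto_box uses HSalsa20 + XSalsa20-Poly1305.
func pairAEAD(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	secret, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ShareLocation is the fan-out apayan describes: one padded payload is encrypted
// once per friend, keyed by the agreed drop box id (a value the server sees but
// cannot tie to an identity). The returned id -> nonce||ciphertext||tag map is all it gets.
func ShareLocation(me *ecdh.PrivateKey, friends map[string]*ecdh.PublicKey, location []byte) (map[string][]byte, error) {
	padded := Pad(location)
	boxes := make(map[string][]byte, len(friends))
	for box, pub := range friends {
		aead, err := pairAEAD(me, pub)
		if err != nil {
			return nil, err
		}
		nonce := make([]byte, aead.NonceSize())
		if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
			return nil, err
		}
		boxes[box] = aead.Seal(nonce, nonce, padded, nil)
	}
	return boxes, nil
}

// ReadDropBox is the recipient side: rebuild the pair cipher from the sender's
// pinned (TOFU) key, authenticate, decrypt, strip padding. Another friend's blob fails here.
func ReadDropBox(me *ecdh.PrivateKey, senderPub *ecdh.PublicKey, blob []byte) ([]byte, error) {
	aead, err := pairAEAD(me, senderPub)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	padded, err := aead.Open(nil, blob[:n], blob[n:], nil)
	if err != nil {
		return nil, err
	}
	return Unpad(padded)
}

func main() {
	curve := ecdh.X25519()
	alice, _ := curve.GenerateKey(rand.Reader)
	bob, _ := curve.GenerateKey(rand.Reader)
	// Constructed sample payload and drop box id.
	boxes, _ := ShareLocation(alice, map[string]*ecdh.PublicKey{"box-7f3a": bob.PublicKey()}, []byte(`{"lat":0,"lon":0}`))
	fmt.Printf("server sees box-7f3a: %d opaque bytes\n", len(boxes["box-7f3a"]))
	got, err := ReadDropBox(bob, alice.PublicKey(), boxes["box-7f3a"])
	fmt.Printf("bob reads %s (err=%v)\n", got, err)
}
```

The server-side view is the returned map: drop box ids and blobs of uniform size, with no way to tell a short coordinate pair from a long one or to open any of them. What the example does not give you matches some_furry's review: the pair key is static, so there is no key rotation or forward secrecy.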
        
           | some_furry wrote:
           | If you're interested in using the X3DH handshake that Signal
           | specified, I ported a slight variant of it (which uses
           | libsodium) in TypeScript not too long ago:
           | 
           | https://github.com/soatok/rawr-x3dh
           | 
           | There's no low-level crypto code here, just high-level
           | protocol stitching. This is still something you'd want to
           | hire experts to review if you built it in Java, of course.
        
       | proactivesvcs wrote:
       | According to Exodus Privacy[1] the app uses Microsoft and Huawei
       | telemetry/analytics. Are the reports correct?
       | 
       | I saw the web site has a laudable privacy policy. Do you have a
       | published privacy policy for the app?
       | 
        | [1] https://reports.exodus-privacy.eu.org/en/reports/hr.ersteban...
        
         | apayan wrote:
          | That's not my app. Zood Location has zero analytics or telemetry
         | [1]. The app id in the link you provided is some banking app
         | with an id of 'hr.erstebank.george'.
         | 
         | Zood Location's app id is 'xyz.zood.george'. The only thing
         | they have in common is the word 'george' in their app
         | identifier string.
         | 
         | Zood Location also has a privacy policy. [2]
         | 
         | [1] https://github.com/zood/george
         | 
         | [2] https://www.zood.xyz/privacy/mobile-apps
        
       | 1996 wrote:
       | For people who do not care so much about the privacy, you should
       | consider a "simpler" mode.
       | 
       | This would also let you work around the network effect: simply
       | send a text (for people without dataplans but infinite text) or
       | an email with the GPS coordinates + a link to the google map (or
       | OSM, or bing maps..) in one click. Not much data required.
       | 
       | Even better: add a "tracking" mode to automatically send the
       | coordinates every minute, as an email reply (to create a thread)
       | which could be useful when you are going to roam the bars and
       | don't want (or won't be sober enough) to update your friends of
       | where to meet.
       | 
       | I would also like GPG encoding: again, to work around the network
       | effect, GPG encode the email before sending it. Useful for
       | emailing myself or hacker friends.
       | 
       | I would seriously pay for that, especially with the option to run
       | the AGPL backend on my own server (the client should have a field
       | to optionally select another server)
        
       ___________________________________________________________________
       (page generated 2020-12-08 23:01 UTC)