Tor & Encryption

[eragmus]

Hi, I am cross-posting about two things previously shared with Breadwallet & ArcBit.

First, has there been any work or thinking done on Tor for Airbitz (iOS)? I've noticed a Tor implementation by a single app on iOS (ChatSecure), which allegedly supports Tor right now.

ChatSecure, as of version 3.0 on Jan. 5, 2015, has had Tor support. See here:
https://chatsecure.org/blog/chatsecure-ios-v3-released/

"Right now (to my knowledge) we are the only messaging app on the App Store that supports Tor. Although the current implementation appears to be functional, please only use it for testing purposes until it has been studied further by security professionals. In other words, do not rely on it for strong anonymity, and use something like TAILS instead.

During our journey to add Tor support, we first tried to extract the Tor management code from Mike Tigas’s Onion Browser, but discovered it was too tightly coupled with the rest of the app. We also investigated Tor.framework by Hive Wallet but it required some awkward patching of the Tor source code, and has since been deprecated by the original developers. Eventually we discovered Claudiu-Vlad Ursache’s CPAProxy, a more modern attempt at a thin Objective-C wrapper around Tor’s control port. Although it is currently missing a few features like customizable bridges and pluggable transports (and a security audit), I would encourage other developers who are interested in adding Tor support to their iOS apps to help us improve CPAProxy."

Relevant links:

https://github.com/chatsecure/onionkit
https://github.com/ChatSecure/Tor.framework
https://github.com/ursachec/CPAProxy
https://github.com/ChatSecure/CPAProxy

Downsides of Tor support in ArcBit:

Slow Tor speed --> This would seem to be an issue only when syncing the wallet, not when receiving transactions or sending transactions to the network. So, is it possible to sync the wallet with the network without Tor (I don't imagine any identifying data is sent during the sync, or am I wrong?), but use Tor for the other purposes?

---

Second, on another note, how does Airbitz encrypt its data, if at all, or does it only rely on iPhone's encrypted storage?

I ask because of ChatSecure's notes on 'encrypted storage', where they say:

When ChatSecure iOS v2.0 was released over a year ago, it contained a major overhaul of the internal data model to support Core Data, Apple’s solution for data persistence. We originally planned on utilizing the MITRE Corporation’s encrypted-core-data project, which adds a customized NSPersistentStoreCoordinator backed by Zetetic’s SQLCipher. Unfortunately working with Core Data can be terribly frustrating, especially when you cannot debug its closed-source internals.

Fortunately we discovered YapDatabase by Robbie Hanson, an Objective-C key-value-collection store built on top of sqlite. It has all sorts of nice features like a coherent concurrency model, fast full text search, easy binding to UITableView, and more. If you develop iOS apps, I strongly encourage you to check it out, especially in conjunction with something like Mantle. Because it is built on top of sqlite, it was relatively straightforward for us to add SQLCipher support (use the YapDatabase/SQLCipher Cocoapods subspec).

"all content is locally encrypted in a SQLCipher database"

Can, or should, the same approach be used to 'better' encrypt Airbitz data on iOS?

[swansontec]

Most of this stuff is iOS-specific. The Airbitz wallet core runs on iOS, Android, and desktop *nix, so we can't use any ObjectiveC or Apple-specific technologies in there.

The Airbitz wallet talks to three different types of servers. The login server has an HTTP/REST interface, and handles username lookup on first login, as well as checking the PIN on each PIN login, handling 2fa, and a few other chores like that. This server is zero-knowledge, meaning it doesn't actually know the username, PIN, or any other personally-identifiable data, just hashes. If the server goes down, users can still access their wallets locally via password login.

Airbitz connects to the Bitcoin network via libbitcoin servers. These servers use a ZeroMQ-based interface, and the libbitcoin project has efforts underway to enable Tor for these connections. If/when that work comes to fruition, we will most likely adopt it.

Airbitz also uses Git servers to sync files between devices. We use the HTTPS transport currently.

The libbitcoin idea for Tor is to run ZeroMQ over a SOCKS proxy, which then provides the Tor routing. This works great on Android, where the Tor client can literally be a separate process. On iOS we will have to host the Tor client inside our app's main process, but this shouldn't be too much work (just rename their main() function to startTor() or such and call it on a separate thread). Once we have a Tor proxy working for libbitcoin, we can probably run the other two types of connections over that as well.

We encrypt all our own data using AES256. We don't write anything to disk without encryption, aside from a few device-only files. These files are synced between devices using Git, as mentioned earlier. The username and password, when combined with salts stored on the login server, derive the first-level encryption keys for this data. These first-level keys then unlock the second-level keys, which unlock the data itself. This way, we can change the username and password without re-encrypting everything - we just need to re-encrypt the second-level keys. The second-level keys can also be unlocked using the PIN.

[eragmus]

Thanks for the response. Sorry for the late reply.