Description: When someone tries to force me to unlock my status app/wallet, I want to enter a panic phrase in order to unlock a dummy version of my app that doesn’t contain any useful information for the attacker.
Use case: As a user, I want to know what to do when I get robbed/someone forces me to unlock my app/give away my passphrase.
Target user: Users potentially exposed to local threats/attackers
Why this is important: We do a lot to prevent powerful, network or intrusion based attacks where many devices/apps are compromised with more primitive means.
Any other comments:
Plausible deniability is a good feature to ensure security against life threatening. When crypto wallets become popular, more criminals would start targeting Status, and threatening users to unlock their crypto wallets.
In past, the password would hash against the master key, and there were no wrong password, but any password would get a unique key, which enabled this plausible deniability. This model does not work anymore, and what we need now is a way of creating a “hidden volume”, something like TrueCrypt 7.1a have:
This model is perfect because all users have a standard volume, encrypted by a password, which looks the same if a user have a hidden volume (encrypted by other password), therefore it’s impossible to proof a user have a hidden volume.
The truecrypt model have some drawbacks, such as, if a user have a hidden volume, it must always type both passwords, even if willing to write to the standard volume.
If Status implements this, I would suggest that the hidden volume contains the password of the standard volume, and everytime the hidden volume is mounted, the standard volume is mounted too.
If user opens their wallet with their standard volume password, the hidden volume is destroyed because new data would likely overwrite the hidden volume, therefore “panic locking” Status and permanently destroying the chat history.
Each volume would have its own wallet, chatid and database, and who uses hidden volumes would be encouraged to add dummy data and a couple of bucks to this standard volume, so it to look like it have something, but nothing interesting. Both volumes could be generated by the seedphrase, e.g., if a user creates a wallet with hidden volume, the seed phrase derives the dummy masterkey (wallet/chatid).
This article addresses some other considerations as well:
The next best-case scenario is that you have perhaps a few seconds or at most a minute to delete or otherwise protect your account. Signal is very good about this: The deletion option is front and center in the options screen, and you don’t have to input any data. WhatsApp and Telegram require you to put in your phone number, which is not ideal — fail to do this correctly and your data is retained.
What really needs improvement is emergency deletion when your phone is no longer in your control . This could be a case of device seizure by police, or perhaps being forced to unlock the phone after you have been arrested. Whatever the case, there need to be options for a user to delete their account outside the ordinary means.
Here are a couple options that could work:
Trusted remote deletion : Selected contacts are given the ability via a one-time code or other method to wipe each other’s accounts or chats remotely, no questions asked and no notification created. This would let, for instance, a friend who knows you’ve been arrested remotely remove any sensitive data from your device.
Self-destruct timer : Like Telegram’s feature, but better. If you’re going to a protest, or have been “randomly” selected for additional screening or questioning, you can just tell the app to delete itself after a certain duration (as little as a minute perhaps) or at a certain time of the day. Deactivate any time you like, or stall for the five required minutes for it to trigger.
Poison PIN : In addition to a normal unlock PIN, users can set a poison PIN that when entered has a variety of user-selectable effects. Delete certain apps, clear contacts, send prewritten messages, unlock or temporarily hard-lock the device, etc.
Customizable panic button : Apple’s emergency mode is great, but it would be nice to be able to attach conditions like the poison PIN’s. Sometimes all someone can do is smash that button.