Full walkthrough with comments: view on YouTube (slightly outdated, but the core principles are there).
Firestore database. If you're able to crack it open and decode the encrypted secrets, please share how so that the vulnerability can be fixed.
Apps
Download from PlayStore (Android).
Download from AppStore (iOS).
Features:
- Register. Sign up with only a `primary password`. It is used for very sensitive operations, such as secret deletion, backups, etc.
- Add a new secret. The black screen is the biometrics authentication prompt; it is not shown in the recording on purpose.
- Preview a secret's data.
- Update a secret's name, note or code.
- Delete a secret.
- Back up all your secrets from the DB to a locally encrypted file.
- Auto-backup all your secrets from the DB to a locally encrypted file on app start. This is an extra safety layer in case someone obtained the data in Firestore and tampered with it: the user will always be able to access their `backups` locally. The black screen is the biometrics authentication prompt; it is not shown in the recording on purpose.
- Delete backups. Everything is removed from local storage.
- Login via key (recover account). Recover your account using the key generated during the registration process.
- Data in Firestore. Everything is encrypted or hashed.
I've combined years of experience in tech and Flutter and decided to give back to the community.
At first Secretum started as a personal project, but with time I decided I wanted to do more.
With the increasing popularity of blockchain and cryptocurrencies, people tend to have a very hard time securing their private keys, and these keys can easily get lost if stored offline (although offline storage is the most secure). Secretum makes it easier to store private keys online with full leverage of hashing and encryption.
The user creates their own Firebase project, so only they can access it. Since each user runs their own project, there is no shared database holding everyone's secrets, and a compromise of one Firestore database affects only that one user.
- The user creates an account by entering only a `password`. This `password` is used for sensitive operations, such as updating `secret.code`, generating backups, etc.
- A random `key` is generated and shown to the user. This key is stored locally using Flutter Secure Storage and is used for encrypting and decrypting data. Furthermore, this key is the only way to recover the account if one deletes the app or logs out.
- The user's `password` and `key` are hashed with `SHA256`, and only the hashes are stored in `firestore`.
- The user enters the app and can create their `secrets`. Before a `secret` is sent to `firestore`, its data is encrypted using the `key`, and only then is it sent to `firestore`.
- In order to read encrypted data from `firestore`, all data is decrypted on the device so that it is readable in the app.
This way all the data is either `encrypted` or `hashed`, and even with the raw data from `firestore` there is no way to decrypt anything without knowing the key.
Additional functionality includes backups:
- On app start, all of the user's `secrets` are stored in a local text file on the device. That file's data is encrypted (the same as in `firestore`).
- The user can access each backup via the app.
- The user can wipe all locally stored backups at any moment.
- This backup mechanism ensures that if the data in Firestore is compromised, the user can still always access their latest non-compromised data set.
- The user can back up their `secrets` on demand.
And the best part: if you want to recover your account, all you need to do is:
- Enter your `key`.
- If the `hashed key` is found in Firestore, you will be logged in with that account's data.
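The account and secret flow described above (registration, encrypt-before-write, read-and-decrypt, and recovery by hashed key), as an added example that is not part of the project's own code. It is written in Go against the standard library rather than in the project's Dart, and it simulates Firestore with an in-memory map. The document layout (`Account`, a `Store` indexed by SHA-256 of the key), AES-256-GCM as the cipher and the sample secret used in the test are all assumptions: the page says the data is encrypted with the key but does not name the cipher.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Account is one Firestore document as assumed here: hashes and ciphertext only,
// never the key, the password or a plaintext secret.
type Account struct {
	PasswordHash string
	KeyHash      string
	Secrets      map[string][]byte // name -> nonce || AES-GCM ciphertext+tag
}

// Store stands in for Firestore (constructed for this example), indexed by
// SHA-256(key) because that is what the "login via key" lookup searches for.
type Store map[string]*Account

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Register mirrors sign-up: a random 256-bit key is generated, only SHA-256(password)
// and SHA-256(key) are persisted, and the raw key goes back to the client's secure storage.
func Register(store Store, password string) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	store[sha256Hex(key)] = &Account{
		PasswordHash: sha256Hex([]byte(password)),
		KeyHash:      sha256Hex(key),
		Secrets:      map[string][]byte{},
	}
	return key, nil
}

// Client is the app side: the account it is logged into plus an AES-256-GCM
// instance built from the key. The key itself never leaves the device.
type Client struct {
	acc  *Account
	aead cipher.AEAD
}

// Recover is "login via key": hash what the user typed in and look it up.
// A wrong key simply finds nothing; the store holds no key to compare against.
func Recover(store Store, key []byte) (*Client, error) {
	acc, ok := store[sha256Hex(key)]
	if !ok {
		return nil, errors.New("no account matches this key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Client{acc: acc, aead: aead}, nil
}

// AddSecret encrypts under a fresh random nonce before the value is written,
// so one key can protect many secrets without ever reusing a nonce.
func (c *Client) AddSecret(name, code string) error {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	c.acc.Secrets[name] = c.aead.Seal(nonce, nonce, []byte(code), nil)
	return nil
}

// unseal fails on a wrong key or on any modification of the stored blob,
// which is how a tampered Firestore document is detected on read.
func (c *Client) unseal(blob []byte) (string, error) {
	n := c.aead.NonceSize()
	if len(blob) < n {
		return "", errors.New("stored blob is too short to hold a nonce")
	}
	pt, err := c.aead.Open(nil, blob[:n], blob[n:], nil)
	return string(pt), err
}

// ReadSecret fetches the ciphertext from the store and decrypts it on the device.
func (c *Client) ReadSecret(name string) (string, error) {
	blob, ok := c.acc.Secrets[name]
	if !ok {
		return "", errors.New("no such secret")
	}
	return c.unseal(blob)
}
```

The local backup file described in the next section is, under these assumptions, just the `Secrets` map written to disk as-is: the blobs are already encrypted under the key, so the file is only readable with the key, and a wrong key or a tampered entry fails at `unseal` exactly as a tampered Firestore document would. Two points worth keeping from this example: a fresh nonce per secret is required because one key encrypts everything, and an authenticated cipher is what turns a tampered document into a clean error rather than garbage. Hashing the random 256-bit key with SHA-256 is sound because the key has full entropy; the user-chosen password is the weaker input, so if its hash is ever relied on against an attacker holding a Firestore dump, a memory-hard password hash (scrypt or Argon2) resists offline guessing far better than a plain SHA-256 digest.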
Unfortunately I don't have an iOS/Android device with face recognition, therefore I was not able to test the authentication flow with it. It might give some unexpected behaviour.
Furthermore, if the device does not have any biometrics or pattern lock, it might misbehave.
Secretum has the Firestore configuration files git-ignored. If you would like to clone the project and run it against your own Firestore, you can do so as follows:
- Clone the project.
- Create a new Firebase project. Give it a random, hard-to-guess name (for instance from a generator); this greatly reduces the chance of someone guessing your project ID and trying to exploit it. Treat this as obscurity only: the Firestore rules (a later step) are what actually restrict access.
- Create Android and iOS apps. As the package/bundle id specify `com.secretum`.
- Download `google-services.json` (Android), rename it to `google-services-prod.json` and put it in the `../secretum/tools/environment-generator/` directory.
- Follow the guide on how to correctly reference `GoogleServices-Info.plist` for iOS (very important: drag-and-drop instead of copy-paste).
- Download a second copy of `GoogleServices-Info.plist`, rename it to `GoogleServices-Info-prod.plist` and put it in the `../secretum/tools/environment-generator/` directory.
- Go to `../secretum/tools/environment-generator/` and run `node environment-generator prod`. The Firebase configs (`prod`) will be copied into the right places with additional parameters. You can also build `dev` if you'd like a second, independent Firebase project to work on (perfect for development).
- Go to your Firebase project and enable `anonymous authentication` within `Authentication`.
- Go to your Firebase project and enable `Firestore Database`.
- Set up Firestore rules to your preference. Do not leave the permissive "test mode" rules that Firebase offers when the database is created: for their limited window they let anyone who knows the project ID read and write the data, and the rules are the only server-side access control the hashed keys and ciphertext have.
- Delete the existing Secretum app and build the app from source.
- Check the logs after registration and make sure to create the right indexes (the URLs are provided in the console output by Firestore).
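A minimal rules file for the "Set up Firestore rules" step, added here as an example and not taken from the project (the project does not publish its rules and its collection names are not on the page, so this rule matches every document). It rejects every request that does not carry a Firebase Auth token, so only the app's anonymous-auth sessions, not arbitrary clients that have discovered the project ID, can read or write the hashed keys and ciphertext:

```text
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Only requests carrying a Firebase Auth token (the app's anonymous
    // sessions) may read or write; unauthenticated requests are rejected.
    match /{document=**} {
      allow read, write: if request.auth != null;
    }
  }
}
```

Anonymous sign-in can be performed by anyone holding the app's Firebase config, so this rule only keeps out unauthenticated scanners. Binding documents to `request.auth.uid` would be tighter, but the key-based recovery flow reads an account by hashed key rather than by uid, so a per-user rule has to be written against the project's actual schema.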
After you've set up Firebase and linked its configuration, you should be able to run the build locally. After you create your user, all data will be linked to your Firestore.
My hope is that some of you might find this project useful. If you do - feel free to share your appreciation via donations:
- Bitcoin
bc1q6ze04kw5s6dvptk22m9l0yjk43uewykfeks0tj
- Nano
nano_3pozzop44i7kyz4afg7teno41w4sm8q1genyu9rwdxmidfszpzjxitxq4js7
- Monero
44yBuwJXmTmc1fEDaxSKTwVz9As3FkzyHZDqmwCXSnNSWi9tUyieeyt2mgnpzusHFRRKcp7p31jAh9CN1G6dZb3F2MT2j3J