
This would be a broad question - but I'm asking specific to the situation around an app that I've developed.

In short, I've written an app that allows users to persist their photos and videos to the 'cloud'.

In an effort to keep this brief I won't go into too much detail but, essentially, any media captured through the app will be synced to Azure Blob Storage. Should they wish to access this again in the future, I have a bit of .NET that will generate a SAS token.

That's fine; from what I understand, it's a typical implementation for secure storage of media.

Question

As the developer, I can jump onto the Azure portal at any time and view any media that I want.

Even if I were to take on other developers in the future, naturally there'd be serious restrictions over the team accessing data in the prod environment, but still - somebody has access.

This doesn't feel quite right, am I missing a security/privacy measure here?

I'm thinking about pushing this app soon, potentially marketing it but, at first, simply handing the APK to family and friends for wider use and testing of the beta - I'll have access to their most personal memories. Is it a matter of trust or is there some way I can implement a certificate or something somehow for this?

Note: Obviously only the original authors can download via SAS token; I don't just generate the SAS token for anybody authenticated/anonymous.

DanDev

2 Answers


am I missing a security/privacy measure here?

Yes. Get the client to encrypt the blob before it is uploaded to the cloud, with a key which is known only to the client and not to you. There are some issues around users with multiple devices/losing devices etc but they're mostly solved problems, you just need to understand the tradeoffs you're making.

Philip Kendall
  • Thanks for the reply - would this answer still apply when the media/data is shared between multiple users? – DanDev Oct 19 '21 at 11:16
  • In the example I've given so far, e2e encryption would be nice and simple for the one user. But what if I needed to grant another user access to one of the author's blobs? – DanDev Oct 19 '21 at 11:18
  • To your first comment: yes, just some key management needed. Again, solved problem. To your second comment: if you can do that without the user's permission, you can just grant yourself permission to view all the media and you're back where you started. Work out whether privacy or this feature is more important to your use case. – Philip Kendall Oct 19 '21 at 11:26
  • It'd be with the user's permission, they would grant access to somebody else. I guess this is precisely what the google shared photo album feature, for example, must've already implemented. In this case - would user A (the original author) 'hand' the encryption key to user B? – DanDev Oct 19 '21 at 11:38
  • Again, thanks - really appreciate the response. I can't upvote your answer because I don't have the rep. – DanDev Oct 19 '21 at 11:38
  • In Google's case, no. They have the ability to read all your photos so don't need to worry about all this. – Philip Kendall Oct 19 '21 at 14:27

The cloud, as it's sometimes defined, is just someone else's computer. In this case, you are the cloud and other people are uploading files to your computer. So yes, it is normal that you would have the technical capability to look at these files.

I come from a European perspective where the GDPR regulates how user data can be processed. There must be a privacy notice that explains for what purposes you will use the data. And you would be required to implement technical and organizational measures to ensure this. For example, when your company grows, an organizational measure would be to train employees to recognize the sensitivity of this data. You should also limit who has access credentials for production systems. Another measure could involve logging all accesses, so that it can later be proven that no user data was accessed without good reason.

Ideally, trust in the cloud service would not be necessary. This is achievable with end-to-end encryption, where the user encrypts the data before uploading it. But this severely limits the functionality of the cloud service, as the service can merely host the encrypted blobs, but cannot compress or convert the image and cannot display them on a website. The user would have to download and decrypt the photos before being able to view them. Where the client software is provided by the cloud service provider, security is diminished because the provider could insert a backdoor through an update. This is particularly relevant where the client software is a web application. Client-side encryption also has issues around key management: if the encryption keys are lost, the encrypted data is lost. Most consumers do not have a suitable backup solution and tend to rely on account recovery mechanisms that place significant trust in the service provider.

amon