Password protect your (sensitive) habits

[aschrijver]

Habits are very personal, and therefore sensitive information. Having the app on your phone, everyone having access to the device could scan your private habits.

It would be great if you could either:

• Password protect the app entirely
  • This can be combined with Encrypted Backups (#382)

or:

• Password protect selected habits that are considered sensitive (e.g. stop smoking, when your parents don't know you do, or taking your mental-health related medicines, etc.)
  • This can be combined with: Add option to hide some habits (#375)

[iSoron]

Thank you for the suggestion, @aschrijver. There was some discussion about this in #86. As explained in that issue, I am against password-protecting the entire app. Not only because there are already other apps that can do that for you, but, more importantly, because it would be hard to do it right.

However, I am open to the suggestion of hiding private habits on the main list. One way this could work is the following. When creating a habit, the user could tick a checkbox saying "This habit is private". When the app is launched, private habits are not shown on the list by default. If the user wants to see these habits, they must click the filter icon and uncheck "Hide private". After clicking, they are required to type a PIN. If the correct PIN is given, the habits are shown, otherwise they keep hidden. This PIN could be set up after the user creates their fist private habit.

There are still a bunch of important question we need to figure out before moving forward with this:

• What happens when the user forgets the PIN? Surely we can't simply allow them to set a new one in the settings, otherwise your nosy friends or parents could very easily circumvent this protection. Conventional email-based password reset is out of question, since the app works completely offline.
• How does this impact the ability to import and export data? If the adversary can export a full CSV file, they can get access to your private habits. We would probably need a PIN when exporting the data too.
• The list of habits is actually displayed in other places, too. For example, the list is displayed when the user is adding a widget or creating an action on Tasker. How do we handle private habits in those situations?
• I would like to have some plausible deniability here, so that the user cannot be forced to reveal their password. One idea is to let the app pretend it accepted a secondary fake PIN, but only reveal the private habits when the primary one is given.

[aschrijver]

Very nice elaboration of the options, @iSoron !

With regards to protecting private habits and the security requirements, i would say: It does not need to be super-secure. Protection against average users should be enough (friends/family who are sniffing your phone, the average bum who stole it).

So going from a KISS approach and given the app is fully offline I'd say on each point:

• Forgotten the PIN? Too bad. You've lost your private habit history. You can recreate new private habits with a new pin. The old encrypted data is erased, or backed-up in a different file (better, if you allow to re-attach it if you remember the PIN)
• Import/export. Export requires PIN, otherwise only export public habits, or cancel. Maybe with additional option to export encrypted. If exported as encrypted an import requires the current PIN, otherwise it just adds to the current encrypted data file and no PIN needed.
• Display elsewhere. I wasn't aware of these features. I would say: restrict to public data. Open the app itself to access private habits
• Plausible deniability. Is this needed given security requirements? If having this you could, say, after 5 wrong attempts display 'No private habits..' screen. But if you are pretending a successful access, then you should also allow the unauthorized person the ability to create private habits etc., or it will not be convincing. Also when next the PIN is asked you should immediately allow access on the last attempted wrong PIN, or it would be obvious that is was unsuccessful.

I think the PIN coul just as well be a PASS, i.e. allow characters. A number is harder to remember a word. Also allow weak passwords, given security requirements, and the fact you cannot retrieve forgotten passwords.

[yohannd1]

Well, maybe there could be also a recovery key (randomly generated) that could be given to the user when the password is enabled, and he/she would be asked to annotate them in a secure place, like a password manager, a hidden paper or something.

[nxxxse]

Just to ping the people subscribed to this issue, I created #529 which addresses a related issue that I am surprised nobody in this issue has faced before.