MVP User Access Control #788
gmaclennan started this conversation in Ideas. Replies: 0 comments
This is a proposal for a Minimum Viable Product (MVP) for adding minimal User Access Control (UAC) to Mapeo. I'm interested in feedback, in particular:
Goal
A user can choose whether other Mapeo Mobile users in the same project can see the data they collect.
Why?
Currently, when a Mapeo user syncs with another device, all data is synced, so all members of a project eventually end up with all data from all devices and can see the data that every user has collected. This is fine when there is trust between project members, but there are situations where a group of users might want to collect data for a project without other users being able to see the data they are collecting.
Proposed Solution
Add a setting to Mapeo Mobile that allows a user to turn on "Hide my data from other Mapeo Mobile users". When this is turned on, the user can sync with other devices and the user's data will not be visible on any other mobile device that they sync to. Under this proposal, the data will still be synced, but it will not be visible. The data from all users will be visible on Mapeo Desktop, regardless of the "hide my data" setting.
The proposed implementation has some limitations (see below) but will be faster to implement and simpler to use than a more robust encryption-based implementation, although an encryption-based solution may be a better option long-term.
Why not limit sync?
An alternative approach would be to give the user control over which devices they sync to, e.g. the user decides to only sync to other "trusted" devices in the project. However, that device could then sync to an "untrusted" device and pass on the user's data. E.g. Karina does not trust Alfredo and chooses not to sync with them. Karina then syncs with Nicola, whom they trust. However, at a later date Nicola syncs their device with Alfredo, and Alfredo ends up with all of Karina's data, despite Karina's desire not to sync with Alfredo.
The other disadvantage of limiting sync is that data could get "stuck" on a device without centralised sync coordination, e.g. data can no longer sync from user to user until it reaches a project coordinator; instead every user would need to sync with the project coordinator to ensure data arrives.
Limitations & Security
The proposed implementation (below) does not use encryption to hide the data. It is unencrypted on the device, but there would be no way to access it either through the app or by reading the phone's data via adb or USB (because Mapeo stores all data in a "sandboxed" folder that can only be accessed by the app itself and no other process). However, a malicious user could access hidden data by "rooting" their phone. Rooting a phone is a highly technical task involving overwriting the phone's ROM and bootloader and requires detailed knowledge which is different for every phone (e.g. here is the process for a common device our partners use, the Ulefone Armor 2). When a phone is rooted the user can access the data from any app, so it would be possible for a user with a rooted phone to access the Mapeo data folder, read the raw Mapeo Core database and access data that had been hidden from them.
This proposal allows users of Mapeo Desktop to see data from all users, regardless of the "hide my data" setting. This is motivated by three reasons:
The setting would not take effect until after users have synced. E.g. if Karina has already synced with Nicola and Alfredo before turning on the setting "Hide my data", then Nicola and Alfredo would be able to see any data that they had synced with Karina until they sync with Karina again. The "Hide my data" option would sync along with the data, so if Karina turns on "Hide my data" then syncs with Nicola, then Nicola syncs with Alfredo, then neither Nicola nor Alfredo will be able to see Karina's data, including data that was previously synced (it would disappear from view on Nicola's and Alfredo's phones).
Implementation ideas
We add a "user preference" record to the Mapeo Core database that is written to the user's hypercore. In Mapeo Core, when requesting data, we filter out data from any hypercores where the user preference record has the value hideData=true. We might also want to avoid indexing data from "hidden" hypercores, although that would be for performance rather than functionality. The front end would not require any changes.
Encrypting data for specific users, using a mechanism like PGP, is more secure, but will take longer to implement and has some UX challenges around how a user selects who will be able to decrypt their data. Also, an encryption solution would not affect any previously collected data that has already been synced (other users would already have it, decrypted), so it might be necessary to combine both approaches (hide existing data, encrypt future data) to achieve what the user would expect.