
Stingle is a privacy-focused open source photo backup application


Despite the encryption, Stingle Photos is a distinctly minimalist app that comes closer to the simple feel of an analog album than most of its competitors do.

Kohei Hara / Getty Images


With Google Photos killing off its Unlimited photo backup policy last November, the market for photo backup and sync applications opened up considerably. We reviewed one strong contender—Amazon Photos—in January, and freelancer Alex Kretzschmar walked us through several self-hosted alternatives in June.

Today, we're looking at a new contender—Stingle Photos—which splits the difference, offering a FOSS mobile application that syncs to a managed cloud.

Trust no one

Arguably, encryption is Stingle Photos' most important feature. Although the app uploads your photos to Stingle's cloud service, the service's operators can't look at your photos. That's because the app, which runs on your phone or tablet, encrypts them securely using Sodium cryptography.

Since the photos are encrypted before ever leaving your phone—using a key that isn't ever available to Stingle's operators—you're safe from attackers getting a photo dump from Stingle's cloud. You're also safe from Stingle's own operators pulling a LOVEINT on you or getting socially engineered by someone with a believable voice begging to get your photos back.

Since Stingle can't do anything useful with the encrypted cloud backups of your photos, you also don't need to worry about strange things happening as a result of your photos being fed to machine-learning algorithms—they're just garbage bits to anyone without your private key.

Transparency

Stingle has gone out of its way to make how it works as clear as possible to security- and privacy-focused users. The company put out a detailed white paper outlining its security practices and giving an excellent overview as to how the service works. And for the truly paranoid, access to the application's source code closes the gap the rest of the way.

Having access to the source code especially helps close potential loopholes in what Stingle can and can't do with your photos. Since the cloud storage is effectively useless to anyone but the user, that leaves the mobile app itself as the only place to get up to any chicanery, before the photos are encrypted and sent to the cloud (or after they're downloaded and decrypted).

We did not attempt anything like a full code audit of the Stingle Photos app, but we did walk through the code far enough to have a good idea of what it's doing and how. No glaringly obvious gotchas leapt out at us.


Key backup

By default, Stingle Photos uploads a backup of the user's private key to the Stingle cloud (which is hosted redundantly at Digital Ocean, using redundant Wasabi buckets). This allows the app to function on a new device without the user having to manually and cumbersomely back up and restore the private key themselves.

Astute users' eyebrows likely just shot through the roof—if Stingle has my private key, how do I know the company isn't using it? The answer is that the key is also encrypted before bundling it up and sending it to the cloud for backup.

This is an extremely simplified overview of how the method works:

User creates a new Stingle account, specifying a password or passphrase

Stingle Photos hashes the password or passphrase locally and uploads the hash to the back end

Stingle Photos generates public and private keys derived from the user's password

Stingle Photos bundles up the pubkey and privkey, then it encrypts the bundle using the user's full password or passphrase

Stingle Photos uploads the encrypted key bundle to the cloud for backup

We're leaving out a fair amount of the hairy details, such as specific algorithms, salts, and so forth—interested and crypto-fluent folks should check out the original white paper to see the bits we skipped over in the name of readability.

The key here is that Stingle never has access to the user's real password or passphrase at all—only a hash of it. Since the user authenticates themselves using the hash but needs the full password—not just its hash—to decrypt the key bundle, the key bundle is therefore safe to store remotely.

If the user elects not to back up the key bundle, they instead need to back up their private key themselves—which Stingle delivers in the form of a 24-word Diceware-style passphrase. After installing the Stingle app on a second device, the user would then need to manually import the "backup phrase"—which is really their private key—onto the second device.

On the other hand, if the user allows Stingle Photos to back up the key bundle, they only need their password to access photos on a second device. After logging in, the second device downloads the encrypted key bundle, decrypts it with the user's full password or passphrase (which, remember, never leaves the device) and everything's instantly ready to go.
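The backup and second-device restore flow described above, as an added sketch that is not Stingle's code and is not taken from its white paper. It assumes scrypt, a randomly generated X25519 key pair and AES-256-GCM from Node's built-in crypto module in place of the algorithms the overview skips, and every function name is hypothetical.

```javascript
// Added sketch, not Stingle's code: primitives and parameters are assumptions
// taken from Node's built-in crypto module (scrypt, X25519, AES-256-GCM).
const crypto = require('node:crypto');

// Password -> 32-byte secret. Distinct salts give unrelated outputs, so the
// login hash reveals nothing about the key that wraps the bundle.
const kdf = (password, salt) => crypto.scryptSync(password, salt, 32);

// Encrypt the key bundle under a password-derived key (never sent anywhere).
function sealBundle(password, bundle) {
  const wrapSalt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', kdf(password, wrapSalt), nonce);
  const ct = Buffer.concat([c.update(bundle), c.final()]);
  return { wrapSalt, nonce, ct, tag: c.getAuthTag() };
}

// Returns the plaintext bundle, or null if the secret is not the password.
function openBundle(secret, sealed) {
  const d = crypto.createDecipheriv('aes-256-gcm', kdf(secret, sealed.wrapSalt), sealed.nonce);
  d.setAuthTag(sealed.tag);
  try {
    return Buffer.concat([d.update(sealed.ct), d.final()]);
  } catch {
    return null; // GCM tag check failed: wrong key
  }
}

// Device-side registration. Only `serverRecord` is uploaded.
function register(password) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('x25519');
  const bundle = Buffer.concat([
    publicKey.export({ type: 'spki', format: 'der' }),
    privateKey.export({ type: 'pkcs8', format: 'der' }),
  ]);
  const authSalt = crypto.randomBytes(16);
  const authHash = kdf(password, authSalt); // what the server checks at login
  return { bundle, serverRecord: { authSalt, authHash, sealed: sealBundle(password, bundle) } };
}

// Second device: log in with the hash, download the record, unwrap locally.
function restoreOnNewDevice(password, serverRecord) {
  const loginOk = crypto.timingSafeEqual(kdf(password, serverRecord.authSalt), serverRecord.authHash);
  return loginOk ? openBundle(password, serverRecord.sealed) : null;
}
```

The separation only holds because the login hash and the wrapping key come from different salts; deriving both the same way would hand the server the wrapping key.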

Stingle Photos also supports optional biometric authentication—if you want access to your backed-up photos and videos without having to type in a passphrase every time, you can enroll your fingerprint and use it to unlock the app more quickly.


Features and platforms

Browsing the Stingle Photos gallery is simple and snappy—although you'll need to organize your photos manually; all Stingle does automatically is organize by date.

Stingle Photos' first login page succinctly gets its raison d'être across—nobody can see your photos but you.

Stingle Photos can automatically import photos from specified folders, or you can disable automatic import and do it manually.

Storage plans are selected within the app itself. The first 1GiB is free—enough to give you a taste of whether the app will work for you.

If you want encrypted local storage without the cloud backup, you can do that. You can also limit backup to Wi-Fi connections only and/or good battery conditions.

We tested Stingle Photos on two Android devices, a Pixel 2XL and a Huawei MediaPad M5 Pro. Support for iPhones and iPads is on the way but has not arrived yet—along with support for Linux, Windows, and Mac PCs.

The app takes a very different approach from those of Google Photos, Amazon Photos, or Apple Photos. All three of the tech giants' apps try to offer everything under the Sun: machine learning to categorize photos and sort them into galleries and albums, print- and swag-creation services, and more.

Stingle Photos is stark and minimalist by comparison. It imports photos (automatically or manually, at the user's discretion), syncs them, and allows you to organize them into albums. That's pretty much it, apart from the typical Android "sharing" options, which dump a (decrypted) photo into another app directly. We shared, for example, one photo via the Textra SMS app by tapping the share icon for that photo and then selecting a Textra contact.

When importing photos either automatically or manually, Stingle offers the option to delete them after successfully importing them. If you turn automatic deletion on, you ensure that a phone thief can't thumb through your photos, even if they unlock the phone itself—but it does mean Stingle is no longer a "backup." Instead, auto-deletion turns Stingle into the sole repository for your photos, with all lost if Stingle is lost.

No web client is available for Stingle Photos. So for right now, you'll need an Android device to view any Stingle-stored photos. Since a web client isn't anywhere on Stingle's published roadmap, we expect that even as Windows, Linux, and Mac clients become available, you'll still need to install an application to view photos—not just log in to a website with your favorite browser.

Although we've referred mostly to photos, Stingle Photos manages videos and photos interchangeably—just like most other mobile camera and backup apps do.

Cloud-storage pricing

The Stingle Photos app is free—as is your first 1GiB of cloud storage. Stingle's business model revolves around those who need more than that first gibibyte of storage—which we're fairly confident means "everyone" now, especially since Stingle stores your photos and videos at full resolution. There isn't even an option to downsample before encryption and uploading—the media you store locally is the media you're backing up, period.

The first paid tier is 100GiB, for which you'll pay $2.99 per month—or you can pay $29.90 for a year up front, saving yourself the cost of two months. 300GiB costs $4.99/mo, 1TiB costs $11.99/mo, and 3TiB costs $35.99/mo, with the same two-months-free savings for upfront annual purchases. (Larger plans are also available for those who need them.)