Anti-government graffiti that reads “Death to the dictator” in Farsi was sprayed on a wall north of Tehran on September 30, 2009.
In the midst of growing government internet control, surveillance and censorship in Iran, a new Android app aims to give Iranians a way to speak freely.
Nahoft, which means “hidden” in Farsi, is an encryption tool that converts up to 1,000 characters of Farsi text into a seemingly random jumble of words. You can send that jumble to a friend through any communication platform (Telegram, WhatsApp, Google Chat, etc.), and they run it through Nahoft on their own device to decipher what you said.
Launched last week on Google Play by United for Iran, a San Francisco-based human rights and civil liberties group, Nahoft is designed to address multiple aspects of Iran’s internet crackdown. In addition to generating encrypted messages, the application can also encrypt communications and imperceptibly embed them in image files, a technique known as steganography. Recipients then use Nahoft on their end to inspect the image file and extract the hidden message.
Iranians can use end-to-end encrypted apps like WhatsApp for secure communications, but Nahoft, which is open source, has a crucial fallback for when those apps cannot be reached. The Iranian regime has repeatedly imposed almost total internet blackouts in particular regions or throughout the country, including for a full week in November 2019. Even without connectivity, however, if you have already downloaded Nahoft you can still use it locally on your device. Enter the message you want to encrypt and the application spits out the encoded message in Farsi. From there, you can write that seemingly random string of words into a letter, or read it to another Nahoft user over the phone, and they can enter it into their app manually to see what you were really trying to say.
“When the Internet goes down in Iran, people cannot communicate with their families inside and outside the country, and for activists everything comes to a sudden halt,” says Firuzeh Mahmoudi, executive director of United for Iran, who lived through the 1979 Iranian revolution and left the country at the age of 12. “And increasingly, the government is moving towards layered filtering, banning different digital platforms and trying to find alternatives for international services like social media. This doesn’t look very good; it’s the direction we definitely don’t want to see. So this is where the app comes in.”
Iran is a highly connected country: more than 57 million of its 83 million citizens use the internet. But in recent years the country’s government has focused heavily on developing a massive state-controlled network, or intranet, known as the “National Information Network,” or SHOMA. This increasingly gives the government the ability to filter and censor data and to block specific services, from social media to circumvention tools like proxies and VPNs.
This is why Nahoft was intentionally designed as an application that works locally on your device rather than as a communication platform. To use it during a complete internet shutdown, users must have downloaded the app beforehand. Overall, though, it will be difficult for the Iranian government to block Nahoft as long as Google Play remains accessible there, according to United for Iran strategic adviser Reza Ghazinouri. Since Google Play traffic is encrypted, Iranian surveillance cannot see which apps users download. So far Nahoft has been downloaded 4,300 times. It’s possible, says Ghazinouri, that the government will eventually develop its own app store and block international offerings, but for now that ability seems far off. In China, for example, Google Play is banned in favor of app stores from Chinese tech giants like Huawei and a curated version of the iOS App Store.
Ghazinouri and journalist Mohammad Heydari came up with the idea for Nahoft in 2012 and presented it as part of the second round of United for Iran’s “Irancubator” technology accelerator, which started last year. The Operator Foundation, a Texas nonprofit development group focused on internet freedom, designed the Nahoft app, and German penetration testing company Cure53 conducted two security audits of the application and its encryption scheme, which is based on proven protocols. United for Iran has published the findings of these audits along with detailed reports on how it fixed the problems Cure53 found. In its original December 2020 review of the app, for example, Cure53 found some major issues, including critical weaknesses in the steganographic technique used to embed messages in photo files. All of these vulnerabilities were fixed before the second audit, which returned more moderate issues such as Android denial-of-service vulnerabilities and a bypass of the app’s auto-delete passcode. Those issues were also fixed before launch, and the app’s GitHub repository contains notes on the improvements.
The stakes are high for an app that Iranians are meant to trust to circumvent government surveillance and restrictions. Any failure in the implementation of the cryptography could put people’s secret communications, and potentially their safety, at risk. Ghazinouri says the group took every precaution it could think of. For example, the random word combinations the app produces are specifically designed to appear low-key and benign: using real words makes encrypted messages less likely to be flagged by a content scanner. The United for Iran researchers also worked with the Operator Foundation to confirm that currently available scanning tools do not detect the encryption scheme used to generate the scrambled words. That makes it less likely that censors can recognize encrypted messages and build a filter to block them.
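To make the two layers described above concrete, here is an added example in Go; it is not Nahoft’s code or its actual scheme, and the 16-word vocabulary, the nibble-per-word mapping and the fixed 32-byte key are my own constructions. The message is first encrypted and authenticated (AES-GCM), and only then is the ciphertext rendered as dictionary words, so the text a scanner sees is ordinary vocabulary while any altered, dropped or reordered word is caught by the authentication tag rather than silently misread.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"slices"
	"strings"
)
// Constructed 16-word vocabulary (Nahoft uses a Farsi word list; these English words are placeholders).
// Each byte of nonce||ciphertext becomes two words, one per nibble, so the output reads as ordinary text.
var vocab = strings.Fields("apple bread cloud dance eagle field grape honey island jasmine kettle lemon meadow night ocean pearl")
// aead returns AES-256-GCM; the fixed 32-byte key type makes the NewCipher/NewGCM errors unreachable.
func aead(key [32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:])
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// Seal encrypts and authenticates with AES-GCM, then renders nonce||ciphertext as words.
func Seal(key [32]byte, plaintext []byte) (string, error) {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	var words []string
	for _, b := range g.Seal(nonce, nonce, plaintext, nil) {
		words = append(words, vocab[b>>4], vocab[b&0x0f])
	}
	return strings.Join(words, " "), nil
}
// Open maps words back to bytes (rejecting any outside the vocabulary) and decrypts; tampering fails the GCM tag.
func Open(key [32]byte, text string) ([]byte, error) {
	g := aead(key)
	words := strings.Fields(text)
	if len(words)%2 != 0 || len(words)/2 < g.NonceSize() {
		return nil, errors.New("malformed message")
	}
	raw := make([]byte, 0, len(words)/2)
	for i := 0; i < len(words); i += 2 {
		hi, lo := slices.Index(vocab, words[i]), slices.Index(vocab, words[i+1])
		if hi < 0 || lo < 0 {
			return nil, errors.New("word not in vocabulary: " + words[i] + " " + words[i+1])
		}
		raw = append(raw, byte(hi<<4|lo))
	}
	return g.Open(nil, raw[:g.NonceSize()], raw[g.NonceSize():], nil)
}
```

A real word list would be far larger than 16 entries and the key would come from a proper key exchange; the point here is the ordering of the layers, not the vocabulary.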
You can set a passcode required to open Nahoft and set an additional “kill code” that will erase all app data when entered.
“There has always been a gap between communities in need and the people who claim to work for them and develop tools for them,” says Ghazinouri. “We are trying to reduce that gap. And the app is open source, so experts can audit the code themselves. Encryption is an area where you can’t just ask people to trust you, and we don’t expect anyone to trust us blindly.”
In a 2020 academic talk, “Crypto for the People,” Brown University cryptographer Seny Kamara made a similar point. The forces and incentives that typically guide crypto research and the creation of encryption tools, he argued, overlook and discount the specific needs of marginalized communities.
Kamara has not audited Nahoft’s cryptographic code or design, but he told WIRED that the project’s goals dovetail with his ideas about encryption tools created by people, for people.
“In terms of what the app is trying to accomplish, I think this is a good example of a major security and privacy issue that the tech industry and academia have no incentive to solve,” he says.
With Iran’s internet freedom rapidly deteriorating, Nahoft could become a vital lifeline in keeping communication open inside and outside the country.
This story originally appeared on wired.com.