FOSS mobile app Stingle wants to privately, securely back up your photos
With Google Photos killing off its Unlimited photo backup policy last November, the market for photo backup and sync applications opened up considerably. We reviewed one strong contender—Amazon Photos—in January, and freelancer Alex Kretzschmar walked us through several self-hosted alternatives in June.
Today, we’re looking at a new contender—Stingle Photos—which splits the difference, offering a FOSS mobile application which syncs to a managed cloud.
Trust no one
Arguably, encryption is Stingle Photos’ most important feature. Although the app uploads your photos to Stingle’s cloud service, the service’s operators can’t look at your photos. That’s because the app, which runs on your phone or tablet, encrypts them securely using Sodium cryptography.
Since the photos are encrypted before ever leaving your phone—using a key that isn’t ever available to Stingle’s operators—you’re safe from attackers getting a photo dump from Stingle’s cloud. You’re also safe from Stingle’s own operators pulling a LOVEINT on you or getting socially engineered by someone with a believable voice begging to get your photos back.
Since Stingle can’t do anything useful with the encrypted cloud backups of your photos, you also don’t need to worry about strange things happening as a result of your photos being fed to machine-learning algorithms—they’re just garbage bits, to anyone without your private key.
Stingle has gone out of its way to make the way it works as clear as possible to security- and privacy-focused users. The company put out a detailed white paper outlining its security practices and giving an excellent overview as to how the service works. And for the truly paranoid, access to the application’s source code closes the gap the rest of the way.
Having access to the source code especially helps close potential loopholes in what Stingle can and can’t do with your photos. Since the cloud storage is effectively useless to anyone but the user, that leaves the mobile app itself as the only place to get up to any chicanery, before the photos are encrypted and sent to the cloud (or after they’re downloaded and decrypted).
We did not attempt anything like a full code audit of the Stingle Photos app, but we did walk through the code far enough to have a good idea of what it’s doing and how. No glaringly obvious gotchas leapt out at us.
By default, Stingle Photos uploads a backup of the user’s private key to the Stingle cloud (which is hosted redundantly at Digital Ocean, using redundant Wasabi buckets). This allows the app to function on a new device without the user having to manually and cumbersomely back up and restore the private key themselves.
Astute users’ eyebrows likely just shot through the roof—if Stingle has my private key, how do I know the company isn’t using it? The answer is that the key is also encrypted, before bundling it up and sending it to the cloud for backup.
This is an extremely simplified overview of how the method works:
- User creates a new Stingle account, specifying a password or passphrase
- Stingle Photos hashes the password or passphrase locally and uploads the hash to the back end
- Stingle Photos generates public and private keys derived from the user’s password hash
- Stingle Photos bundles up the pubkey and privkey, then it encrypts the bundle using the user’s full password or passphrase
- Stingle Photos uploads the encrypted key bundle to the cloud for backup
We’re leaving out a fair amount of the hairy details, such as specific algorithms, salts, and so forth—interested and crypto-fluent folks should check out the original white paper to see the bits we skipped over in the name of readability here.
The key here is that Stingle never has access to the user’s real password or passphrase at all—only a hash of it. Since the user authenticates themselves using the hash but needs the full password—not just its hash—to decrypt the key bundle, the key bundle is therefore safe to store remotely.
If the user elects not to back up the key bundle, they instead need to back up their private key themselves—which Stingle delivers in the form of a 24-word Diceware-style passphrase. After installing the Stingle app on a second device, the user would then need to manually import the “backup phrase”—which is really their private key—onto the second device.
On the other hand, if the user allows Stingle Photos to back up the key bundle, they only need their password to access photos on a second device. After logging in, the second device downloads the encrypted key bundle, decrypts it with the user’s full password or passphrase (which, remember, never leaves the device) and everything’s instantly ready to go.
Stingle Photos also supports optional biometric authentication—if you want access to your backed-up photos and videos without having to type in a passphrase every time, you can enroll your fingerprint and use it to unlock the app more quickly.
Features and Platforms
We tested Stingle Photos on two Android devices, a Pixel 2XL and a Huawei MediaPad M5 Pro. Support for iPhones and iPads is on the way but has not arrived yet—along with support for Linux, Windows, and Mac PCs.
The app takes a very different approach than Google Photos, Amazon Photos, or Apple Photos. All three of the tech giants’ apps try to offer everything under the Sun: machine learning to categorize photos and sort them into galleries and albums, print- and swag-creation services, and more.
Stingle Photos is stark and minimalist by comparison. It imports photos (automatically or manually, at the user’s discretion), syncs them, and allows you to organize them into albums. That’s pretty much it, apart from the typical Android “sharing” options which dump a (decrypted) photo into another app directly. We shared, for example, one photo via the Textra SMS app by tapping the share icon for that photo then selecting a Textra contact.
When importing photos either automatically or manually, Stingle offers the option to delete them after successfully importing them. If you turn automatic deletion on, you ensure that a phone thief can’t thumb through your photos, even if they unlock the phone itself—but it does mean Stingle is no longer a “backup.” Instead, auto-deletion turns Stingle into the sole repository for your photos, with all lost if Stingle is lost.
No web client is available for Stingle Photos. So for right now, you’ll need an Android device to view any Stingle-stored photos. Since a web client isn’t anywhere on Stingle’s published roadmap, we expect that even as Windows, Linux, and Mac clients become available, you’ll still need to install an application to view photos—not just log into a website with your favorite browser.
Although we’ve referred mostly to photos, Stingle Photos manages videos and photos interchangeably—just like most other mobile camera and backup apps do.
The Stingle Photos app is free—as is your first 1GiB of cloud storage. Stingle’s business model revolves around those who need more than that first gibibyte of storage—which we’re fairly confident means “everyone” now, especially since Stingle stores your photos and videos at full resolution. There isn’t even an option to downsample before encryption and uploading—the media you store locally is the media you’re backing up, period.
The first paid tier is 100GiB, for which you’ll pay $2.99 per month—or you can pay $29.90 for a year up front, saving yourself the cost of two months. 300GiB costs $4.99/mo, 1TiB costs $11.99/mo, and 3TiB costs $35.99/mo, with the same two-months-free savings for upfront annual purchases. (Larger plans are also available for those who need them.)
Atoms Lanka Solutions