<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Breaks &amp; Ciphers</title>
    <link>https://breaksciphers.com/</link>
    <atom:link href="https://breaksciphers.com/feed.xml" rel="self" type="application/rss+xml"/>
    <description>A small R&amp;D lab focused on open-source cybersecurity, cryptography, and privacy.</description>
    <language>en</language>
    <lastBuildDate>Wed, 15 Jul 2026 13:48:48 +0000</lastBuildDate>
    <item>
      <title>Google keeps losing court cases about Android</title>
      <link>https://breaksciphers.com/notes/google-keeps-losing-court-cases-about-android/</link>
      <guid>https://breaksciphers.com/notes/google-keeps-losing-court-cases-about-android/</guid>
      <pubDate>Wed, 15 Jul 2026 14:00:00 +0000</pubDate>
      <description><![CDATA[<p><img src="https://breaksciphers.com/notes/google-keeps-losing-court-cases-about-android/google-courts.jpg" alt=""></p>
<p>Google has been getting hammered this year for monopolistic Android practices, yet they still have highly questionable ongoing initiatives.</p>
<p>Their losses so far this year:</p>
<ul><li><a href="https://www.bbc.com/news/articles/cvgj0pp5p62o" target="_blank" rel="noopener noreferrer">The EU successfully fined them €4.1 billion</a> for anti-competitive practices in Android, including that Google required device manufacturers to pre-install Google Chrome and Google Search as a condition for giving their users access to the Play Store.</li><li><a href="https://arstechnica.com/gadgets/2026/03/google-and-epic-look-to-bury-the-hatchet-with-new-app-store-settlement/" target="_blank" rel="noopener noreferrer">Epic Games successfully sued them over their Play Store practices</a>. This has resulted in upcoming changes in the US that include reduced commission rates and a requirement for the Google Play catalogue of apps to be shared with third-party app stores. Further news broke this week that <a href="https://www.theverge.com/policy/965792/google-epic-withdraw-injunction-third-party-app-stores-coming-google-play" target="_blank" rel="noopener noreferrer">the proposed settlement between Epic Games and Google was withdrawn</a>, resulting in an additional requirement for the Google Play app itself to host third-party app stores.</li></ul>
<p>Here&#x27;s some ongoing initiatives I have encountered myself, which could see them back in court:</p>
<ul><li>Devices without Play Protect certification are unable to attain the <a href="https://developer.android.com/google/play/integrity/verdicts#device-integrity-field" target="_blank" rel="noopener noreferrer">MEETS_DEVICE_INTEGRITY</a> or <a href="https://developer.android.com/google/play/integrity/verdicts#optional-device-labels" target="_blank" rel="noopener noreferrer">MEETS_STRONG_INTEGRITY</a> labels in the Play Integrity API. This can result in app developers locking out all devices that haven&#x27;t gone through Google&#x27;s device certification programme. Thankfully, very few apps are currently requiring MEETS_STRONG_INTEGRITY.</li><li>Google is <a href="https://cloud.google.com/security/products/recaptcha" target="_blank" rel="noopener noreferrer">replacing some CAPTCHA puzzles on websites with QR code scanning</a>. For Android users, the device you scan the QR code with <a href="https://support.google.com/recaptcha/answer/16609652" target="_blank" rel="noopener noreferrer">must have Google Play Services installed</a>. So your browsing experience on your laptop is becoming affected by your choice of mobile device. I&#x27;ve encountered this QR code scan requirement once so far.</li><li>Google is bringing in a requirement that <a href="https://support.google.com/android-developer-console/answer/16561738?hl=en" target="_blank" rel="noopener noreferrer">Google-certified Android devices must only allow app installs from developers who have gone through Google&#x27;s Developer Verification programme</a>. This includes apps installed from third-party app stores. Most devices are Google-certified so they can give Play Store access to their users, but soon that same certification will lock out developers who have rejected Google&#x27;s verification process.</li></ul>
<p>I don&#x27;t like how Android has been a treasure trove of user data for Google, and I also don&#x27;t like when security features have a dual purpose of monopolising. In the past, we might see these initiatives and hope they are for our benefit. But now we have strong evidence from the courts that Google&#x27;s past actions haven&#x27;t put Android users and developers first. This is a strong motivation for engineers to contribute to the software ecosystem of de-Googled Android, including projects like <a href="https://grapheneos.org/" target="_blank" rel="noopener noreferrer">GrapheneOS</a>, <a href="https://f-droid.org/en/" target="_blank" rel="noopener noreferrer">F-Droid</a>, <a href="https://accrescent.app/" target="_blank" rel="noopener noreferrer">Accrescent</a>, and <a href="https://obtainium.imranr.dev/" target="_blank" rel="noopener noreferrer">Obtainium</a>.</p>]]></description>
      <media:thumbnail url="https://breaksciphers.com/notes/google-keeps-losing-court-cases-about-android/google-courts.jpg" />
      <media:content url="https://breaksciphers.com/notes/google-keeps-losing-court-cases-about-android/google-courts.jpg" type="image/jpeg" medium="image" />
      <enclosure url="https://breaksciphers.com/notes/google-keeps-losing-court-cases-about-android/google-courts.jpg" length="322707" type="image/jpeg" />
    </item>
    <item>
      <title>A new era for open-source applications</title>
      <link>https://breaksciphers.com/notes/a-new-era-for-open-source-applications/</link>
      <guid>https://breaksciphers.com/notes/a-new-era-for-open-source-applications/</guid>
      <pubDate>Thu, 02 Jul 2026 08:00:00 +0000</pubDate>
      <description><![CDATA[<p>Earlier this week I submitted a privacy vulnerability disclosure to an open-source app, and the solo maintainer merged a patch the next day. The whole experience strengthened my belief that open-source apps can finally defeat the “free” apps that have been extracting data out of us for years.</p>
<p>Historically, the open-source projects that had the strongest level of maintenance were packages and infrastructure. Companies that have lots of money and engineers depend on those, and some of these companies have provided funding for maintainers and dedicated their engineers’ time toward contributions.</p>
<p>However, apps have been a different story. As apps aren’t critical to companies’ bottom lines, they haven’t received the same level of funding and support. This made app maintenance difficult to sustain, as they often had underfunded solo maintainers, and would-be contributors didn’t have enough time to meaningfully help out.</p>
<p>The LLM boom hasn’t helped much with this yet, as slop contributions have caused maintainers a lot of headaches. But I think the ecosystem will learn to filter out the slop soon, and then the new era of LLM-assisted gains for open-source will begin.</p>
<p>While LLM-enabled maintainer productivity gains will be impactful, I see the following as a more fundamental change: engineers who use the apps will be able to make meaningful contributions without dedicating an unsustainable amount of their free time. I think this can result in open-source apps becoming highly competitive with the for-data apps that have historically required full teams of engineers.</p>
<p>Many of us have had a deep appreciation of open-source for years, but haven’t had enough time to consistently contribute. I’ll be helping with security and privacy. What will be your contribution?</p>]]></description>
    </item>
    <item>
      <title>Neocypherpunk Summit</title>
      <link>https://breaksciphers.com/notes/neocypherpunk-summit/</link>
      <guid>https://breaksciphers.com/notes/neocypherpunk-summit/</guid>
      <pubDate>Mon, 15 Jun 2026 12:38:00 +0000</pubDate>
      <description><![CDATA[<p><img src="https://breaksciphers.com/notes/neocypherpunk-summit/privacy-summit.jpg" alt=""></p>
<p>Yesterday I attended the Neocypherpunk Summit in Berlin with hundreds of people from various backgrounds who all care about the human right to privacy.</p>
<p>The term “cypherpunk” used to refer to extremely technical lone wolves who dedicated their lives to privacy. Thankfully, it has now evolved into a movement where anyone who cares about privacy is welcome, no matter their background. In one day I heard talks from human rights organisations, activists, engineers, academics, and philosophers.</p>
<p>People care about privacy to differing degrees and for various reasons. Some people need to protect their safety, some want to chat with their loved ones in a safe space, while others simply don’t want their data to enrich a tech oligarch who they don’t trust.</p>
<p>Privacy doesn’t mean isolating yourself from society, it is about the right to choose what information you share with whom. Yesterday was the opposite of isolation, with hundreds of people making friends, sharing ideas, and feeling inspired.</p>
<p>Whatever your reason, if you feel a bit uncomfortable about where your data flows behind your back, feel free to message me and we can come up with something small you can do today. It’s usually as simple as replacing one of your apps with another that has the same features, but is more secure. It feels empowering!</p>]]></description>
      <media:thumbnail url="https://breaksciphers.com/notes/neocypherpunk-summit/privacy-summit.jpg" />
      <media:content url="https://breaksciphers.com/notes/neocypherpunk-summit/privacy-summit.jpg" type="image/jpeg" medium="image" />
      <enclosure url="https://breaksciphers.com/notes/neocypherpunk-summit/privacy-summit.jpg" length="445223" type="image/jpeg" />
    </item>
    <item>
      <title>Building a secure open-source tasks app</title>
      <link>https://breaksciphers.com/notes/building-a-secure-open-source-tasks-app/</link>
      <guid>https://breaksciphers.com/notes/building-a-secure-open-source-tasks-app/</guid>
      <pubDate>Mon, 08 Jun 2026 11:13:00 +0000</pubDate>
      <description><![CDATA[<p><img src="https://breaksciphers.com/notes/building-a-secure-open-source-tasks-app/secure-tasks.jpg" alt=""></p>
<p>At Breaks &amp; Ciphers I’m building a secure open-source tasks app. Our day-to-day tasks are some of the most valuable data points to creeps, so I think we should protect them.</p>
<p>I intend to use this as a testbed for what the state of the art is in building, testing, and deploying applications when security and privacy are uncompromising goals.</p>
<p>This may have some measures that seem extreme for a tasks app, but the underlying purpose of this project is to push open-source security and privacy forward. I hope to find where these are most difficult to achieve for maintainers, and publish research and tools to fill these gaps.</p>
<p>Some of the early security design investigations I’m doing are:</p>
<ul><li>Using Rust + FFI vs app development languages like Kotlin/Swift</li><li>Using cross-platform frameworks vs per-platform development</li><li>Peer-to-peer sync / backup options</li><li>Where to use formal verification</li></ul>
<p>As references, I’ll be comparing other apps that are known for their security:</p>
<ul><li><a href="https://signal.org/" target="_blank" rel="noopener noreferrer">Signal</a></li><li><a href="https://grapheneos.org/" target="_blank" rel="noopener noreferrer">GrapheneOS</a>&#x27;s built-in applications (SMS, PDF viewer, etc.)</li><li><a href="https://bitwarden.com/" target="_blank" rel="noopener noreferrer">Bitwarden</a></li><li>Apps recommended by <a href="https://www.privacyguides.org/en/" target="_blank" rel="noopener noreferrer">Privacy Guides</a></li></ul>
<p>Let me know if there’s a different app you consider to be the gold standard in secure development!</p>]]></description>
      <media:thumbnail url="https://breaksciphers.com/notes/building-a-secure-open-source-tasks-app/secure-tasks.jpg" />
      <media:content url="https://breaksciphers.com/notes/building-a-secure-open-source-tasks-app/secure-tasks.jpg" type="image/jpeg" medium="image" />
      <enclosure url="https://breaksciphers.com/notes/building-a-secure-open-source-tasks-app/secure-tasks.jpg" length="35457" type="image/jpeg" />
    </item>
    <item>
      <title>Tools for assessing open-source security</title>
      <link>https://breaksciphers.com/notes/tools-for-assessing-open-source-security/</link>
      <guid>https://breaksciphers.com/notes/tools-for-assessing-open-source-security/</guid>
      <pubDate>Thu, 28 May 2026 12:07:00 +0000</pubDate>
      <description><![CDATA[<p><img src="https://breaksciphers.com/notes/tools-for-assessing-open-source-security/scorecard-post.jpg" alt=""></p>
<p>It’s currently too hard for users and developers to figure out which open-source software is secure and trustworthy.</p>
<p>The most prominent assessment tool I’ve found is <a href="https://github.com/ossf/scorecard" target="_blank" rel="noopener noreferrer">OpenSSF Scorecard</a>, which assesses projects for security risks through a series of automated checks, assigning each project a score out of 10.</p>
<p>Unfortunately, it hasn’t proliferated enough yet. Most users have never encountered Scorecard, so it doesn&#x27;t affect their choices. And if it doesn’t directly affect weekly downloads or clout, most maintainers aren’t incentivised enough to adopt it. Scorecard also isn’t a fully comprehensive security assessment.</p>
<p>Whether it’s Scorecard or something else, I do believe automated assessments have strong potential. At Breaks &amp; Ciphers I’ve been considering some features that could result in a successful movement:</p>
<ul><li>Fact-checking: a trustworthy assessment can’t currently be achieved solely through static checks or AI (hallucinations, prompt injections). There need to be incentives designed to encourage fact-checking or approval of automated results, similar to <a href="https://communitynotes.x.com/guide/en/about/introduction" target="_blank" rel="noopener noreferrer">X’s Community Notes</a> feature.</li><li>Stages instead of scores: a scoring system may be too daunting for maintainers if their projects start out with very low scores. One alternative I like is a stage-by-stage framework, where projects work their way up through several security and trust model stages over time. I saw the effectiveness of this approach in the <a href="https://l2beat.com/" target="_blank" rel="noopener noreferrer">L2BEAT</a> initiative, and there is a similar <a href="https://github.com/walletbeat/walletbeat" target="_blank" rel="noopener noreferrer">Walletbeat</a> initiative in beta. Perhaps we need a Softwarebeat.</li><li>Inform the user: the security and trust status of the project needs to be shown clearly in GitHub, app stores, and package providers. Otherwise users and developers won’t hear about it, and maintainers won’t care about it. Even if we can’t get GitHub or Google Play onboard at the beginning, we could demonstrate the effectiveness by achieving integration in smaller platforms, such as the <a href="https://github.com/ImranR98/Obtainium" target="_blank" rel="noopener noreferrer">Obtainium</a> APK installer.</li></ul>]]></description>
      <media:thumbnail url="https://breaksciphers.com/notes/tools-for-assessing-open-source-security/scorecard-post.jpg" />
      <media:content url="https://breaksciphers.com/notes/tools-for-assessing-open-source-security/scorecard-post.jpg" type="image/jpeg" medium="image" />
      <enclosure url="https://breaksciphers.com/notes/tools-for-assessing-open-source-security/scorecard-post.jpg" length="64577" type="image/jpeg" />
    </item>
    <item>
      <title>Announcing Breaks &amp; Ciphers</title>
      <link>https://breaksciphers.com/notes/announcing-breaks-and-ciphers/</link>
      <guid>https://breaksciphers.com/notes/announcing-breaks-and-ciphers/</guid>
      <pubDate>Mon, 18 May 2026 12:39:00 +0000</pubDate>
      <description><![CDATA[<p><img src="https://breaksciphers.com/notes/announcing-breaks-and-ciphers/breaksciphers.jpg" alt=""></p>
<p>I want to live in a world where the software we use is highly secure, including security against mass surveillance by advertising agencies and intelligence agencies. I don’t believe this will happen if the software we use daily continues to be owned by companies whose primary incentive is to maximise shareholder value. I believe this is achievable through open-source software, now more than ever before, because today’s engineers can build good software on much tighter resources.</p>
<p>There was once an implicit deal between society and big tech: we give you our data, you provide us with great free products, good jobs, and positive economic impact. Whether through greed or other reasons, big tech has betrayed this deal. Products become worse for our health to maximise profits (slot machine algorithms, AI slop, TikTok-like videos). Job cuts are encouraged in favour of centralised AI. Wealth doesn’t trickle down effectively, and the divide seems to be accelerating.</p>
<p>On the surveillance side, whistleblowers and leaks over the years have demonstrated how some states are willing to violate the privacy of innocent people across the globe via software exploits and backdoors. The current geopolitical climate leads me to believe we may see further steps backward in this area. As a citizen of a neutral country, Ireland, I think it&#x27;s completely reasonable to demand the ability to verify that the technology I use does not contain backdoors or vulnerabilities accessible by foreign states.</p>
<p>At Breaks &amp; Ciphers, we will do consistent work toward regaining our security and privacy. We will analyse trust models deeply to provide recommendations on which software to use, along with how we can improve these trust models over time. We’ll make contributions and security improvements to open-source projects. We’ll produce new open-source projects when necessary.</p>
<p>While the need for Breaks &amp; Ciphers comes from quite a sad state of the digital world, I don’t see the road forward as a lonely, dark path. I see it as a hopeful path where the thousands of engineers, researchers, journalists, activists, lawyers, communities and organisations who have fought for people’s digital sovereignty can win. And we’re going to have tonnes of fun and fulfillment along the way.</p>
<p>For examples of software to be optimistic about, think of Signal, GrapheneOS, Tor.</p>
<p>But I’m not recommending these yet, you’ll need to wait for the research!</p>]]></description>
      <media:thumbnail url="https://breaksciphers.com/notes/announcing-breaks-and-ciphers/breaksciphers.jpg" />
      <media:content url="https://breaksciphers.com/notes/announcing-breaks-and-ciphers/breaksciphers.jpg" type="image/jpeg" medium="image" />
      <enclosure url="https://breaksciphers.com/notes/announcing-breaks-and-ciphers/breaksciphers.jpg" length="82039" type="image/jpeg" />
    </item>
  </channel>
</rss>
