
Keybase is out for iPhone, Android - osteele
iPhone: https://keybase.io/_/download/keybase-for-ios

Android: https://play.google.com/store/apps/details?id=io.keybase.ossifrage
======
malgorithms
Oh HN, so much for a soft-launch! (But thanks for all the positive comments on
here.) We've been testing Keybase a lot with iOS and Android testers and we
quietly released into the app stores last night. In many ways it's an MVP
focusing on: (1) Keybase chat, and technically important (2) your phone acting
as an additional device key, so you can easily provision new desktop
computers.

There are still some things missing from the app, such as the ability to
browse your encrypted files (KBFS), although the app actually has KBFS running
inside it. So we're close on that front. Also, provisioning is still a bit
clunky.

Possibly interesting to HN: Keybase is one of the only large apps we know of
which exists on all 5 platforms (iOS, Android, macOS, Linux, and Windows) and
which was programmed almost entirely in Go. Except for the chrome, which is
react/react native. Source code for all platforms at
[https://github.com/keybase/client](https://github.com/keybase/client)

If you're an HN user and give it a try, please send us feedback. It's `Gear
Icon > Feedback`. We read all the feedback.

~~~
tkfu
How did you manage to get something written in Go into the iOS app store? I
was under the impression that foreign binaries weren't allowed.

~~~
azinman2
The bigger problem with go is if/when Apple requires bitcode on iOS.

~~~
lloeki
For those who don't know what "bitcode" refers to and why the "if/when":

[https://medium.com/@FredericJacobs/why-i-m-not-enabling-bitcode-f35cd8fbfcc5](https://medium.com/@FredericJacobs/why-i-m-not-enabling-bitcode-f35cd8fbfcc5)

------
techsupporter
Clickable links:

iPhone: [https://itunes.apple.com/us/app/keybase-crypto-for-everyone/id1044461770](https://itunes.apple.com/us/app/keybase-crypto-for-everyone/id1044461770)
(original link in post was: [https://keybase.io/_/download/keybase-for-ios](https://keybase.io/_/download/keybase-for-ios))

Android: [https://play.google.com/store/apps/details?id=io.keybase.ossifrage](https://play.google.com/store/apps/details?id=io.keybase.ossifrage)

~~~
dfcab
thanks @techsupporter

------
pdog
> _By using the Keybase app you agree to the following terms: you'll be a nice
> Internet person._

Unfortunately, Keybase cannot be considered free software because of this
clause.

~~~
Xeoncross
I am really tiring of these cute, but vague clauses.

I think discussing important topics like war, death, and censorship is
needed, but then again maybe I'm not "nice" bringing up uncomfortable issues
especially when they don't make your hero/candidate look good.

~~~
mikeash
I'm pretty sure it's just a joke. There's no way such a thing would be
enforceable.

~~~
koolba
Sure but this is the type of thing that shies corporate lawyers from approving
usage of something.

"_We can't guarantee we'll be nice ..._"

~~~
hdhzy
See also "don't use for evil" clause in JSON library by Douglas Crockford and
a special exemption for IBM: "I give permission for IBM, its customers,
partners, and minions, to use JSLint for evil." [0].

[0]: [http://dev.hasenj.org/post/3272592502/ibm-and-its-minions](http://dev.hasenj.org/post/3272592502/ibm-and-its-minions)

------
lode
Keybase has succeeded in making crypto and user verification user-friendly
enough for day to day use. (Even though it's probably not easy enough to use
in day to day e-mail.)

This new mobile experience is very slick, with a very smooth login flow that
just 'feels' secure as well.

The Keybase verification of different services feels very much like what
ClaimID used to do, back when OpenID was showing promise as an open, secure,
easy to use single sign on protocol. I'd still love for someone to solve this
challenge once and for all. For some reason I'd love to see what the team
behind Keybase might come up with in this space. (For now I'll have to do with
using 1Password and 2FA wherever possible.)

------
TheAceOfHearts
Keybase is amazing, and I'll be installing it on my mobile device. It really
makes crypto a lot more approachable for average users. Their chat is great,
and I'd been looking forward to the mobile app.

On desktop my only complaint so far is that they keep trying to jam everything
into a single app. I think they could break things up into three separate
apps: core, chat, and KBFS. Personally, I have no use for KBFS and I wish I
could disable it. It's also slightly buggy on macOS, and it causes warning
messages to show when restarting.

~~~
jpwgarrison
I just tried to use chat on FreeBSD (helpfully mentioned in another comment)
but it fails with "error unboxing chat message: KBFS client wasn't found" so
they might be more tightly linked than you hope.

------
BjoernKW
The paper key process after the initial login is broken.

Because I didn't have an actual piece of paper with me when I tried the app
(and writing down things like that on paper is a weird idea anyway) I opened
1Password to create a secure note there. Unfortunately, when I returned to
Keybase the app had already silently moved on to the next screen without me
having confirmed anything.

I'm not sure what this paper key will be needed for in the future but I hope
it's nothing important.

~~~
greensea
If you lose the device key on your computer (perhaps there is a hardware error
or it is stolen), you can use the paper key to add a new device key to your
account - and not lose any data.

You can add another paper key using `keybase paperkey`, and you may want to
revoke the old one using `keybase device remove <key name>`. This is also
possible to do from the "Devices" tab in the desktop or mobile app.

Of course, if you have Keybase both on your computer and your phone you
already have some redundancy, and maybe having a paper key is not as
important.

------
sebsauvage
Oh great... the application is not available in France (!). GooglePlay refuses
to let me download the app. And the website does not provide a direct link to
the apk (only direct links to desktop apps).

Will I have to download the app from dubious third-party stores ? :-(

~~~
activis
As I read France set very troublesome restrictions for any software which uses
cryptography. As I remember it requires some kind of approval from government,
assignment of special code based on documents you provide via mail. And it
takes up to 4 months.

~~~
sebsauvage
Signal, Telegram, WhatsApp, PGP, RetroShare and others are freely available in
France.

Most notably PGP has been available in France for decades and has never
received any form of approval as far as I know.

~~~
activis
It's not about being available on the internet, it's about being available on
the AppStore or Google Play Market which make you comply with French laws.

Just read developer FAQ for the store you want, there is a requirement of
"Declaration approval from French ANSSI authorities." which links to
[http://www.ssi.gouv.fr/en/regulation/cryptology/](http://www.ssi.gouv.fr/en/regulation/cryptology/)

"...

However supplying, importing and exporting cryptology means in and from France
are regulated activities. These operations are either subject to a declaration
or an authorisation process.

ANSSI records declarations and investigates requests for the authorization of
cryptology equipment and services in accordance with French and European
Community legislation."

So you have to send them ANSSI declaration and get an approval to submit an
app to the store.

If you are distributing something through the website which is available
everywhere then you can ignore that since there is no entity which would
control that you follow French law, but it's just a technical detail. The law
is the same for everyone I believe.

Regarding Telegram, Signal, WhatsApp, etc.: I believe they have sent all the
documents and got the permission/registration in all regions they are
available in and which require that.

------
mike-cardwell
Just installed on my OnePlus One. Is very laggy to switch between options by
touching the buttons at the bottom of the screen. In particular, pressing the
chat button seems to do nothing for over a second before it switches to the
chat page. I've had this phone for a few years, and this is definitely the
laggiest app I've used on it.

[edit] /data/data/io.keybase.ossifrage/files/service.log seems to be getting
filled with a tonne of data every time I interact with anything in the app. I
can see that filesize becoming a problem.

------
joshpadnick
Could someone explain how the underlying keys are managed for Keybase mobile?
I'm guessing as part of sign up you generate a unique key just for your mobile
device, and if your mobile device is lost, you'll need to generate a new key?
How does this dovetail with your desktop key? Does resetting _any_ active key
trigger a re-proof of each of your identity services (i.e. Twitter, GitHub, etc.)?

Looks very cool overall!

~~~
rtkwe
They have a blog post of their key model. [0] If you lose your device you
shouldn't have to re-prove your identity on all services just any that you
proved using that particular key.

[0] [https://keybase.io/blog/keybase-new-key-model](https://keybase.io/blog/keybase-new-key-model)

~~~
malgorithms
Almost 100% correct :-)

First part: if you lose or wipe a phone and want to reprovision, the lost
device's private key is GONE. It will not exist in some icloud backup. When
you provision your new device, the Keybase app will make fresh keys. To make
that device yours, you'll need to either (a) bring together another keybase
device, or (b) enter a paper key. When you do that, the old key will sign your
newly generated key, and the new key will countersign. The old key will also
be used to decrypt and reencrypt access keys for your data, so you can get to
your old messages and files. Your data will live on. So even in an extreme
example: if you write data in KBFS or send a chat message, provision a new
device, and then revoke all your old devices, you'll still have the data on
the new device. Assuming at some point you always held at least one of your
private keys.

The general rule of thumb here is as long as you don't lose all your devices
(and in this sense you can think of a paper key as a device), you won't lose
your files in kbfs/chat.

The reason the answer above wasn't 100% correct: the revocation of a device
(by another) does not trigger an identity re-proof, even for proofs made by
the revoked device. Why? well, the original identity announcement is in a
well-ordered signature chain of your announcements, and at the same time you
remove it, you also have the power to remove your twitter or other proofs. By
choosing not to do that AND leaving up your twitter announcement, it's pretty
clear you're still you. This isn't like PGP where revocations and statements
are floating around and could be ordered in any-which-way.

1. key X adds key Y

2. key X adds twitter

3. key Y revokes X (leaving twitter proof)

the twitter proof is considered still valid in Keybase's logic. Because 1,2,3
exist in a signed chain and Y had the power to remove twitter but chose not
to.

One final point we've made in multiple places: your PGP key is part of your
identity on Keybase (like your Twitter account or HN account), but it isn't
used as a key in Keybase chat or the filesystem for a variety of reasons. So
really, your Keybase-data is protected by your devices+paper keys. Just don't
run out of them!
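
The replay rule described in the comment above, as an added example that is not part of the thread and is not Keybase's code: a toy signature chain in which each link names the hash of the previous one, so the three steps have a single order. The `Link` layout, the names `Replay`, `Build` and `Steps`, and the choice of Ed25519 and SHA-256 are assumptions made for this sketch, and the new key's countersignature is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Link is one entry in a toy signature chain (simplified; not Keybase's real format).
type Link struct {
	Prev                 [32]byte // hash of the previous link, which fixes the order
	Kind, Target, Signer string   // action, what it acts on, name of the signing key
	Sig                  []byte
}

func (l Link) body() []byte {
	return []byte(fmt.Sprintf("%x|%s|%s|%s", l.Prev, l.Kind, l.Target, l.Signer))
}

// Replay verifies links in order; a signer must be active when its link appears.
func Replay(chain []Link, pubs map[string]ed25519.PublicKey, root string) (map[string]bool, map[string]bool, error) {
	keys, proofs := map[string]bool{root: true}, map[string]bool{}
	var prev [32]byte
	for i, l := range chain {
		if pub, ok := pubs[l.Signer]; l.Prev != prev || !ok || !keys[l.Signer] || !ed25519.Verify(pub, l.body(), l.Sig) {
			return nil, nil, fmt.Errorf("link %d rejected: bad order, inactive signer %q or bad signature", i+1, l.Signer)
		}
		switch l.Kind {
		case "add_key", "revoke_key":
			keys[l.Target] = l.Kind == "add_key"
		case "add_proof", "revoke_proof":
			proofs[l.Target] = l.Kind == "add_proof"
		}
		prev = sha256.Sum256(l.body())
	}
	return keys, proofs, nil
}

// Steps is the chain from the comment: X adds Y, X adds twitter, Y revokes X.
var Steps = [][3]string{{"add_key", "Y", "X"}, {"add_proof", "twitter", "X"}, {"revoke_key", "X", "Y"}}

// Build signs {kind, target, signer} steps with freshly generated keys named X and Y.
func Build(steps [][3]string) (chain []Link, pubs map[string]ed25519.PublicKey) {
	pubs, privs := map[string]ed25519.PublicKey{}, map[string]ed25519.PrivateKey{}
	for _, n := range []string{"X", "Y"} {
		pubs[n], privs[n], _ = ed25519.GenerateKey(nil)
	}
	var prev [32]byte
	for _, s := range steps {
		l := Link{Prev: prev, Kind: s[0], Target: s[1], Signer: s[2]}
		l.Sig = ed25519.Sign(privs[s[2]], l.body())
		chain, prev = append(chain, l), sha256.Sum256(l.body())
	}
	return chain, pubs
}

func main() {
	chain, pubs := Build(Steps)
	fmt.Println(Replay(chain, pubs, "X"))
}
```

Replaying `Steps` leaves Y active, X revoked and the twitter proof valid, while a fourth link signed by X after its revocation makes the whole chain fail verification.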

~~~
azag0
Re the final point: Was it like this from the beginning? I still have some
identities signed by my original PGP key with which I signed up to Keybase
[https://keybase.io/azag0/graph](https://keybase.io/azag0/graph)

~~~
malgorithms
yes, but to be clear: an identity proven by your PGP key is still considered
"you" for chat/KBFS, as your device keys have transitively said that PGP key
is you. So (1) PGP proved twitter (or whatever), then (2) PGP signed in a
device key (which counter-signed), and therefore (3) device key can read
KBFS/chat that is sent to you by your Twitter name.

------
thewisenerd
any chance of getting this added to the F-Droid project? I'd like to be able
to get the APK without having to install gapps first.

------
darkstar999
I can't get my friends to use Telegram or anything remotely better than sms or
Google hangouts. I hope keybase finds the critical mass that's needed to make
these things work.

------
Osmium
Congratulations on the release! Been waiting for this one :)

Requests to any Keybase devs reading this:

* UI to disable the macOS app from auto-launching on login (slightly user hostile not to be able to have this option, also asking permission before putting something in my Finder sidebar would be nice, useful though it may be!)

* Not sure if there's a technical reason for this, but it would be nice to be able to link accounts via OAUTH or similar without having to make a public post for all my e.g. Facebook contacts to see.

~~~
plttn
Not affiliated with Keybase:

The whole point of Keybase is we don't have to trust Keybase (as a company).
The proofs have to be independently verifiable, and an oAuth login wouldn't
be.

~~~
Osmium
I definitely get that motivation. Doesn't change the fact that people who
might want to use Keybase are more likely to be privacy-minded, and therefore
less likely to have public Facebook, Twitter accounts (like myself).

I'd personally prefer maybe a badge which showed either publicly or
privately verified, and then people can make their own judgement, but I
appreciate there's a loss in simplicity then.

------
0xCMP
Very cool. Would be great to eventually see support for the file picker UI
similar to Resilio or Working Copy so files can be saved directly into
KeyBase's encrypted areas.

------
jonseager
Keybase is great, makes the whole process of PGP significantly nicer to use,
lowers the barrier and hopefully encourages more people to participate.

Great work, thanks!

------
fsargent
Woohoo! Great to get notifications and chat on my phone.

Nice to have a truly encrypted, secure chat application where I control the
keys.

------
archarios
This doesn't sound too different from Signal to me other than the public
directory of people thing. Is that it?

~~~
Veratyr
It also:

- Doesn't need a phone number

- Has _good_ multi-device support

There's also other fun stuff like Kbfs:
[https://keybase.io/docs/kbfs](https://keybase.io/docs/kbfs)

------
cafogleman
The app is up and running great here, not experiencing any of the referenced
performance issues (so far).

Support for the PGP portion that is available on the web would be great as
well, maybe with a "Copy to Clipboard" after encrypting so I can drop the
ciphertext straight into an email? Or (with a few more permissions), using a
Share feature to write the email/chat in the app of my choosing, and I just
have to choose the sender.

If this catches on like I hope, I can see a grand future where Keybase is how
I can contact almost anyone I know through almost any means (FB, Twitter,
etc.), but until then, it would be cool to have support for "legacy"
addressing such as email, but still with strong encryption.

------
t0mbstone
So how exactly does it open a truly secure chat with someone else? If it is
encrypting messages, then the recipient would have to have my public key to
decrypt the message, right?

But if keybase is sending the recipient my public key, then doesn't keybase
have the ability to decrypt my messages, too? And if keybase can do that, then
can't everyone else that is watching the public key go over the wire decrypt
my messages, too?

It seems like this is really only good for proving that the sender of a
message is who they say they are, but not really good for privacy.

Please correct me if I'm wrong. How is this supposed to work?

~~~
seveneightn9ne
When you send a message, you encrypt it with _their_ public key, so that only
_they_ can decrypt it. Additionally, you sign the message with your _private_
key, so the person who receives the message can verify that you signed it, by
using your _public_ key.

This is the general idea of how public/private key crypto works. The actual
Keybase implementation is a bit more complicated because a person doesn't have
exactly one public/private keypair, but rather keys for each device.

~~~
t0mbstone
Oooohhh ok, I get it now. Thanks for the explanation!

------
wapz
I've never heard about Keybase before this post. Can someone explain what the
"you can write securely to any twitter, reddit, facebook, github, and hacker
news user" is about? If you write to them do they need the app to view it or
does it go into their inbox (does github even have an inbox?). And if they
open it on a browser it would no longer be encrypted, right?

~~~
Preemo
It's like WhatsApp; but with PGP and you're in complete control of your keys.

They basically provide the public key exchange and verification services with
an appealing UI akin to your modern chat application.

Let's say you hook up your reddit account or HN account to your Keybase
account, and we want to chat. One of us simply has to look for the other on
Keybase, start up a chat like Twitter DMs -- but it's PGP encrypted and
seemingly as flawless as exchanging PGP emails without the hassle of
exchanging our public keys through a key-server. This is arguably the hardest
thing for non-tech savvy's to grasp.

------
mmcclure
Nice! This feels like a huge leap forward for Keybase in terms of broad, daily
usability. The onboarding onto the app felt pretty smooth overall, always nice
when I can feel comfortable logging into a mobile app without pulling up my
password manager.

This is one of those teams that I legitimately get excited when I see new
announcements.

------
pjc50
Hmm. Could I use the file storage feature of this to store small text files
containing passwords and other confidential data? Would that fit well with its
security model?

------
kizashi
Awesome, looking forward to seeing Keybase grow through mobile.

------
CtrlAltT5wpm
Is adding 2FA somewhere on the horizon? I'd prefer something like U2F or
possibly the upcoming SQRL, but I'll take anything robust that isn't SMS.

------
petetnt
Installation and logging in was very smooth on the iPhone version at least:
just typed my username, scanned a QRCode (wow!) and I was ready to go.

Kudos on the launch!

------
pepve
I'm so glad this arrived. Thanks Keybase! Finally we have proper identity
backed secure chat! (Which is going to be my main use case.)

------
tomcam
What UI library did you use on iOS and Android?

~~~
dennyabraham
Not a contributor, but it looks like they're using react-native
[https://github.com/keybase/client/tree/master/shared/react-native/android](https://github.com/keybase/client/tree/master/shared/react-native/android)

------
cnf
I can't figure out how to log in on this. I use the CLI client which seems to
have no way to auth the new device.

~~~
Nadya
Doesn't the CLI client allow you to generate a new paper key? Then you can use
that paper key to authorize the new device.

Command: `keybase paperkey` will generate a new paper key, then enter that key
onto your device.

------
Arubis
Huzzah and congratulations! I've been eagerly awaiting this. Congrats on the
release!

------
exabrial
holy molasses batman. Great app but you have to be hella patient!

------
matthewemes
Hope this helps get wider adoption for distributed trust models

------
Sleepyead
Do your messages only get stored on the sender's and receiver's device or even
on a keybase server?

~~~
cjbprime
They get stored encrypted in all of those places, and only the device itself
can decrypt and read them, not the Keybase servers.

~~~
Sleepyead
okay so messages that i delete, only get removed from my device?

------
nthcolumn
Oops we had a problem... :/

------
leachy114
Definitely looking into this!

------
williamle8300
How'd you guys build this? Are these native apps, or Cordova/Ionic?

~~~
skrowl
The UI is React / Reactive Native, the rest is Go

