With Google Photos abolishing its unlimited photo backup policy last November, the market for photo backup and sync applications opened up significantly. We reviewed a strong contender in January – Amazon Photos – and freelancer Alex Kretzschmar walked us through several self-hosted alternatives in June.
Today we’re looking at a new contender – Stingle Photos – that splits the difference by offering a FOSS mobile application that syncs to a managed cloud.
Trust no one
Encryption is undoubtedly the most important feature of Stingle Photos. While the app uploads your photos to Stingle’s cloud service, the service’s operators can’t view your photos. That’s because the app, which runs on your phone or tablet, securely encrypts them using Sodium cryptography.
Because the photos are encrypted before they leave your phone – using a key that is never available to Stingle’s operators – you’re safe from attackers who get a photo dump from Stingle’s cloud. You’re also safe from Stingle’s own operators playing LOVEINT on you or being socially manipulated by someone with a believable voice begging to get your photos back.
Since Stingle can’t do anything useful with your photos’ encrypted cloud backups, you also don’t have to worry about strange things happening as a result of your photos being fed into machine-learning algorithms – they’re just junk to anyone without your private key.
Stingle has made every effort to make its operation as clear as possible to security- and privacy-minded users. The company has released a detailed white paper that outlines its security practices and provides an excellent overview of how the service works. And for the truly paranoid, access to the application's source code closes the rest of the gap.
Having access to the source code especially helps close any potential loopholes in what Stingle can and can’t do with your photos. Since the cloud storage is basically useless to anyone but the user, the mobile app itself remains the only place where anything untoward could happen: before the photos are encrypted and sent to the cloud, or after they are downloaded and decrypted.
We haven’t attempted anything like a full code audit of the Stingle Photos app, but we’ve gone through the code far enough to have a good idea of what it does and how. No obvious pitfalls jumped out at us.
By default, Stingle Photos uploads a backup of the user’s private key to the Stingle cloud (which is redundantly hosted at Digital Ocean, using redundant Wasabi buckets). This allows the app to function on a new device without the user having to manually and cumbersomely back up and restore the private key themselves.
Astute users’ eyebrows probably just went through the roof – if Stingle has my private key, how do I know the company isn’t using it? The answer is that the key is also encrypted before being bundled and sent to the cloud for backup.
This is an extremely simplified overview of how the method works:
- User creates a new Stingle account and specifies a password or passphrase
- Stingle Photos will hash the password or passphrase locally and upload the hash to the backend
- Stingle Photos generates public and private keys derived from the user’s password
- Stingle Photos bundles the pubkey and privkey, then encrypts the bundle with the user’s full password or passphrase
- Stingle Photos uploads the encrypted key bundle to the cloud for backup
We leave out quite a few of the hairy details, such as specific algorithms, salts, and so on. Interested and crypto-fluent folks should check out the original white paper to see the bits we skipped over in the name of readability.
The key here is that Stingle never has access to the user’s real password or passphrase – only a hash of it. Since the user authenticates using the hash, but needs the full password – not just the hash – to decrypt the key bundle, the key bundle can be securely stored remotely.
If the user instead chooses not to back up the key bundle, they must back up their private key themselves – which Stingle provides in the form of a Diceware-like 24-word passphrase. After installing the Stingle app on a second device, the user must manually import the “backup phrase” – which is actually their private key – onto the second device.
On the other hand, if the user allows Stingle Photos to back up the key bundle, they only need their password to access photos on a second device. After logging in, the second device downloads the encrypted key bundle, decrypts it with the user’s full password or passphrase (which, remember, never leaves the device) and everything is ready to go.
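The registration steps and the second-device restore described above can be sketched as follows. This is an added example, not Stingle's code: PBKDF2 and an HMAC-based encrypt-then-MAC construction from the Python standard library stand in for the libsodium primitives the app uses, and all function names, salts, and the random key bundle are assumptions made for illustration.

```python
import hashlib, hmac, secrets

def derive(password: str, salt: bytes) -> bytes:
    # PBKDF2 is a stdlib stand-in for the app's real password hash (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in stream cipher, for illustration only.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def subkeys(key: bytes):
    # Separate encryption and MAC keys from one wrapping key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    enc_key, mac_key = subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key or tampered bundle
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))

def register(password: str):
    # Client side. Distinct salts make the login hash and wrapping key unrelated.
    login_salt, wrap_salt = secrets.token_bytes(16), secrets.token_bytes(16)
    bundle = secrets.token_bytes(64)  # constructed stand-in for pubkey + privkey
    record = {  # everything the server ever receives
        "login_salt": login_salt, "wrap_salt": wrap_salt,
        "login_hash": derive(password, login_salt),
        "sealed_bundle": seal(derive(password, wrap_salt), bundle),
    }
    return record, bundle

def restore(record: dict, password: str):
    # Second device: download the record, unwrap locally with the full password.
    return unseal(derive(password, record["wrap_salt"]), record["sealed_bundle"])

def operator_attempt(record: dict):
    # The operator holds only the login hash; using it as the key fails the MAC.
    return unseal(record["login_hash"], record["sealed_bundle"])
```

In this sketch the wrapping is only as strong as the password: anyone holding the stored record can test password guesses offline, which is why the work factor of the password hash matters.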
Stingle Photos also supports optional biometric authentication. If you want to access your backed up photos and videos without having to type in a passphrase each time, you can enroll your fingerprint and use it to unlock the app faster.
Features and Platforms
We tested Stingle Photos on two Android devices, a Pixel 2XL and a Huawei MediaPad M5 Pro. Support for iPhones and iPads is on the way, but hasn’t arrived yet, along with support for Linux, Windows, and Mac PCs.
The app takes a very different approach than that of Google Photos, Amazon Photos, or Apple Photos. All three apps from the tech giants aim to offer everything under the sun: machine learning to categorize and sort photos into galleries and albums, print and swag creation services, and more.
Stingle Photos is stark and minimalist by comparison. It imports photos (automatically or manually, according to the user’s choice), syncs them and allows you to organize them into albums. That’s about it, aside from the typical Android “sharing” options, which dump a (decrypted) photo directly into another app. For example, we shared one photo through the Textra SMS app by tapping the share icon for that photo and then selecting a Textra contact.
When importing photos automatically or manually, Stingle offers the option to delete them after they have been successfully imported. Enabling auto-delete ensures that a phone thief can’t browse your photos, even if they unlock the phone themselves, but it does mean that Stingle is no longer a “backup”. Instead, automatic deletion turns Stingle into the sole repository for your photos, with everything lost if Stingle is lost.
There is no web client available for Stingle Photos. So for now, you’ll need an Android device to view all of the photos stored in Stingle. Since a web client is nowhere on Stingle’s published roadmap, we expect that even if Windows, Linux and Mac clients become available, you’ll still need to install an application to view photos – not just log into a website with your browser of choice.
While we’ve mostly been referring to photos, Stingle Photos manages videos and photos interchangeably, just like most other mobile camera and backup apps.
Cloud storage pricing
The Stingle Photos app is free, as is your first 1 GiB of cloud storage. Stingle’s business model revolves around those who need more than that first gibibyte of storage – which we’re pretty sure now means “everyone”, especially since Stingle stores your photos and videos at full resolution. There’s not even an option to downsample before encoding and uploading – the media you save locally is the media you back up, period.
The first paid tier is 100GiB, for which you pay $2.99 per month, or you can pay $29.90 for a year upfront, saving you the cost of two months. 300GiB costs $4.99/month, 1TiB costs $11.99/month, and 3TiB costs $35.99/month, with the same two months free for annual upfront purchases. (Larger plans are also available for those who need them.)