FilePin Security
Overview
FilePin allows users and organizations to upload documents that are only accessible to users within that group.
Uploaded files that are “pinned” to a room, don’t expire, and can be listed/retrieved by the group occupants. The files are encrypted by the server during upload. While browsing the attachments, the client receives the key material necessary to decrypt them.
FilePin is currently only available for iOS users.
Usage
- In the group details page, tap Attachments.
- Then tap Add Attachment.
- Select the file you want to attach.
- The files will now be attached to the group for all users to view.
Security
To retrieve the list of attachments the client queries the list of files attached to a given room by sending an IQ-get to the group.
The server responds with an IQ-result that contains the attachments, each with url, cipher, key, iv, and tag attributes. The url attribute points to the HTTPS URL of the encrypted file, the cipher hard-coded to AES-256-GCM, and the remaining three attributes contain the key material required to decrypt the downloaded file. During the upload process the file is encrypted using AES-256 GCM before storing it.