wiki:BluePrint/Mobile/P2PSync

Version 12 (modified by MichaelRogers, 7 years ago) ( diff )

--

BluePrint: Mobile Client Peer-to-Peer Synchronization

Introduction

Peer-to-peer sync will enable EdenMobile users to synchronize data between mobile devices without being connected to an Eden server. This will allow users to operate and collaborate more easily in areas where internet access is unreliable or unavailable.

Peer-to-peer sync capabilities exist in Serval Mesh and several messaging apps including Briar, Murmur and Anonymouse.

Stakeholders

EdenMobile users will be the primary stakeholders. The data subjects will also be stakeholders, and appropriate access controls to protect the confidentiality, integrity and authenticity of data must be built in. Trainers who teach EdenMobile users how to use the application will need to be aware of the new functionality. If the data being synchronized is ultimately delivered to a server then the people deploying and operating the server will also be stakeholders.

User Stories

User stories document

Requirements

Functional requirements

1. Establishing peer relationships

1.1. Peer visibility

The P2P sync component must be able to make the device it is running on visible to nearby devices in order to establish a peer relationship.

1.2. Peer discovery

The P2P sync component must be able to discover nearby devices that have made themselves visible.

1.3. Peer selection

When peers have been discovered, the P2P sync component must allow the user to choose a device to establish a peer relationship with.

1.4. Peer authentication

When the user has chosen a device to peer with, the P2P sync component must allow the user to authenticate the peer before granting the peer access to any data. The P2P sync component may allow the user to continue without authenticating the peer.

1.5. Peer persistence

When a peer has been authenticated, the P2P sync component may allow the user to store information about the peer, including information that will allow the peer to be authenticated automatically during subsequent connections. If information about a peer has been stored, the P2P sync component must allow the user to revoke the peer's access to data.

2. Destination servers

2.1. Destination server configuration

The P2P sync component may allow the user or an administrator to enter the details of a destination server for the data being synced. If a destination server has been configured, the P2P sync component may deliver data to the server automatically when internet access is available.

3. Data synchronization

3.1. Data selection

The P2P sync component may allow the user to choose which data to synchronize, either with peers in general or with each specific peer. When data is received from a peer, the P2P sync component may automatically choose it for synchronization with other peers.

3.2. Data deletion

The P2P sync component must allow the user to delete data from the device, regardless of whether that data has been chosen for synchronization. The P2P sync component may automatically delete data that has been received from peers, for example on receiving confirmation that the data has been delivered to a destination server.

4. Managing conflicts

4.1. Conflict detection

The P2P sync component must assign an identifier to each item of data chosen for synchronization, such that two peer devices performing synchronization can tell whether they are using the same identifier to refer to the same data.

4.2. Conflict resolution

If a conflict is detected during synchronization, the P2P sync component may resolve the conflict automatically, either by merging the conflicting items or by assigning them distinct identifiers. If a conflict cannot be resolved automatically, the P2P sync component must be able to continue synchronizing other items with the peer. The P2P sync component may inform the user of conflicts that cannot be resolved automatically.

Non-functional requirements

1. Security

1.1. Protection of data in transit

The P2P sync component must ensure the confidentiality, integrity and authenticity of data in transit between peers. If a destination server has been configured, the P2P sync component must ensure the confidentiality, integrity and authenticity of data in transit between mobile devices and the destination server.

1.2. Protection of data at rest

The P2P sync component must ensure the confidentiality, integrity and authenticity of data at rest on mobile devices, to at least the same level of protection as other components of the EdenMobile application.

1.3. Access control

The P2P sync component must authenticate peers, or allow the user to authenticate them, before granting them access to data. If a destination server has been configured, the P2P sync component must authenticate the destination server before granting it access to data.

If a delivery confirmation from a destination server is received, either directly from the server itself or from a peer, the P2P sync component must authenticate the delivery confirmation before acting on it or synchronizing it with peers.

To protect the privacy of data subjects, the P2P sync component may encrypt data before synchronizing it with peers, such that it can only be decrypted by the destination server.

2. Performance

2.1. Power efficiency

The P2P sync component must not significantly reduce the battery life of the device when P2P sync is not being used.

2.2. Communication efficiency

The P2P sync component must not significantly increase the mobile data usage of the device, regardless of whether P2P sync is being used.

Interoperability

For a given deployment, the same version of the EdenMobile app will be used for all mobile devices, which should minimize interoperability issues. The protocols used between peers, and between mobile devices and the destination server, should use version negotiation so that any interoperability issues are detected as early as possible. Interoperability with other applications is not required.

Standards

Communication between mobile devices and the destination server should use HTTPS. If the P2P sync component protects the privacy of data subjects by encrypting data before synchronizing it, this should be done using OpenPGP.

System Constraints

The P2P sync component must operate on mobile devices with limited battery life, storage, and network bandwidth. It must be usable with minimal training and background knowledge. It must tolerate intermittent and unreliable connections between peers, and between mobile devices and the destination server.

Design

There are two design options:

1. Synchronize immutable documents

In this option, the data to be synced consists of immutable documents, each of which originates on one mobile device and is synced to other devices without being modified. Examples of immutable documents might include a completed form or a photo.

Detecting and resolving conflicts is simple in this option: each data item is identified by its cryptographic hash, which ensures that if two items have the same identifier then they also contain the same data.

This option also makes it simple for data to be encrypted on the originating device and decrypted on the destination server.

The destination server confirms delivery of an immutable document by creating a delivery confirmation containing the document's identifier, signed with the server's OpenPGP key. The confirmation can be synced between mobile devices, which can delete the confirmed document if they no longer need a local copy.

2. Synchronize changes to database records

In this option, the data to be synced consists of database records that may be modified independently on any device. This provides maximum flexibility for the application, as anything stored in the database can potentially be synced, but it also requires the application to handle conflicts that may arise from concurrent modification of a given record on multiple devices.

Detecting and resolving conflicts in this option follows a similar approach to CouchDB. Non-conflicting updates are applied automatically. If a conflict occurs, the P2P sync component stores all conflicting versions of the record and asks the application to resolve the conflict, which may require user intervention, either on the mobile device or on the destination server.

This option allows individual database fields to be encrypted on the originating device and decrypted on the destination server, but if a conflict occurs in an encrypted field it may not be possible to resolve it intelligently on the mobile device.

The destination server confirms delivery of a record by creating a delivery confirmation containing the record's identifier and revision, signed with the server's OpenPGP key. The confirmation can be synced between mobile devices, which can delete the confirmed record if they are storing the same revision and no longer need a local copy. Multiple revisions of a given record may be confirmed by the destination server.

Data Model

(e.g. EER or class diagrams)

Workflows

<Diagrams or Pseudocode>

Site Map

<for User Interface solutions>

Wireframes

<for User Interface solutions>

Technologies

Current Implementation

<Leave open for a list of existing implementation of this solution in Sahana Eden:> <*a brief description of the implementation (date/time, name, design options chosen)> <*a link to the code> <*list of deployments of the implementation> <*links to case studies> <*short analysis of achievements/problems>

Planned Implementation

<List of goals for your implementations which you (include your name/github repo/IRC handle) are currently working on>

Future Extensions

<List of features which could be included, but are outside of the scope of this extension>

Outstanding Questions

<Questions about the features or design that haven't been (and need to be) answered>

References

<Links to external resources>


BluePrint

Note: See TracWiki for help on using the wiki.