APEX is a protocol for delegating access to data which is end-to-end encrypted.
See our research paper for details, with additional proofs in the long version.
Demonstration
Our APEX demo consists of two web applications:
- Cloud Drive: a cloud storage service which lets users keep arbitrary files
- Cloud Notes: a web-based application for taking notes using rich text
To try out the applications yourself, simply click the links above.
Additionally, we have produced an Android app to showcase APEX cross-device flows. This is not currently available to try online; however, you may wish to see the source code.
Directions
We have provided some suggested steps you may wish to try to test the full functionality of the demo.
Link accounts
In the Cloud Drive app:
- Create a new account by clicking Sign up.
- You will be taken to the login page. Enter your new credentials and click Login.
In the Cloud Notes app:
- Create a new account by clicking Sign up.
- You will be taken to the login page. Enter your new credentials and click Login.
- Click the Link to MyDrive button.
- Copy the one-time-code (OTC) that is shown. Click Continue.
- Click the Open Provider Agent button. (You may need to allow pop-ups.)
- Click Authorize to grant access to cloud-notes.anon.science.
- You will be prompted for the OTC. Paste it in the text field and press Continue.
This demonstrates how authorisation is delegated using OAuth 2.0 and APEX, and how consumer–provider agent authentication works using the OTC.
Create an unencrypted note
In the Cloud Notes app:
- Click the Create new note button.
- Enter a name for the note. Click OK.
- The note will appear in the left sidebar. Click it to view.
- Enter some text in the area on the right. Click the icon in the toolbar to save.
- Refresh the page and click the note again to confirm that the contents were saved.
This demonstrates a note being created with plain OAuth 2.0.
Create an encrypted note
In the Cloud Notes app:
- Click the Create new APEX note button.
- Enter a name for the note. Click OK.
  A pop-up window should appear displaying first the consumer agent and then the provider agent. These are scripts which run in the browser and encrypt the note on behalf of the user. (You may need to allow pop-ups.)
- The note will appear in the left sidebar. Click it to view.
  The consumer agent and then the provider agent should appear again to decrypt the note received from Cloud Drive.
- Enter some text in the area on the right. Click the icon in the toolbar to save.
  Once again the consumer agent and provider agent appear.
- Refresh the page and click the note again to confirm that the contents were saved.
This demonstrates a note being created with OAuth 2.0 extended with APEX.
Source code
The source code of our demo implementation is available on GitHub. This can be found in the following two repos:
- srcanon/apex-web-demo: contains the frontend and backend code for the Cloud Drive and Cloud Notes web apps
- srcanon/apex-mobile-demo: contains the code for the Cloud Drive Mobile app which allows the user to keep their encryption keys on their mobile device
Performance Metrics
You can see the raw data and code we used to calculate the performance figures given in Section 4 of the paper in this CodePen: APEX Performance Experiment
Advanced steps
You may also obtain your own performance metrics from Cloud Notes by opening Developer Tools in your browser, clicking the Console tab and typing exportTimings() to get the durations of all retrieval operations performed since page load, or exportSaveTimings() to get the same for save operations.