Rewriting of chapter 5

thesis/bib/bibliography.bib

@@ -83,4 +83,52 @@
   url    = {https://web.archive.org/web/20121109114722/http://blog.diasporafoundation.org/2012/08/27/announcement-diaspora-will-now-be-a-community-project.html},
 }
 
+@InProceedings{graffi2011lifesocial,
+  author    = {K. {Graffi} and C. {Gross} and D. {Stingl} and D. {Hartung} and A. {Kovacevic} and R. {Steinmetz}},
+  title     = {LifeSocial.KOM: A secure and P2P-based solution for online social networks},
+  booktitle = {2011 IEEE Consumer Communications and Networking Conference (CCNC)},
+  year      = {2011},
+  pages     = {554-558},
+  month     = {Jan},
+  doi       = {10.1109/CCNC.2011.5766541},
+  issn      = {2331-9852},
+  keywords  = {authorisation;computer network security;Internet;peer-to-peer computing;quality of service;social networking (online);LifeSocial.KOM;P2P-based solution;Internet;social links;secure online social networks;secure communication;access-controlled storage;monitored quality of service;system providers;crucial operational costs;testbed evaluation;p2p paradigm;Peer to peer computing;Social network services;Monitoring;Cryptography;Bandwidth;Distributed databases;Measurement},
+}
+
+@InProceedings{graffi2008distributed,
+  author       = {Graffi, Kalman and Podrajanski, Sergey and Mukherjee, Patrick and Kovacevic, Aleksandra and Steinmetz, Ralf},
+  title        = {A distributed platform for multimedia communities},
+  booktitle    = {2008 Tenth IEEE International Symposium on Multimedia},
+  year         = {2008},
+  pages        = {208--213},
+  organization = {IEEE},
+}
+
+@InProceedings{graffi2009practical,
+  author       = {Graffi, Kalman and Mukherjee, Patrick and Menges, Burkhard and Hartung, Daniel and Kovacevic, Aleksandra and Steinmetz, Ralf},
+  title        = {Practical security in p2p-based social networks},
+  booktitle    = {2009 IEEE 34th Conference on Local Computer Networks},
+  year         = {2009},
+  pages        = {269--272},
+  organization = {IEEE},
+}
+
+@Misc{google-plus2018shutdown,
+  author = {Ben Smith},
+  title  = {Project Strobe: Protecting your data, improving our third-party APIs, and sunsetting consumer Google+},
+  month  = oct,
+  year   = {2018},
+  note   = {https://www.blog.google/technology/safety-security/project-strobe/},
+  url    = {https://www.blog.google/technology/safety-security/project-strobe/},
+}
+
+@Misc{facebook2017release,
+  author = {Chuck Rossi},
+  title  = {Rapid release at massive scale - Facebook Code},
+  month  = aug,
+  year   = {2017},
+  note   = {https://code.fb.com/web/rapid-release-at-massive-scale/},
+  url    = {https://code.fb.com/web/rapid-release-at-massive-scale/},
+}
+
 @Comment{jabref-meta: databaseType:bibtex;}

thesis/content/05-proof-of-concept.tex

@@ -1,85 +1,35 @@
 \chapter{Proof of Concept}
 \label{ch:proof-of-concept}
+\input{content/05-proof-of-concept/introduction}
 
-The ideas for a hybrid OSN presented in Chapter 4 were implemented with the development of a prototype. The resulting hybrid client for Twitter is presented in this chapter and the important design decisions are presented in a comprehensible way. Essential aspects such as the choice of OSN, the choice of technologies used to develop the app and important features of the client are explained.
+\section{Objective}
+\label{sec:objective}
+\input{content/05-proof-of-concept/objective}
 
-\section{Choosing an OSN}
-\label{sec:choose-osn}
+\section{Selection of the OSN}
+\label{sec:osn-selection}
+\input{content/05-proof-of-concept/osn-selection}
 
-When selecting a suitable OSN for the development of a hybrid client, Facebook was the obvious choice due to the numerous negative headlines about data protection. With over 2 billion users per month, it is currently the most widely used social network in the world. In the recent past, it has often been criticized for its handling of its users' data. In particular, the scandal surrounding the data analysis company Cambridge Analytica, which had access to the data of up to 87 million Facebook users, hit Facebook hard. As a result, CEO Mark Zuckerberg had to face the US Congress and the EU Parliament in question rounds and did not leave a good impression by avoiding many questions. As a result of this scandal, the Facebook API was further restricted.
+\section{Technology Decisions}
+\label{sec:technology-decisions}
+\input{content/05-proof-of-concept/technology-decisions}
 
-However, the Facebook API is not suitable for developing your own client anyway. The functionalities offered by the API offer the possibility to develop an app that can be used within Facebook. For example, it's not possible to make a like for a post using this API. As discussed in chapter 4, it is possible to access the data through crawling. However, the constant and rapid development would make this an arduous undertaking. In a blog entry\footnote{https://code.fb.com/web/rapid-release-at-massive-scale/} Facebook writes that the code changes every few hours. So it is almost impossible to adjust the crawler fast enough and roll out the adjusted code.
+\section{Building Block View}
+\label{sec:building-block-view}
+\input{content/05-proof-of-concept/building-block-view}
 
-If you take a look at the app stores, you will find alternative Facebook clients (e.g. \enquote{Friendly for Facebook}\footnote{https://play.google.com/store/apps/details?id=io.friendly} \footnote{https://itunes.apple.com/de/app/friendly-for-facebook/id400169658}, \enquote{Metal Pro}\footnote{https://play.google.com/store/apps/details?id=com.nam.fbwrapper.pro}). Because Facebook doesn't provide an API and crawling isn't an alternative, these clients must have found a different way. This other way is to display the mobile Facebook page\footnote{https://m.facebook.com/} and manipulate it with injected CSS and JavaScript files. The app itself therefore only offers a container around the mobile Facebook website and modifies it. The changes then often refer only to color changes and links to frequently used pages. In order to adapt the design, knowledge of the page structure and the structure of individual components is necessary. Facebook's fast and frequent code adjustments lead to the fact that the design changes of the app do not work in some places and have to struggle with the same problems as with crawling.
+\section{Runtime View}
+\label{sec:runtime-view}
+\input{content/05-proof-of-concept/runtime-view}
 
-For this number of reasons, Facebook was dropped as OSN for the prototype, despite special interest. Another candidate was the OSN Google Plus, because Google announced in October 2018\footnote{https://www.blog.google/technology/safety-security/project-strobe/} it will discontinue its OSN.
+\section{Security}
+\label{sec:security}
+\input{content/05-proof-of-concept/security}
 
-Ultimately, the OSN's choice for the prototype fell on Twitter. With 336 million active users per month, it is one of the largest social networks. It is particularly well suited for the development of a hybrid client for two reasons: on the one hand, it has a detailed API that provides almost the full functionality free of charge, and on the other hand, compared to Facebook, it offers only a few simple functions. These are the ideal prerequisites for a first proof of concept. In order to use the API, an application must be registered for which an API key is then assigned. This API key entitles the user to use the API and must be sent with every request to the API in the request header. Use of the API is limited. The limitation depends on the app and the user.
+\section{Providing Insights to the Service Provider}
+\label{sec:insights}
+\input{content/05-proof-of-concept/insights}
 
-\section{Twitter API}
-\label{sec:twitter-api}
-
-Twitter offers different APIs for developers that serve different purposes. The current APIs are:
-\begin{itemize}
-	\item \textbf{Standard API}: the free and public API offering basic query functionality and foundational access to Twitter data.
-	\item \textbf{Premium API}: introduced in November 2017 to close the gap between Standard and Entrprise API. Improvements over the standard API: \enquote{more Tweets per request, higher rate limits, a counts endpoint that returns time-series counts of Tweets, more complex queries and metadata enrichments, such as expanded URLs and improved profile geo information}\footnote{https://blog.twitter.com/developer/en\_us/topics/tools/2017/introducing-twitter-premium-apis.html}. Prices to use this API start at 149\$/month.
-	\item \textbf{Enterprise API}: 
-	\item \textbf{Ads API}: this API is only of interest for creating and managing ad campaigns.
-	\item \textbf{Twitter for websites}: this is more a suite of tools than an API. It's free to use and enables people to embed tweets and tweet buttons on their website.
-\end{itemize}
-
-In the case of the hybrid client, the standard API is the right one. In order to use this API you first have to create a \enquote{Twitter App}. After registering you will get a consumer key and access token. These two authentication tokens are required to log in users via their own app and successfully execute requests to the API.
-
-Twitter offers almost the entire range of functions via the API. The lack of functionalities (such as querying Reply to a Tweet or the search results come only from the last days) are not so difficult. A major limitation is the limitation on the number of requests. This is to prevent Twitter being exposed to too much load. It also aims to prevent bots from abusing Twitter. The exact limits can be found on a help page\footnote{https://developer.twitter.com/en/docs/basics/rate-limits}. In the app stores of Google and Apple, there are a number of alternative Twitter clients (Twitterific\footnote{https://itunes.apple.com/de/app/twitterrific-5-for-twitter/id580311103?mt=8}, [more examples ...]), which are also subject to these restrictions in terms of functionality and limitation.
-
-Basically, the API can be used via http requests. The data exchanged are available in JSON format. However, there are also various libraries, some of which are developed directly by Twitter and greatly simplify the use of the API.
-
-\section{P2P Network}
-\label{sec:p2p-network}
-Now Twitter is to be extended by a P2P network through which data can be exchanged safely and in particular without the knowledge of Twitter. Basically, there are two conceivable approaches for the P2P network:
-
-\begin{itemize}
-	\item Creation of a separate P2P network between the hybrid client apps
-	\item Use of an existing P2P network for your own purposes
-\end{itemize}
-
-These two approaches are presented and discussed below.
-
-\subsection{Creation of a P2P network}
-\label{sec:create-p2p-network}
-
-The advantage of having your own P2P network is that you have it completely under control. Accordingly, it can be designed to fit exactly to the use case and require little or no compromise. However, setting up your own P2P network is a big challenge and some hurdles must be overcome. These challenges include peer discovery (how peers find each other), global data exchange over the Internet and data storage, and availability of the stored data. And of course, all these requirments must scale so it will work for P2P networks with only a few peers and also for a few thousand or even more peers. Two approaches are conceivable here: the use of an established standard such as Wi-Fi Dircet or WebRTC or the use of a library (for example Hive2Hive, Y-Js) to create a dedicated P2P network.
-
-\subsubsection{Wi-Fi Direct}
-Wi-Fi Direct is a standard (IEEE 802.11) for data transmission between two WLAN terminals. There is no need for an access point between the two devices. However, the distance that may lie between the two peers is thus limited. Without obstacles, which contribute to the attenuation of the signal, a distance of up to 95m is possible. In buildings, it sinks to 32m or less. However, the requirement for the P2P network to expand Twitter is different. Users can be scattered around the world and may be online through the mobile network. There is no P2P connection via Wi-Fi Dircet in this case.
-
-\subsubsection{WebRTC}
-WebRTC (Web Real-Time Communication) is an open standard that provides various communication protocols for real-time communication between two or more peers. Above all, WebRTC is popular for its ability to easily perform video calls, as known from Skype, in the browser without a server. But also the file transfer between peers is possible. In a separate P2P network, data could be exchanged between the clients. However, the connection between the clients is complex, since in addition to the two peers also a STUN server and optionally a TURN server is involved. Furthermore, it is unclear whether the system scales. At least for Google Chrome browser is known that a maximum of 265 connections to other peers can be maintained in parallel.
-
-\subsubsection{Y-JS}
-The JavaScript library Y-JS describes itself as \enquote{a framework for offline-first p2p shared editing on structured data-like text, richtext, json, or XML.} The library takes care of solving synchronization conflicts when editing distributed files. By choosing a connector, you can set the protocol for the communication between the peers.There is the possibility to use WebRTC, XMPP or Websockets, but with some connectors running a server is a prerequisite. Further extensions can be used to supplement a database and data types, but the focus here is on the joint editing of data by multiple peers. For all connectors, the authors of the library recommend using an own server.
-
-\subsubsection{Hive2Hive}
-Hive2Hive is a Java library for \enquote{secure, distributed, P2P-based file synchronization and sharing}. There is no less promise than \enquote{a free and open-sourced, distributed and scalable solution that focuses on maximum security and privacy of both users and data}. In order to be able to use Hive2Hive globally via the Internet, it is necessary to operate at least one relay peer - five are recommended\footnote{https://github.com/Hive2Hive/Android/wiki/Guide-for-System-Admins}. Since a permanent TCP connection between peer and relay peer is maintained, the power consumption is quite high. Constant TCP connection can be avoided by using Google Cloud Messaging (GCM). However, Google has already discontinued this service. And since the development of Hive2Hive was discontinued in March 2015 too, there is currently no solution to this problem.
-
-\subsubsection{GUN}
-GUN is a graph database that keeps a state in sync across multiple instances. GUN is written in JavaScript and unlike Hive2Hive and Y-JS, the project is still being worked on.
-
-\textit{todo...}
-
-\subsubsection{Conclusion}
-While there are ways to build your own P2P network and exchange data about it, this can only be done on a local level easily. Although there is a standard with WebRTC that can connect multiple clients, this is not appropriate for a P2P network to extend an OSN due to its lack of scalability. To keep data available and to ensure successful and effective peer discovery, running your own infrastructure with servers permanently accessible from a static address is inevitable. The benefits of an always reachable server and the low cost of operation could be one of the reasons why P2P solutions are so unpopular and there are only few outdated libraries.
-
-\subsection{Using an Existing P2P Network}
-\label{sec:using-existing-p2p-network}
-As mentioned in the previous section, setting up your own P2P network involves a number of challenges. If you use an already existing P2P network for your own purpose, these challenges can be elegantly avoided. For this purpose, however, a suitable P2P network must be found whose properties and possible uses meet the requirements of the hybrid OSN client.
-
-In the following, various P2P networks are considered and examined for their usability for a potential deployment to extend an OSN. It is based on the requirements set out in the previous chapter.
-
-\subsubsection{Filesharing P2P Networks}
-
-\subsubsection{Distributed Apps - Blockchain}
-
-\subsubsection{Conclusion}
 \section{Summary}
-\label{sec:proof-of-concept-summary}
+\label{sec:proof-of-concept-summary}
+\input{content/05-proof-of-concept/summary}

thesis/content/05-proof-of-concept/building-block-view.tex

@@ -0,0 +1,86 @@
+In this section, the context in which Hybrid OSN is located is first considered and then a breakdown into the individual components is carried out. The function of the respective blocks is then described in more detail. Finally, the function of certain components in interaction is explained using the examples of displaying the home timeline and posting a new tweet.
+
+\subsection{Scope and Context}
+\label{sec:scope-and-context}
+Figure \ref{fig:building-block-view} shows a black box view of which other systems Hybrid OSN communicates with via interfaces. The systems are:
+
+\begin{itemize}
+	\item Twitter API
+	\item Gun
+	\item IPFS via Infura
+	\item User 
+\end{itemize}
+
+Infura\footnote{https://infura.io/} is a service that provides access to Ethereum and IPFS via a simple interface. Communication with the API happens using simple HTTP requests. The connection of IPFS in hybrid OSN can thus be carried out in an uncomplicated way. The use of an additional system entails typically an additional risk. However, there is a JavaScript client for IPFS, which can be integrated into hybrid OSN and thus the dependency on Infura would be omitted. At the present time and for the development of the prototype, the decision was made to use Infura for reasons of simplicity. Infura can be used for IPFS free of charge and without registration.
+
+\begin{figure}[h!]
+	\centering
+	\includegraphics[width=1.0\textwidth]{building-block-view}
+	\caption{.}
+	\label{fig:building-block-view}
+\end{figure}
+
+\subsection{White Box View}
+\label{sec:white-box}
+
+The used Ionic Framework uses Angular in the core, in the concrete case of hybrid OSN Angular 5.2 is used. Accordingly, the hybrid OSN App is in principle an Angular application. The essential building blocks are components, pages and providers. In the following, these components are described in detail and examples are given of where they are used in hybrid OSN.
+
+\subsubsection{Providers}
+\label{providers}
+Data access is performed using providers (known as services in Angular). For the external services (Twitter API, P2P database, P2P storage), there is one provider each to handle the communication. In addition, providers are used as helper classes that provide a certain functionality that is used several times. This includes, for example, encryption and decryption and the compilation of aggregated timelines. Providers are injected into components using the constructor. Table \ref{tab:providers} lists all providers used in hybrid OSN and their functional descriptions.
+
+\begin{table}[h!]
+	\begin{tabularx}{\textwidth}{|l|X|}
+		\hline
+		\textbf{Provider} & \textbf{Purpose}                                                                             \\ \hline
+		Auth              & Manage and perform authentication against the Twitter API. Responsible for login and logout. \\ \hline
+		Crypto            & Provides methods for encryption, decryption, and key generation                              \\ \hline
+		Feed              & Aggregation of private (P2P) and public (Twitter) tweets to compose a chronological timeline \\ \hline
+		P2P-Database-Gun  & Interface for data exchange with Gun                                                         \\ \hline
+		P2P-Storage-IPFS  & Interface for data exchange with IPFS via Infura                                             \\ \hline
+		Twitter-API       & Interface to use the Twitter API using the Twit package                                      \\ \hline
+	\end{tabularx}
+	\caption{Providers used in the hybrid OSN app in alphabetical order with their purpose.}
+	\label{tab:providers}
+\end{table}
+
+\subsubsection{Components}
+\label{sec:components}
+Components are the basic building blocks of a user interface. Figure \ref{fig:component-example} shows an example for the representation of a tweet in hybrid OSN using various components. A component consists of an HTML template, CSS styling and JavaScript logic, whereby the logic is typically limited to a minimum. Components can be used as elements in other components or pages. A component is given the data it is supposed to visualize. Furthermore, components can process events or return them to parent components for handling.
+
+\begin{figure}[h!]
+	\centering
+	\includegraphics[width=1.0\textwidth]{component-example}
+	\caption{Composition of the tweet component from three other components. Several tweet components are in turn combined to form a feed component.}
+	\label{fig:component-example}
+\end{figure}
+
+\subsubsection{Pages}
+\label{pages}
+Pages are special components that are used as a holistic view. A page is made up of several other components. The data to be displayed is loaded using providers. To be able to navigate between the individual pages within the app, the model of a stack is used (implemented by the NavController). The currently visible page is at the top of the stack. When another page is called, it is pushed onto the stack. Pressing \enquote{Back} removes the top page from the stack and displays the page below it.
+
+Table \ref{tab:pages} lists all pages and their purpose. When the app is opened, it checks whether the user is already logged in. Depending on this, the user starts with the Login Page or the Home Page.
+
+\begin{table}[h!]
+	\begin{tabularx}{\textwidth}{|l|X|}
+		\hline
+		\textbf{Page}                 & \textbf{Purpose}                                                                                                                         \\ \hline
+		About                         & Information about the app, which can be accessed via the login page to get basic information about the app before logging in             \\ \hline
+		Home                          & Chronological view of the latest tweets from Twitter and the private network                                                             \\ \hline
+		Login                         & Authentication against Twitter to use the Twitter API                                                                                    \\ \hline
+		Profile                       & Presentation of a user profile consisting of the user data (profile picture, brief description, location, website) and the user timeline \\ \hline
+		Search                        & Container page for searching for tweets and users, where tweets are also divided into popular and recent (see Search-Reuslts-Tweets-Tab) \\ \hline
+		Search-Reuslts-Tweets-Popular & Search results of currently popular tweets for a given keyword                                                                           \\ \hline
+		Search-Reuslts-Tweets-Recent  & Search results of recent tweets for a given keyword                                                                                      \\ \hline
+		Search-Reuslts-Tweets-Tab     & Container page for the search results for tweets (recent and popular) in tabs                                                            \\ \hline
+		Search-Reuslts-Users          & Search results of users for a given keyword                                                                                              \\ \hline
+		Settings                      & Configuration of keywords that trigger the private mode and settings regarding encryption                                                \\ \hline
+		Write-Tweet                   & Form for writing a tweet                                                                                                                 \\ \hline
+	\end{tabularx}
+	\caption{Pages used in the hybrid OSN app in alphabetical order with their purpose.}
+	\label{tab:pages}
+\end{table}
+
+\subsubsection{Local Storage}
+\label{sec:local-storage}
+As the name suggests, this is a local storage that the app has access to. With hybrid OSN, this memory is used to store the essential information for usage. These include the Twitter user id, the two tokens for accessing the Twitter API, the keywords that trigger the private mode, and private and public keys for encryption. Logout completely deletes the local storage.

thesis/content/05-proof-of-concept/insights.tex

@@ -0,0 +1,9 @@
+The requirements mentioned in \ref{sec:requirements} also include the provision of anonymized data for the OSN service provider. Since the business model of Twitter is based on personal data and therefore the interests of hybrid OSN are contrary to those of Twitter, the fulfillment of this requirement is extremely complex.
+
+A prominent feature of Twitter is the analysis and promotion of trends. The trends are identified by means of frequently used hash tags and presented in a ranking. Such data can also be collected and evaluated in the private network without having to establish a connection to the users.
+
+To collect this information, when a new tweet is posted to the private network, the contained hashtags are extracted and stored separately (see flowchart Figure \ref{fig:post-tweet-flow-chart}). Similar to the presentation of trends on Twitter, the trends in the private network are also aggregated on a daily basis and presented on a website (see Figure X).
+
+[Screenshot Twitter Trends – Screenshot P2P Private Trends]
+
+Due to the fact that Gun is JavaScript-based and therefore executable in the web browser, access to the data from a simple HTML web page can be performed using JavaScript code. The raw data is loaded and then aggregated and displayed.

thesis/content/05-proof-of-concept/introduction.tex

@@ -0,0 +1 @@
+After working out the concept of a hybrid OSN in the previous chapter \ref{ch:concept}, this chapter presents a proof of concept in the form of a special Twitter client for Android. The previously described solution strategies as well as functional and non-functional requirements actively influenced the development of the client, and attention was also paid to compliance with the defined quality goals. In the following, the decisions made are explained and the resulting architecture is presented.

thesis/content/05-proof-of-concept/objective.tex

@@ -0,0 +1,7 @@
+With the proof of concept, the basic feasibility of the idea of an extension of an established OSN by a secure data exchange should be proven. Within the framework of this thesis, the task was to provide the proof of concept as a native Android app. With regard to the architecture, the focus from the beginning was on a peer 2 peer solution, which is why a solution with its own additional servers was not pursued further in the development of the prototype. Furthermore, an interface should be available for the service provider of the OSN, through which anonymized information can be obtained from the privately exchanged data.
+
+Even though the implementation by add-on, as shown in the previous chapter as a possible solution strategy, was thus fundamentally ruled out, the decisions were nevertheless based on considerations as to how users of such an extension could also be part of the P2P network.
+
+Since it is only a proof of concept, the mapping of the complete functionality of the OSN was not in the foreground. But, again, this was taken into account by considerations and decisions, how for example data formats can be arranged so flexibly that every functionality can be mapped.
+
+In addition, the focus was on compliance with the quality objectives and implementation of the functional and non-functional requirements as defined in the previous chapter. How well this has been achieved will be evaluated in the following chapters for evaluation and subsequent discussion.

thesis/content/05-proof-of-concept/osn-selection.tex

@@ -0,0 +1,24 @@
+When selecting a suitable OSN for the development of a hybrid client, Facebook was the obvious choice due to the numerous negative headlines about data protection. With over 2 billion users per month, it is currently the most widely used social network in the world. In the recent past, it has often been criticized for its handling of its users' data. In particular, the scandal surrounding the data analysis company Cambridge Analytica, which had access to the data of up to 87 million users, hit Facebook hard. As a result, CEO Mark Zuckerberg had to face the US Congress and the EU Parliament in question rounds and did not leave a good impression by avoiding many questions. As a result of this scandal, the Facebook API was further restricted.
+
+However, the Facebook API is not suitable for developing an own client anyway. The functionalities offered by the API offer the possibility to develop an app that can be used within Facebook, for example for a game. So, it is not possible to make a like for a post through this API, which is part of the core functionality of a Facebook client. As discussed in Chapter 4, it is possible to access the data through crawling. However, the constant and rapid development would make this an arduous undertaking. Facebook writes in a blog entry\cite{facebook2017release} that the code changes every few hours. Therefore it is almost impossible to adjust the crawler fast enough and roll out the adjusted code.
+
+Even the mixed version of displaying and manipulating the mobile website in a WebView in a container app does not seem to be an option due to the short release cycles and frequent changes. Apps like "Friendly for Facebook" don't manage to keep up with the changes. The result is erroneous representations that worsen the user experience.
+
+For this number of reasons, Facebook dropped out as OSN candidate for the prototype despite the special interest. As a further candidate, the OSN Google Plus was dropped, as Google announced in October 2018 that it would discontinue its OSN\cite{google-plus2018shutdown}.
+
+In the end, Twitter was chosen for the prototype. With 336 million active users per month, it is one of the largest social networks. It is particularly well suited for the development of a hybrid client for two reasons: on the one hand, it has a detailed API that provides almost full functionality free of charge, and on the other hand, compared to Facebook, it offers only a few simple functions. These are the ideal prerequisites for a first proof of concept.
+
+Twitter offers different APIs for developers that serve different purposes. The current APIs are:
+\begin{itemize}
+	\item \textbf{Standard API}: the free and public API offering basic query functionality and foundational access to Twitter data.
+	\item \textbf{Premium API}: introduced in November 2017 to close the gap between Standard and Entrprise API. Improvements over the standard API: \enquote{more Tweets per request, higher rate limits, a counts endpoint that returns time-series counts of Tweets, more complex queries and metadata enrichments, such as expanded URLs and improved profile geo information}\footnote{https://blog.twitter.com/developer/en\_us/topics/tools/2017/introducing-twitter-premium-apis.html}. Prices to use this API start at 149\$/month.
+	\item \textbf{Enterprise API}: tailored packages with annual contracts for those who depend on Twitter data.
+	\item \textbf{Ads API}: this API is only of interest for creating and managing ad campaigns.
+	\item \textbf{Twitter for websites}: this is more a suite of tools than an API. It's free to use and enables people to embed tweets and tweet buttons on their website.
+\end{itemize}
+
+In the case of the hybrid client, the standard API is the right one. In order to use this API you first have to create a \enquote{Twitter App}. After registering you will get a consumer key and access token. These two authentication tokens are required to log in users via their own app and successfully execute requests to the API.
+
+Twitter offers almost the entire range of functions via the API. The lack of functionalities (such as querying Reply to a Tweet or the search results come only from the last days) are not so difficult. A major limitation is the limitation on the number of requests. This is to prevent Twitter being exposed to too much load. It also aims to prevent bots from abusing Twitter. The exact limits can be found on a help page\footnote{https://developer.twitter.com/en/docs/basics/rate-limits}. In the app stores of Google and Apple, there are a number of alternative Twitter clients (Twitterific\footnote{https://itunes.apple.com/de/app/twitterrific-5-for-twitter/id580311103?mt=8}, Talon for Twitter\footnote{https://play.google.com/store/apps/details?id=com.klinker.android.twitter\_l}, Fenix 2 for Twitter\footnote{https://play.google.com/store/apps/details?id=it.mvilla.android.fenix2}), which are also subject to these restrictions in terms of functionality and limitation.
+
+Basically, the API can be used via HTTP requests. The data exchanged are available in JSON format. However, there are also various libraries (e.g. Twit\footnote{https://github.com/ttezel/twit}), some of which are developed directly by Twitter (see Twitter Kit for Android\footnote{https://github.com/twitter/twitter-kit-android} or iOS\footnote{https://github.com/twitter/twitter-kit-ios}) and greatly simplify the use of the API.

thesis/content/05-proof-of-concept/runtime-view.tex

@@ -0,0 +1,59 @@
+This section describes concrete processes and relationships between building blocks for two selected scenarios. The first is to write and post a tweet and the second is to display the home timeline. In addition to the description, the two scenarios are also documented by flowcharts.
+
+The goal is to make clear how the building blocks of the system perform their respective tasks and communicate with each other at runtime. The two scenarios were therefore deliberately selected because they are of particular importance and require special documentation due to their complexity.
+
+\subsection{Post a Tweet}
+\label{sec:post-a-tweet}
+
+On the write-tweet page, new tweets can be written and posted using a form. In addition to the input field for the message text, there is also a status display that informs the user about the character limit, a switch that decides about the target network, and a button to send. The process of writing and publishing a tweet is shown in the flow chart in Figure \ref{fig:post-tweet-flow-chart}. Figure \ref{fig:post-tweet-building-block-view} shows the involved components in the block view.
+
+\begin{figure}[h!]
+	\centering
+	\includegraphics[width=1.0\textwidth]{post-tweet-flow-chart}
+	\caption{Flow chart of the process for posting a new tweet either on the public Twitter network or on the private P2P network}
+	\label{fig:post-tweet-flow-chart}
+\end{figure}
+
+\begin{figure}[h!]
+	\centering
+	\includegraphics[width=1.0\textwidth]{post-tweet-building-block-view}
+	\caption{Building block view of the interaction between the different modules when posting a new tweet}
+	\label{fig:post-tweet-building-block-view}
+\end{figure}
+
+After entering the message in the input field, determining the destination network, and pressing the \enquote{TWEET!} button, processing starts in the WriteTweetPage class. If the message is destined for Twitter, the Twitter API provider sends a HTTP POST request with the data to the \texttt{statuses/update}\footnote{https://developer.twitter.com/en/docs/tweets/post-and-engage/api-reference/post-statuses-update} interface. In this case, nothing more needs to be done, as the Twitter API takes over the preparation of the data and extracts, for example, hashtags, mentions and URLs.
+
+When publishing in the private network, the system first checks whether the public key has already been published. The Crypto provider performs this check using the Twitter API provider (for further information about the handling of public keys see the section about security \ref{sec:security}). If the public key has not yet been published, the user receives a warning and the posting process is aborted. Otherwise the private tweet will be constructed. The entered text is converted into a simplified tweet object (see Twitter documentation for original tweet object\footnote{https://developer.twitter.com/en/docs/tweets/data-dictionary/overview/tweet-object.html}) that contains the essential information.
+
+Beside the message (\texttt{full\_text}) the Twitter user id (\texttt{user\_id}) and the timestamp (\texttt{created\_at}) are set. In addition, there is a flag (\texttt{private\_tweet: true}) to distinguish the private tweet, which later influences the design. The \texttt{display\_text\_range} indicates the beginning and end of the relevant part in \texttt{full\_text}. For private tweets this is always the entire text, for tweets from the Twitter API an additional URL may be appended, which is not necessary due to clipping. Furthermore, the tweet entities are extracted. This includes URLs, hashtags and user mentions. An example of a private tweet is shown in Listing \ref{listing:private-tweet}.
+
+\lstinputlisting[label=listing:private-tweet, caption=Private Tweet in JSON format]{listings/private-tweet.json}
+
+The encryption of the private tweet data is performed by the crypto provider. The RSA algorithm is used for asymmetrical encryption. The encrypted data is transmitted via the P2P storage provider via POST request to Infura for storage in IPFS. The response contains the hash under which the data can be found in IPFS. This hash is stored in Gun together with the time stamp and the author's Twitter user id. This is done through the P2P DB provider. In addition, the previously extracted hash tags with the time stamp are also stored in Gun with the same provider, so that the data in the dashboard is accessible to the service provider without having to draw conclusions about individual users.
+
+\subsection{Load the Home Timeline}
+\label{sec:load-home-timeline}
+
+When opening the home page, the logged in user gets the latest tweets of the accounts he follows chronologically presented. The tweets are loaded in batches of 20 tweets from the Twitter API and enriched with the private tweets for this time period. If the user scrolls to the end of the feed, the reloading of the next batch is triggered and automatically inserted at the end. A pull to refresh can be triggered at the top of the feed. The process is shown in Figure \ref{fig:home-timeline-flow-chart} as a flow chart and in Figure \ref{fig:home-timeline-building-block-view} as a building block view of the interacting components.
+
+\begin{figure}[h!]
+	\centering
+	\includegraphics[width=1.0\textwidth]{home-timeline-flow-chart}
+	\caption{Flow chart of the process for loading the home timeline for a user}
+	\label{fig:home-timeline-flow-chart}
+\end{figure}
+
+\begin{figure}[h!]
+	\centering
+	\includegraphics[width=1.0\textwidth]{home-timeline-building-block-view}
+	\caption{Building block view of the interaction between the different modules when loading the home timeline of a user}
+	\label{fig:home-timeline-building-block-view}
+\end{figure}
+
+Starting point is the home page, which is accessed by the user. Using several components, the data obtained from the feed provider is displayed. Using the Twitter API provider, the feed provider loads the latest 20 timeline tweets via the corresponding interface (\texttt{statuses/home\_timeline}\footnote{https://developer.twitter.com/en/docs/tweets/timelines/api-reference/get-statuses-home\_timeline.html}) via a HTTP GET request.
+
+The next step is to load the private tweets that match the time period marked by the current timestamp and timestamp of the 20th (the oldest) tweet. Furthermore, the user ids of the users the user follows (so called friends) are required. These must initially be requested from the Twitter API (\texttt{friends/list}\footnote{https://developer.twitter.com/en/docs/accounts-and-users/follow-search-get-users/api-reference/get-friends-list}) via the Twitter Feed provider using a HTTP GET request. The loaded user ids are cached in order to keep the number of requests to the Twitter API to a minimum for later loading processes. For each user id a lookup for private tweets in the given time span is performed. This is done by the P2P DB provider who queries Gun. If there are private tweets, the hashs for IPFS are returned together with the \texttt{created\_at} timestamp. If no private tweets are available for the period, the feed provider returns the data of the public tweets to the home page.
+
+Otherwise, the private tweets must be loaded and decrypted. First, the P2P Storage provider is used to load the data behind the hash addresses from IPFS via Infura. For this purpose, the hash is transferred to Infura with a HTTP GET request and the data is received from IPFS as response. To decrypt the data, the author's public key is required. The public key is stored in the user's public key history. This is loaded and decrypted via the Crypto provider, which in turn uses the Twitter API provider. The private tweet is then decrypted with the appropriate public key.
+
+Finally, the private and public tweets are merged and sorted according to their \texttt{created\_at} timestamp in descending order. This data is returned to the home page. If the user triggers a reload by reaching the end of the feed or by pull to refresh, the previously described process starts again.

thesis/content/05-proof-of-concept/security.tex

@@ -0,0 +1,30 @@
+Usually, asymmetric or a combination of asymmetric and symmetric encryption methods are used for secure message exchange. The advantage of asymmetric encryption methods is that messages can be encrypted with the known public key and can then only be decrypted by the owner of the private key. The private key cannot be determined from the public key within a reasonable time. However, asymmetric encryption methods are more computationally intensive and therefore more time-consuming than symmetric encryption methods. For this reason, a combination of both methods can be used to first exchange a symmetric key using asymmetric encryption. This ensures that only the two parties are aware of the symmetric key, which can then be used for symmetric encryption of the communication.
+
+Tweets are usually posted publicly on Twitter. Only those who explicitly set their profile to "private" can decide who they allow as followers and thus recipients of their tweets. This type of publication and visibility should also apply to private networks. Since it is unclear who is the recipient of a private tweet, it is not possible to encrypt the message with the recipient's public keys.
+
+The following three requirements apply to encryption:
+\begin{enumerate}
+	\item The author can be verified. It is not possible to distribute tweets on behalf of another user on the P2P network.
+	\item A private tweet should have the same visibility to other users as a standard tweet on Twitter.
+	\item The service provider (Twitter) must not be able to decrypt private tweets or associate them with a user. 
+\end{enumerate}
+
+Concrete actions can be concluded to meet these requirements:
+\begin{enumerate}
+	\item Private tweets must be signed or asymmetrically encrypted so that the author can be clearly identified.
+	\item The public key with which the tweets can be decrypted must be distributed over the user's profile. This is the only way to ensure that only authorized users can access the key and that the public key belongs to a specific user without any doubt.
+	\item The hybrid OSN application must encrypt the public keys so that Twitter cannot read them and therefore cannot decrypt the private tweets.
+\end{enumerate}
+
+\subsection{Realization}
+\label{sec:security-relaization}
+
+In the settings, an (asymmetric) key pair can be stored or generated, which is used to encrypt the private tweets. The RSA-OAEP algorithm is used here. Furthermore, the public key can be published on the settings page by clicking on a particular button. The new key together with the current timestamp is recorded in the public key history of the user and stored in IPFS. Listing \ref{listing:public-key-history} shows an example for the public key history. In JSON format, public key and validity start are stored in an array. The address at which the public key history can be retrieved is posted as a normal tweet in the user's timeline during publication. So that this tweet can be found quickly and easily, the id of this tweet is entered in the profile description of the user.
+
+\lstinputlisting[label=listing:public-key-history, caption=Public key history in JSON format. The file is symmetrically encrypted before storing on IPFS.]{listings/key-history.json}
+
+This ensures that only users who can read the user's normal tweets have access to the user's public keys. The history allows you to change the key pair and still ensure that older private tweets can be decrypted.
+
+Since Twitter has access to all the data stored on its servers, it can also find the link to the public key history. It must therefore be prevented that Twitter can decrypt the private tweets of the user by retrieving the public key history. For this reason, the public key history is additionally encrypted symmetrically with the AES-GCM algorithm. The key is stored in the hybrid OSN app and therefore unknown to Twitter.
+
+When writing a new, private tweet, the system checks whether the public key has been published before posting. Only if this is fulfilled will the private tweet be encrypted with the private key and posted.

thesis/content/05-proof-of-concept/technology-decisions.tex

@@ -0,0 +1,52 @@
+In order to implement the concept in the best possible way, some technology decisions had to be made. These included the implementation of the data exchange on a peer-to-peer basis and the choice of a framework for the development of the app. In the following, different technologies and libraries are presented that were considered for the implementation.
+
+\subsection{Peer 2 Peer Network}
+\label{sec:p2p-network-technology}
+Basically, there are two conceivable approaches for the P2P network:
+
+\begin{itemize}
+	\item Creation of a separate P2P network between the hybrid clients
+	\item Use of an existing P2P network for own purpose
+\end{itemize}
+
+In the following, solutions for both ways are presented and compared with each other.
+
+\subsubsection{Creation of a P2P Network}
+\label{sec:create-p2p-network}
+The advantage of having an extra P2P network is that it is completely under control. Accordingly, it can be designed to fit exactly to the use case and require little or no compromise. However, setting up a P2P network is a big challenge and some hurdles must be overcome. These challenges include peer discovery (how peers find each other), global data exchange over the Internet and data storage, and availability of the stored data. And of course, all these requirements must scale. It should work for P2P networks with only a few peers and also for a few thousand or even more peers. Two approaches are conceivable here: the use of an established standard such as Wi-Fi Dircet or WebRTC or the use of a library (for example Hive2Hive, Y-Js) to create a dedicated P2P network.
+
+\subsubsection*{Wi-Fi Direct}
+Wi-Fi Direct is a standard (IEEE 802.11) for data transmission between two WLAN terminals. There is no need for an access point between the two devices. However, the distance that may lie between the two peers is thus limited. Without obstacles, which contribute to the attenuation of the signal, a distance of up to 95m is possible. In buildings, it sinks to 32m or less. However, the requirement for the P2P network to expand Twitter is different. Users can be scattered around the world and may be online through the mobile network. There is no P2P connection via Wi-Fi Dircet in this case.
+
+\subsubsection*{WebRTC}
+WebRTC (Web Real-Time Communication) is an open standard that provides various communication protocols for real-time communication between two or more peers. Above all, WebRTC is popular for its ability to easily perform video calls, as known from Skype, in the browser without a server. But also the file transfer between peers is possible. In a separate P2P network, data could be exchanged between the clients. However, the connection between the clients is complex, since in addition to the two peers also a STUN server and optionally a TURN server is involved. Furthermore, it is unclear whether the system scales. At least for Google Chrome browser is known that a maximum of 265 connections to other peers can be maintained in parallel.
+
+\subsubsection*{Y-JS}
+The JavaScript library Y-JS describes itself as \enquote{a framework for offline-first P2P shared editing on structured data-like text, richtext, json, or XML.} The library takes care of solving synchronization conflicts when editing distributed files. By choosing a connector, you can set the protocol for the communication between the peers.There is the possibility to use WebRTC, XMPP or Websockets, but with some connectors running a server is a prerequisite. Further extensions can be used to supplement a database and data types, but the focus here is on the joint editing of data by multiple peers. For all connectors, the authors of the library recommend using an own server.
+
+\subsubsection*{Hive2Hive}
+Hive2Hive is a Java library for \enquote{secure, distributed, P2P-based file synchronization and sharing}. There is no less promise than \enquote{a free and open-sourced, distributed and scalable solution that focuses on maximum security and privacy of both users and data}. In order to be able to use Hive2Hive globally via the Internet, it is necessary to operate at least one relay peer - five are recommended\footnote{https://github.com/Hive2Hive/Android/wiki/Guide-for-System-Admins}. Since a permanent TCP connection between peer and relay peer is maintained, the power consumption is quite high. Constant TCP connection can be avoided by using Google Cloud Messaging (GCM). However, Google has already discontinued this service. And since the development of Hive2Hive was discontinued in March 2015 too, there is currently no solution to this problem.
+
+\subsubsection*{GUN}
+GUN is a graph database that keeps a state in sync across multiple instances. GUN is written in JavaScript and unlike Hive2Hive and Y-JS, the project is still being worked on.
+
+\textit{todo...}
+
+\subsection{Using an Existing P2P Network}
+\label{sec:using-existing-p2p-network}
+As mentioned in the previous section, setting up your own P2P network involves a number of challenges. If you use an already existing P2P network for your own purpose, these challenges can be elegantly avoided. For this purpose, however, a suitable P2P network must be found whose properties and possible uses meet the requirements of the hybrid OSN client.
+
+In the following, various P2P networks are considered and examined for their usability for a potential deployment to extend an OSN.
+
+\subsubsection*{Filesharing P2P Networks}
+
+\subsubsection*{Blockchain}
+
+\subsubsection*{IPFS}
+
+\subsubsection{Conclusion}
+
+\subsection{Application Framework}
+\label{sec:application-framework}
+
+[Standard Android Java App vs. Ionic]

thesis/listings/key-history.json

@@ -0,0 +1,20 @@
+{
+   "keys":[
+      {
+         "key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCNZiscdaUuJ8pUFkPkTAh6oq...",
+         "validFrom":1548591435051
+      },
+      {
+         "key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+14hMkrRfSwCTfbmkS+m6MQ...",
+         "validFrom":1548193838409
+      },
+      {
+         "key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5rYHZljdPXozCNCX86N8CTY...",
+         "validFrom":1546382473017
+      },
+      {
+         "key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCjssLPklHgNX/KyPACLOQAmB...",
+         "validFrom":1545945585132
+      }
+   ]
+}

thesis/listings/private-tweet.json

@@ -0,0 +1,23 @@
+{
+  "full_text": "Hello @twitter #hi",
+  "user_id": "3237049834",
+  "created_at": 1552290414930,
+  "private_tweet": true,
+  "display_text_range": [0, 18],
+  "entities": {
+    "hashtags": [
+      {
+        "hashtag": "hi",
+        "indices": [15, 18]
+      }
+    ],
+    "urls": [],
+    "user_mentions": [
+      {
+        "indices": [6, 14],
+        "id_str": "783214",
+        "screen_name": "twitter"
+      }
+    ]
+  }
+}