Privacy implications for Bisq mobile #16
HenrikJannsen
started this conversation in
General
The privacy implications of Bisq mobile users depend primarily on the model:
Furthermore, there are implications if the user opts in to use mobile notifications, and if so, which model. As that topic has been little discussed yet, we can postpone those implications or delegate them to the discussion dedicated to that topic.
Android full node over Tor
This mode is basically the same as the Bisq Desktop model. The only slight difference will be that the peer group size will probably be smaller (8-12 is the target size on desktop, maybe 3-5 on mobile). The privacy implications of that change are minimal (and we can leave it to the user to increase that size as well).
Android full node over clearnet
In this model the mobile user leaks its IP address to the clearnet (relay) nodes it is connected to (seed nodes, oracle nodes, Bisq provided dedicated relay nodes, anonymous relay nodes). Furthermore, the IP address is visible in the public network messages like offers or chat messages. As this address is not functional, because the mobile user is not accepting inbound connections, we could fake those IP addresses. This would only limit the exposure to the whole network, but not to the relay nodes.
As anyone could run a relay node, there could be malicious spies among them. We could reduce that risk by a whitelist which allows outbound connections only to Bisq provided nodes (or, even more strictly, only to bonded role nodes). Those nodes would still learn about the IP address, but the risk of abuse is mitigated by the bond.
Mailbox messages carry the key ID to optimize decryption process (to only try decrypting messages with a matching key ID).
The relay nodes will send all mailbox messages to the mobile node, thus they cannot know which one is addressed to it. Though after processing, the mailbox message gets deleted by a new message, and that time correlation could leak which mailbox message was addressed to the mobile node. As the data is encrypted it does not reveal much, but it could still be used for further correlations with blockchain data, or the message size could be used to guess which type of message it was.
This issue can be mitigated by adding a random delay for deleting a mailbox message. Furthermore we could add random data to make size-correlation attacks less effective.
Thin client (Android or iOS) connected to self-hosted node
As the full node is self-hosted, there are no privacy implications expected.
Thin client (Android or iOS) connected to node hosted by "Uncle Jim" (friend and family member)
The mobile user must trust the node provider, and as the model is intended for trusted relationships only, that should not be a concern.
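The two mitigations proposed in the post for the clearnet model (a random delay before deleting a processed mailbox message, and random data against size correlation), written out as an added Python example that is not Bisq code and not part of the original post. The bucket sizes, delay bounds, length-prefix framing and all function names are assumptions chosen for illustration.

```python
import secrets
import struct

# Assumed padded sizes in bytes (illustrative, not Bisq's wire format).
BUCKETS = (512, 1024, 2048, 4096, 8192)
_LEN = struct.Struct(">I")  # 4-byte big-endian length prefix


def pad_to_bucket(payload: bytes) -> bytes:
    """Pad plaintext to the next bucket size BEFORE encryption, so the
    ciphertext a relay node sees only reveals the bucket, not the length."""
    needed = _LEN.size + len(payload)
    for size in BUCKETS:
        if needed <= size:
            filler = secrets.token_bytes(size - needed)  # random data
            return _LEN.pack(len(payload)) + payload + filler
    raise ValueError("payload larger than the largest bucket")


def unpad(padded: bytes) -> bytes:
    """Recover the payload after decryption; reject malformed framing."""
    if len(padded) not in BUCKETS:
        raise ValueError("unexpected padded size")
    (length,) = _LEN.unpack_from(padded)
    if length > len(padded) - _LEN.size:
        raise ValueError("corrupt length prefix")
    return padded[_LEN.size:_LEN.size + length]


def removal_delay(min_s: int = 60, max_s: int = 6 * 3600) -> int:
    """Seconds to wait before broadcasting the message that deletes a
    processed mailbox message. Drawn from the CSPRNG so the gap between
    delivery and deletion is not predictable by a relay node."""
    if not 0 <= min_s <= max_s:
        raise ValueError("invalid delay bounds")
    return min_s + secrets.randbelow(max_s - min_s + 1)


def observable_sizes(messages) -> set:
    """What a size-correlating observer is left with: the set of buckets."""
    return {len(pad_to_bucket(m)) for m in messages}


if __name__ == "__main__":
    # Constructed sample payloads of different lengths.
    samples = [b"a" * 10, b"b" * 300, b"c" * 500, b"d" * 900]
    print("sizes seen on the wire:", sorted(observable_sizes(samples)))
    print("delete after (s):", removal_delay())
```

A wider delay window hides the deletion among more unrelated mailbox messages, at the cost of relay nodes storing processed messages for longer.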