Why DigiBoxx, Why?

Disclaimer: The views in this article are purely my personal opinions. It has nothing to do with endorsement or brand defamation. I encourage the dev community to take a look at this, and correct me if I’ve misunderstood any aspect of it.

What is DigiBoxx?


DigiBoxx is an Indian asset management and cloud storage provider. It was launched in December 2020 amid the huge wave of “Atmanirbhar Bharat” within the nation. The movement targets the ever-growing dependence of Indians on foreign service providers for almost all their needs. DigiBoxx came as an Indian tech startup in the cloud sector. It claims to be a one-of-its-kind indigenous SaaS provider with data security and data localisation as its main priorities. This company was brought out in public by Amitabh Kant, CEO of NITI Aayog, with a very optimistic note for the future.

Is it a necessity?

In the cloud space, we have with us numerous service providers catering to all personal and business needs at the moment. But when we look at the Indian landscape, it hurts to find not even a single cloud storage provider. For an emerging economy like India, and to handle the fastest-happening digital transformation, an Indian cloud solution becomes a necessity. Also, the recent data privacy threats coming in from China and other countries have escalated the need even further for data localisation and security-focused cloud service providers.

Alternatives to DigiBoxx

DigiBoxx is just in its nascent phase, and has miles to go. Obviously it has very tough competition from AWS S3, Dropbox, Google Drive, etc. But it adds a sense of nationalism when using an Indian product. So yes, there are significant competitors out there, but it surely could give tight competition.

My reviews 📑

DigiBoxx is good for a start. Definitely not close to the already established service providers in this sector, and it has great room for improvement, but a fairly prominent stand in the long run.

UI/UX: 3/5

The User Interface is simple and sweet. But the User Experience is poor.

DigiBoxx mobile app login screen

Hey, it’s so obvious: one has to be the username and the other has to be the registered email.

In contrast to the labels, the first textbox requires the username and the second one requires your email 😆

After uploading files, on some pages the options don’t work. You simply get tired of clicking the button, until noon.

Unresponsive buttons on DigiBoxx web

File Sharing: 3/5

Once you have your file in your boxx, it becomes fairly easy to share with people. You give it the required public-access permission and it is ready to be shared. The cool feature which I personally liked is that it allows you to share files with those who don’t even have a DigiBoxx account. You simply put in their email, and it will notify them about the shared file via email. Though the other person ultimately has to create an account to view the file.

Business Friendly: 2/5

From a developer’s perspective, the very first thing you look for in a system is its APIs and its documentation. But DigiBoxx has no such provision for this. Considering this is still evolving, what about the company claiming to be very feasible for small businesses? Does it expect businesses and their engineers to upload each file manually?

I hope it shows up with a great API package in the next versions.

Note: For now, DigiBoxx is definitely not ready to go beyond the personal level. Neither is DigiBoxx ready, nor would businesses be flexible with it.

Security: 1/5

Being more into the engineering aspect, I doubted the security aspects of the files I store in my box. And that wasn’t impressive. As far as I’ve analysed, upon uploading a file, there are two links available to you.

  1. For sharing with people. (app.digiboxx.com/…)
  2. In the web content, which can be extracted very easily (prod.store.digiboxx.com/…)

Though the first link strictly follows the public/private access policies, the second link is above all these boundaries. No matter what access rules you’ve set for a file, if you have the second link, you can access it from anywhere, anytime. I don’t know whether this design pattern is intentional or is a loophole, but this is very severe.

Security Issue 1

Also, upon further recon, I found out that DigiBoxx internally uses “MinIO” for its file storage. Link

“MinIO’s high performance, Kubernetes-native object storage suite is built for the demands of the hybrid cloud. Software-defined, it delivers a consistent experience across every Kubernetes environment.”

I learnt that MinIO was an open-source software solution, under Apache Licence v3. So the DigiBoxx dev team can modify it, and implement best security practices within the k8s cluster. That’s great!

But what came to me as a surprise was this:

Security Issue 2

This is a direct login console of one of their k8s nodes. Though this still requires a valid access key and secret key, it provides a great attack surface for malicious actors. One could easily brute-force these keys, and within hours (at max) the entire node along with its data will be compromised. A better approach would be to restrict access to the login screen in the first place.

My concerns 😯

Apart from the issues I personally faced while using the service, what actually concerns me is:

“Whether it truly is Indian?”

The second link, which can be extracted from the web page, is:

https://prod.store.digiboxx.com:9000/e32ebd3f4ded451c/Temp/Screenshot_20210126-141128_FAU-G.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=aazxcdklmnghfg%2F20210128%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210128T144735Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=721ff4df0b3f688a862f5926bf1239daa3d55303a34d51704b2dbf0b40cd1a14

(you can click on the link; it is a screenshot of the FAU-G game I tried recently)

If you look closely at this, you can very well find well-known words like “us-east-1”, “aws4_request”, etc. In fact, on deep-diving into this, I found out that this is an AWS service for signing API requests. More technically,

“When you send HTTP requests to AWS, you sign the requests so that AWS can identify who sent them. You sign requests with your AWS access key, which consists of an access key ID and secret access key. Some requests do not need to be signed, such as anonymous requests to Amazon Simple Storage Service (Amazon S3) and some API operations in AWS Security Token Service (AWS STS).”

Link to AWS documentation.

I may be completely wrong in this, but it appears to me that the assets with DigiBoxx use AWS services. It may be simply for authentication, or for the entire storage. So it is as if our data is again in AWS data centers. More than the fact that it uses AWS, the data rests in the “us-east-1” data center, which means the data will comply with the data policies of that country. Back to square one? Honestly, I want to be proved wrong here. Because, if it turns out to be true, the existence of DigiBoxx hardly matters. And what about “Atmanirbhar Bharat”?
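As an added illustration (not code from this post, nor from DigiBoxx or MinIO), the Python below decodes the SigV4 query parameters of a presigned URL of the shape quoted above and works out the window during which an S3-style object store will honour it; the host, bucket id, access key id and signature in the sample are constructed placeholders. It makes concrete the point raised in the Security section: the store checks only the signature and the expiry window, so a sharing permission changed in the application after the link was minted is never consulted.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Longest lifetime SigV4 permits for a presigned URL: 7 days.
MAX_PRESIGN_SECONDS = 7 * 24 * 3600

# Constructed sample modelled on the URL shape quoted in the post; host, bucket
# id, access key id and signature are placeholders, not values from the page.
SAMPLE_URL = (
    "https://store.example.test:9000/0123456789abcdef/Temp/shot.png"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAPLACEHOLDER%2F20210128%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20210128T144735Z&X-Amz-Expires=604800"
    "&X-Amz-SignedHeaders=host&X-Amz-Signature=" + "0" * 64
)


def inspect_presigned_url(url: str) -> dict:
    """Decode the SigV4 query string of a presigned S3-style URL.

    Returns who minted the link (access key id and credential scope), when it
    was minted, how long it lives and the instant after which the object store
    will reject it.
    """
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if q.get("X-Amz-Algorithm") != "AWS4-HMAC-SHA256":
        raise ValueError("not a SigV4 presigned URL")
    # parse_qs already percent-decodes, so the credential scope splits on '/'.
    access_key, _date, region, service, _term = q["X-Amz-Credential"].split("/")
    minted = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
    minted = minted.replace(tzinfo=timezone.utc)
    lifetime = timedelta(seconds=int(q["X-Amz-Expires"]))
    return {
        "host": parts.netloc,
        "object_key": parts.path.lstrip("/"),
        "access_key_id": access_key,
        "region": region,
        "service": service,
        "minted_at": minted,
        "lifetime": lifetime,
        "expires_at": minted + lifetime,
        "max_lifetime": lifetime.total_seconds() >= MAX_PRESIGN_SECONDS,
        "signed_headers": q["X-Amz-SignedHeaders"].split(";"),
    }


def store_would_serve(info: dict, now: datetime) -> bool:
    """What the object store checks: the signature (assumed valid here) and the
    expiry window. The application's own sharing ACL is never consulted, which
    is why such a link keeps working after access is revoked in the app."""
    return info["minted_at"] <= now < info["expires_at"]
```

Note that S3-compatible servers such as MinIO use the same AWS4-HMAC-SHA256 scheme and default to the region name us-east-1, so these parameters on their own do not establish which provider or country hosts the object. An X-Amz-Expires of 604800 seconds, as in the quoted link, is the maximum lifetime SigV4 allows, seven days.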

Is it another “Freedom 251” smartphone?

Conclusion

Though the necessity of an indigenous player is significant in this domain, companies should not rush into things just to exist. Companies should instead focus on security and on quality services and features.

I would reiterate that all the views and opinions are totally mine and should be taken as a positive push for the tech company to further strengthen its services as well as expand its scope in these domains. This was not to defame or harm the company’s motives by any means. I encourage the dev team at DigiBoxx to take this opportunity to improve, and if I’ve failed to understand things, I express my sincere apologies. Please find time to correct me.

Thanks for reading! 😃

Reach out to me on Twitter ✉️

In love with open-source ❤️