this post was submitted on 06 Jul 2024
483 points (94.5% liked)

Privacy

31991 readers
454 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] x1gma@lemmy.world 87 points 4 months ago* (last edited 4 months ago) (20 children)

How in the fuck are people actually defending signal for this, and with stupid arguments such as windows is compromised out of the box?

You. Don't. Store. Secrets. In. Plaintext.

There is no circumstance where an app should store its secrets in plaintext, and there is no secret which should be stored in plaintext. Especially since this is not some random dudes random project, but a messenger claiming to be secure.

Edit: "If you got malware then this is a problem anyway and not only for signal" - no, because if secure means to store secrets are used, than they are encrypted or not easily accessible to the malware, and require way more resources to obtain. In this case, someone would only need to start a process on your machine. No further exploits, no malicious signatures, no privilege escalations.

"you need device access to exploit this" - There is no exploiting, just reading a file.

[–] refalo@programming.dev 13 points 4 months ago* (last edited 4 months ago) (4 children)

How in the fuck are people actually defending signal for this

Probably because Android (at least) already uses file-based encryption, and the files stored by apps are not readable by other apps anyways.

And if people had to type in a password every time they started the app, they just wouldn't use it.

[–] Liz@midwest.social 21 points 4 months ago (1 children)

Popular encrypted messaging app Signal is facing criticism over a security issue in its desktop application.

Emphasis mine.

[–] ChapulinColorado@lemmy.world 12 points 4 months ago (1 children)

I think the point is the developers might have just migrated the code without adjustments since that is how it was implemented before. Similar to how PC game ports sometimes run like shit since they are a close 1-1 of the original which is not always the most optimized or ideal, but the quickest to output.

[–] x1gma@lemmy.world 6 points 4 months ago

Been a few days since using electron, but AFAIK electron can't be used as a wrapper for android apps, or can it? Or is their android app a web app wrapped into a "native" android app too?

Also, since this seems to be an issue since 2018, 6 years should be plenty to rewrite using a native secure storage...

load more comments (2 replies)
load more comments (17 replies)