pull down to refresh

encryption key is stored in plain text in a file called config.json.
The file is saved in a location accessible to any app, which makes the encryption ineffective.
Is this an actual problem? To my knowledge Apps can't access files from other apps. In iOS, MacOS, Linux I'm sure. On Android too, right? The individual apps folder env are protected, aren't they?
Media attachments, such as photos sent and received, are stored locally without encryption.
If you don't manage photo library access you're screwed anyways. That's on you.
It’s the desktop apps that are the issue. iOS and android perform proper sandboxing and I know macOS provides keychain APIs and the security model to provide pretty good sandboxing. It’s complex but they should’ve been using platform specific keychains for the desktop app. This is a rookie error.
reply
100 sats \ 1 reply \ @Zk2u 6 Jul 2024
So turns out electron (the tech that signal desktop is built on) has a safeStorage API that does exactly what I said. It uses the OS’s cryptography systems to store the keys to the db. Someone actually sent a PR implementing this but it seems to have been ignored. https://github.com/signalapp/Signal-Desktop/pull/6849
reply
Following up on this, yes macOS is generally the most secure option here. Windows’ keys use DPAPI, which protects keys from other users but not other apps, no different to Linux and what signal does here. macOS uses keychain which will stop apps from accessing other apps’ keychains even when on the same user. Generally Apple platform security is much higher than competitors and a much higher chance at fending off an attack than most systems
reply
Is this a Signal specific issue? Aren't there .ssh folders and config files with session tokens lying around everywhere on desktops?
reply
117 sats \ 1 reply \ @Zk2u 6 Jul 2024
Not a signal specific issue. This is true. I personally use secretive instead for things like ssh keys.
reply
Link for those interested. https://github.com/maxgoedjen/secretive
reply