Summary:

• Signal’s desktop app stores encryption keys for chat history in plaintext, making them accessible to any process on the system
• Researchers were able to clone a user’s entire Signal session by copying the local storage directory, allowing them to access the chat history on a separate device
• This issue was previously highlighted in 2018, but Signal has not addressed it, stating that at-rest encryption is not something the desktop app currently provides
• Some argue this is not a major issue for the “average user”, as other apps also have similar security shortcomings, and users concerned about security should take more extreme measures
• However, others believe this is a significant security flaw that undermines Signal’s core promise of end-to-end encryption
• A pull request was made in April 2023 to implement Electron’s safeStorage API to address this problem, but there has been no follow-up from Signal

deleted by creator

Apps are typically removed from the IzzyOnDroid repository if they are later added to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they’re accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates.

Apps are typically removed from the IzzyOnDroid repository if they are later added to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they’re accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates.

deleted by creator

Android’s Messages, Dialer apps quietly sent text, call info to Google

Google’s Messages and Dialer apps for Android devices have been collecting and sending data to Google without specific notice and consent, and without offering the opportunity to opt-out, potentially in violation of Europe’s data protection law.

According to a research paper, “What Data Do The Google Dialer and Messages Apps On Android Send to Google?” [PDF], by Trinity College Dublin computer science professor Douglas Leith, Google Messages (for text messaging) and Google Dialer (for phone calls) have been sending data about user communications to the Google Play Services Clearcut logger service and to Google’s Firebase Analytics service.

“The data sent by Google Messages includes a hash of the message text, allowing linking of sender and receiver in a message exchange,” the paper says. “The data sent by Google Dialer includes the call time and duration, again allowing linking of the two handsets engaged in a phone call. Phone numbers are also sent to Google.”

The timing and duration of other user interactions with these apps has also been transmitted to Google. And Google offers no way to opt-out of this data collection.

One option is QKSMS

Another is Connect You

Fossify Messages (fork of Simple SMS Messenger) should be released on F-Droid sometime soon.

I’m not the writer of the article, but here’s an answer you can find on running a quick search.

According to this article from the Electronic Frontier Foundation (EFF):

What is 2G and why is it vulnerable?

2G is the second generation of mobile communications, created in 1991. It’s an old technology that at the time did not consider certain risk scenarios to protect its users. As years have gone, many vulnerabilities have been discovered in 2G and it’s companion SS7.

The primary problem with 2G stems from two facts. First, it uses weak encryption between the tower and device that can be cracked in real time by an attacker to intercept calls or text messages. In fact, the attacker can do this passively without ever transmitting a single packet. The second problem with 2G is that there is no authentication of the tower to the phone, which means that anyone can seamlessly impersonate a real 2G tower and your phone will never be the wiser.

Cell-site simulators sometimes work this way. They can exploit security flaws in 2G in order to intercept your communications. Even though many of the security flaws in 2G have been fixed in 4G, more advanced cell-site simulators can take advantage of remaining flaws to downgrade your connection to 2G, making your phone susceptible to the above attacks. This makes every user vulnerable—from journalists and activists to medical professionals, government officials, and law enforcement.

You make a valid point. As I’m not the writer of the article, perhaps it would be apt to convey your feedback to the writer.

The setting you’re mentioning i.e., Apple ID > Find My: Disable everything¹ has superscript i.e., ¹ attached to it. The superscript leads to the following note:

¹: Some people prefer to leave “Find My iPhone” enabled as it allows them to remotely wipe the device if it gets lost. However, due to enabling the “Erase Data” setting, I don’t believe this is necessary. If it makes you feel better or if you have a specific use case for it, you can leave this feature on, but “Share My Location” should still be disabled (unless you use need to use it often) as this feature will report your location back to Apple regularly.

I’m not the writer of the article, but I think that this note makes it clear that you can configure this setting according to your threat model.

The settings you’ve highlighted do improve device security against common threats, such as those posed by nosy people who find the device unattended, as I’ve mentioned in the post.