GrapheneOS / os-issue-tracker

Issue tracker for GrapheneOS Android Open Source Project hardening work. Standalone projects like Auditor, AttestationServer and hardened_malloc have their own dedicated trackers.
https://grapheneos.org/

Ability to prevent screenshots in the Messaging app #646

Closed yodaforces closed 3 years ago

yodaforces commented 3 years ago

It should be possible to add a toggle button to "prevent screenshots" in the Messaging app for somewhat screen security. I think this fits well in a privacy and security focused project like GrapheneOS or even AOSP.

Molly/Signal/Element + some VPN and banking apps have this already.

Could be set with the Window flag. https://developer.android.com/reference/android/view/WindowManager.LayoutParams.html#FLAG_SECURE
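The toggle requested in this comment could be wired up roughly as follows. This is an added example, not part of the original comment and not code from the AOSP Messaging app; the class name `ScreenshotGuardActivity`, the preference file `privacy_settings` and the key `block_screenshots` are hypothetical.

```java
// Added example: hypothetical base Activity, not code from the AOSP Messaging app.
import android.app.Activity;
import android.content.SharedPreferences;
import android.os.Bundle;
import android.view.WindowManager;

public abstract class ScreenshotGuardActivity extends Activity {
    // Hypothetical preference file and key, chosen for this example.
    private static final String PREFS = "privacy_settings";
    private static final String KEY_BLOCK_SCREENSHOTS = "block_screenshots";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Apply before the subclass calls setContentView() so the first frame is covered.
        applySecureFlag();
    }

    @Override
    protected void onResume() {
        super.onResume();
        // Re-read the toggle so a change made in a settings screen takes effect on return.
        applySecureFlag();
    }

    private void applySecureFlag() {
        SharedPreferences prefs = getSharedPreferences(PREFS, MODE_PRIVATE);
        // Opt-in by default (an assumption of this example).
        boolean block = prefs.getBoolean(KEY_BLOCK_SCREENSHOTS, false);
        if (block) {
            // Window content is treated as secure: excluded from screenshots
            // and from non-secure displays.
            getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE);
        } else {
            getWindow().clearFlags(WindowManager.LayoutParams.FLAG_SECURE);
        }
    }
}
```

The flag is set per window, so dialogs and popups that create their own windows are not covered by the activity's flag and need it applied separately.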

thestinger commented 3 years ago

Don't plan to implement this. We're not going to be adding anything fancy to the Messaging app and want to discourage people from using insecure carrier-based calls/texts which aren't private.

yodaforces commented 3 years ago

Well, unfortunately insecure carrier-based calls/texts aren't going away over a day/night (maybe in the perfect world) and GrapheneOS ships with the Messaging app so why not tighten up the security in it, then (or remove it totally)?

thestinger commented 3 years ago

I don't see how this tightens up security. You're treating this as something that it isn't.

thestinger commented 3 years ago

Preventing screenshots in a bunch of arbitrary places doesn't interest us.

ghost commented 3 years ago

@yodaforces This feature doesn't make it any more secure than if it wasn't added. SMS simply cannot be made secure. Preventing screenshots does nothing to improve its security or privacy.

yodaforces commented 3 years ago

> @yodaforces This feature doesn't make it any more secure than if it wasn't added. SMS simply cannot be made secure. Preventing screenshots does nothing to improve its security or privacy.

Thank you for clarifying that the SMS protocol is insecure. However it will still make the SMS client app safer (believe it or not) because it prevents screen data from being leaked to other apps. And SMS could be of sensitive nature too even if the SMS protocol is insecure, or not? At least we are just humans.

yodaforces commented 3 years ago

> Preventing screenshots in a bunch of arbitrary places doesn't interest us.

Agree, the Auditor app doesn't really need it.

In Vanadium, I had forgotten that this is already the case in the incognito tab, so it can easily be achieved, but then we forget about the human factor here, which in fact is not GrapheneOS's problem. (Tor browser uses this, btw)

Regarding PDF Viewer I still think this should be at least optional.

ghost commented 3 years ago

@yodaforces

> However it will still make the SMS client app safer (believe it or not) because it prevents screen data from being leaked to other apps. And SMS could be of sensitive nature too even if the SMS protocol is insecure, or not?

The goal is not to implement security theatre features and mislead people into believing SMS is secure just because we're implementing more secure features for it. Misleading people into harmful beliefs completely ruins the purpose of this OS despite what it offers.

Implementing security features for a fundamentally insecure protocol will just mislead people and it still does not improve the security of SMS itself. There are far easier methods to obtain private information from an insecure protocol like SMS instead of trying to find a bypass to arbitrary screenshot blocking.

yodaforces commented 3 years ago

It is all about attack surface reduction. If an OS ships with a default SMS app on a mobile device, then people gonna use it in some way or another (remember: "in the perfect world")?

I never mentioned the SMS protocol is secure, so we could end this discussion about this now.

I recommend you to read the section "General hardening recommendations for Android app (Info)" here: https://cure53.de/pentest-report_mullvad_2020_v2.pdf

tl;dr: "As such the flags described below should be considered as defense-in-depth mechanisms."