TokTok / c-toxcore

The future of online communications.
https://tox.chat
GNU General Public License v3.0

Is this new application safe & trusted? #1319

Closed Nokia808 closed 5 years ago

Nokia808 commented 5 years ago

Hi. I'm sorry if this is not a suitable site to post about this, but I did not find another better place.

Dear, currently Tox has a problem regarding support for Android. Antidote seems to be a dead application now. The last release was 3 years ago & the Antidote currently available in Google Play is very buggy... This is a great shortage!

Recently I discovered a new application for Android called Tok for Android - see:

https://www.tok.life/ https://github.com/InsightIM

But I'm suspicious about its safety & trust because:

1) you did not mention it on your official page: https://tox.chat/clients.html

2) it uses Tor by default & does not allow its optional use. It seems that it uses a built-in Tor! I'm not sure if this is okay or not. Maybe I'm wrong on this point?

3) there is something in their "Privacy policy" which caught my attention & made me post this issue. It says: "Exceptions you have to know: In some situations Tok can't establish a direct, peer-to-peer, connection with the recepients (e.g.restrictive NATs, TCP mode, HTTP or SOCKS5 proxy), in which cases Tok uses a relay node or proxy. Note that the relay node or proxy can't decrypt contents of messages and audio/video calls, as they are not the intended recepient of those." Is this - using a proxy in certain cases without letting the user agree or not before doing so - in the spirit of Tox?? The problem is that they do not make this optional, so the user cannot decide to disable this behaviour...

4) they forked you!! They forked c-toxcore itself!! See: https://github.com/InsightIM/c-toxcore

Please can you help by giving your kind opinion about this new application? Can you verify the safety & trust of this new application? I'm not a programmer & cannot understand their code...

zoff99 commented 5 years ago

our official android client is now TRIfA (it's on f-droid)

Nokia808 commented 5 years ago

@zoff99 My question is about "Tok-Android", not TRIfA. TRIfA is very buggy & practically useless. I examined it; it does not notify the user if someone rings on it! It does not allow importing a Tox ID! ... It seems that it will remain so & will not evolve into a mature application. I tested Tok-Android & it notifies me when someone sends me an IM or a voice message or an image... Currently Tok-Android has no audio/video chat, but it seems that when they add that feature it will work well also. I'm concerned about its safety & trust due to the points that I already mentioned...

Please can you examine the code of Tok-Android & verify whether it is safe & trusted or not?

robinlinden commented 5 years ago

  1. The clients listed on tox.chat are the clients that existed before the TCS and the ones that follow it.
  2. There is no official client.
  3. TRIfA also uses a fork of Toxcore that (to my knowledge) no one has reviewed.
  4. Even if someone were to review Tok-Android's source, there are no guarantees about it being safe. Especially since they've pushed new releases to the Google Play store without pushing any new code to their repository.

zoff99 commented 5 years ago

@robinlinden actually toxcore used in TRIfA is reviewed. Tok-Android also uses a forked toxcore.

GrayHatter commented 5 years ago

@zoff99 your fork of toxcore has not been publicly reviewed by a known and trusted security org. Don't make things up!

@Nokia808 I used to be a toxcore developer. I'd NEVER install Tok. From the very little I know about it, I don't trust the developers who created it. I don't believe it's secure. And, I have reason to think it may be created by a lazy TLA.

zugz commented 5 years ago

To clarify in case of any confusion, no version of toxcore has undergone an independent security review.

Regarding relays: this sounds like it is describing a long-standing feature of toxcore, in which encrypted traffic is relayed over TCP via certain volunteer nodes in the tox network when a direct UDP connection can't be made.
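To make the relay property described above concrete: the relay only carries bytes that are already end-to-end encrypted between the two peers, so it can neither read nor silently alter them. The following is an added illustration, not code from c-toxcore or from any Tox client; it uses X25519 plus AES-256-GCM from the Go standard library as a stand-in for Tox's NaCl crypto_box construction, a SHA-256 hash as a simplified key derivation (an assumption made for brevity), and a hypothetical in-memory Relay type in place of a real TCP relay node.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Peer is a hypothetical stand-in for a Tox peer: one long-term X25519 key pair.
type Peer struct{ priv *ecdh.PrivateKey }

func NewPeer() (*Peer, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Peer{priv: priv}, nil
}

// Public returns the key a peer publishes (for Tox this is part of the Tox ID).
func (p *Peer) Public() *ecdh.PublicKey { return p.priv.PublicKey() }

// SessionKey derives a symmetric key from the X25519 shared secret. The relay
// never takes part in this step, so it never learns the key.
func (p *Peer) SessionKey(remote *ecdh.PublicKey) ([]byte, error) {
	shared, err := p.priv.ECDH(remote)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared) // simplified KDF for this example (assumption, not Tox's)
	return k[:], nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates msg; the packet layout is nonce || ciphertext+tag.
func Seal(key, msg []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, msg, nil), nil
}

// Open verifies the tag and decrypts a packet produced by Seal; any modification fails.
func Open(key, packet []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(packet) < gcm.NonceSize() {
		return nil, errors.New("packet too short")
	}
	return gcm.Open(nil, packet[:gcm.NonceSize()], packet[gcm.NonceSize():], nil)
}

// Relay models a volunteer TCP relay node (hypothetical): it forwards bytes it
// cannot interpret and keeps a copy of everything, as a malicious relay might.
type Relay struct{ Log [][]byte }

func (r *Relay) Forward(packet []byte) []byte {
	cp := append([]byte(nil), packet...)
	r.Log = append(r.Log, cp)
	return cp
}

// Leaked reports whether any forwarded packet contains the plaintext verbatim.
func (r *Relay) Leaked(plaintext []byte) bool {
	for _, p := range r.Log {
		if bytes.Contains(p, plaintext) {
			return true
		}
	}
	return false
}

// RelayExchange sends one message from Alice to Bob through the relay, then has
// the relay attempt to alter a copy. It returns what Bob decrypted, whether the
// relay's log holds the plaintext, and whether the altered copy was rejected.
func RelayExchange(msg string) (string, bool, bool, error) {
	alice, err := NewPeer()
	if err != nil {
		return "", false, false, err
	}
	bob, err := NewPeer()
	if err != nil {
		return "", false, false, err
	}
	kA, err := alice.SessionKey(bob.Public())
	if err != nil {
		return "", false, false, err
	}
	kB, err := bob.SessionKey(alice.Public())
	if err != nil {
		return "", false, false, err
	}
	relay := &Relay{}
	packet, err := Seal(kA, []byte(msg))
	if err != nil {
		return "", false, false, err
	}
	delivered := relay.Forward(packet)
	pt, err := Open(kB, delivered)
	if err != nil {
		return "", false, false, err
	}
	tampered := append([]byte(nil), delivered...)
	tampered[len(tampered)-1] ^= 0x01 // relay flips one bit of the tag
	_, tamperErr := Open(kB, tampered)
	return string(pt), relay.Leaked([]byte(msg)), tamperErr != nil, nil
}

func main() {
	rec, leaked, rejected, err := RelayExchange("hello over the relay")
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered=%q relay_saw_plaintext=%v tamper_rejected=%v\n", rec, leaked, rejected)
}
```

What the relay does learn, and what no amount of encryption hides from it, is traffic metadata: which peers connect to it, when, and how much they send. That is the part of the Tok privacy-policy quote worth weighing, since a relay run by an untrusted party sees the same metadata as any Tox relay would.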

JFreegman commented 5 years ago

@zoff99

our official android client is now TRIfA (it's on f-droid)

Who is "our" in this sentence?

Edit: After looking at the fork of toxcore that TRIfA uses, which is maintained by one person and has no oversight by the community, I would highly recommend against anyone using it. The same goes for Tok. I personally wouldn't trust anything that isn't using toktok/c-toxcore.

soyflourbread commented 5 years ago

My two cents of thought:

Tok's developers have forked c-toxcore at InsightIM/c-toxcore. However, the fork's source does not correspond to that included in Tok-iOS (and apparently Tok-Android).

Tok-Android's source code is not completely open. It does not contain the source code of its fork of c-toxcore, thus violating c-toxcore's GPLv3. Tok-Android's version string is "1.0.0" in the source code; however, the Play Store version is already 1.1.2.

Tok-iOS includes a copy of modified c-toxcore source code. After further investigation, it is based on TokTok/c-toxcore@a5cd4764aa3e5f8f0ba18d8348f5995d255f6c00. This commit is already more than 8 months old and might contain security issues.

Tok-iOS's developers have added "group" and "offline message" functionalities to c-toxcore. After reviewing the c-toxcore included in Tok-iOS, these additional functions are all based on a centralized "group bot" and "offline message bot". Since these bots are not part of Tox's protocol, these changes are probably incompatible with other Tox clients. Centralized bots are a single point of failure and do not meet Tox's goal of decentralization. They also reduce anonymity and increase the risk of leaking IP addresses, personal data, etc.

Personally, I find the code quality of the modified c-toxcore in Tok-iOS is not good. :)

These are the issues I can find currently.

soyflourbread commented 5 years ago

TL;DR I also highly recommend against the use of Tok-Android or Tok-iOS.

Nokia808 commented 5 years ago

I would like to say thank you very much to all who replied to me in this issue! Special thanks to the core developers & those who spent time reading Tok-Android & Tok-iOS!

I uninstalled Tok-Android from my mobile & my wife's mobile & deleted & wiped all Tok-Android data from our devices...

Only one critic: instead of starting a new Android Tox application from scratch, why did the developer of TRIfA not fork Antidote & continue its development?!! It would have been much better for him & for us if he had taken over the development of the already-built Antidote instead of wasting time & effort building a new application which is far from reaching the level of Antidote (which is currently so buggy)...

iphydf commented 5 years ago

Just to reply to the last "critic" part, for posterity: Antidote is an iOS application. It does not run on Android. This is why TRIfA was made. Antox is an Android application which could have been forked, but its codebase was so bad that a rewrite made more sense, cost/benefit-wise.