search

signalapp / Signal-Android

A private messenger for Android.
https://signal.org
GNU Affero General Public License v3.0
25.46k stars 6.1k forks source link

Use keyboard incognito mode API #6985

Closed wesinator closed 6 years ago

wesinator commented 6 years ago

I have:

Bug description

The new keyboard "incognito" mode API should be used so that keyboards such as Gboard do not collect input data from messages typed in Signal.

Steps to reproduce

Actual result: Keyboard does not use "incognito" mode Expected result: Keyboard should be loaded with personalization disabled.

Device info

Device: Samsung Galaxy Android version: 6.0.1 Signal version: 4.9.9

Dyras commented 6 years ago

This disables the autocorrect feature, doesn't it? Should be optional then, if it's even included at all.

the4ndy commented 6 years ago

i think it most certainly should be included. the Gboard is essentially a key logger and to have that information leaking and going straight to google, whats the point of using a secure e2e messaging if all of everything you type is being leaked elsewhere without the same level of security your message was sent / stored with. But making it optional seems like a good plan. It is basically the same as the anti-screenshot feature, it prevents other apps and such from hooking into potentially dangers API calls from the system, like reading / recording the screen, or keystroke recording / logging

bitmold commented 6 years ago

The incognito flag is only set when you are typing in a ComposeText, in other places within the application, such as the search bar on the main conversation screen, the flag will not be set.

I think the preference should be read and respected at every point within the application where the keyboard is used. As the preference is currently phrased within the app, it is not clear to users that incognito mode is only used in some places which could cause a user to leak information to their keyboard that they were not expecting to. I could see a user sending a message (in incognito), and then later searching for that message (not in incognito) which would result in a leak to the ~keylogger~ keyboard.

Granted, IME authors can always ignore/disrespect this flag, but I think that Signal should at least be consistent in setting it.

I'd be happy to work on generalizing this preference across all the app's EditTexts.

valioDOTch commented 3 years ago

@bitmold Can you tell us to what extent this is still an issue? I don't think I'll be able to help out personally, but I would certainly be willing to organize bounty money.

Le1b1 commented 3 years ago

@bitmold Can you tell us to what extent this is still an issue? I don't think I'll be able to help out personally, but I would certainly be willing to organize bounty money.

It's not, there is a option in the settings.

valioDOTch commented 3 years ago

@Le1b1 I am sorry, but your comment is not very helpful. Have you actually read the comment by @bitmold?

It says that (at least back in March 2018) the IME settings were not applied to all keyboards throughout the app.

It has to be verified whether this is a security issue. It doesn't matter whether there is a UI element in the options screen from a security perspective. You have to analyze the whole code systematically, looking for all keyboard input scenarious and verifying that the keyboard used therein actually adheres to said switch-button in the options.

antont commented 3 years ago

@valioDOTch

verifying that the keyboard used therein actually adheres to said switch-button in the options.

Have been learning about this during the past few days, and have understood that 3rd party keyboards can just ignore the request, if they are spyware for example.

I realize that this is a different topic than what you described, though, it seems you mean bugs in Signal itself which would not even apply the flag from that side. Didn't look into that. I can try if you think there are issues.

Anyway this open pull request about that other issue is related: https://github.com/signalapp/Signal-Android/pull/10729

It proposes to change the settings info text to:

<string name="preferences__request_keyboard_to_disable_personalized_learning">Request that the keyboard disable personalized learning. The keyboard does not have to respect this setting and may send data to a third party.</string>

I'm now trying to figure out whether Android could fix this on the OS level, for example by enforcing that the keyboard can not do any networking. Not a quick fix for sure, but for the long run. Also plan to check whether iOS already does that, saw it mentioned that it would. Just doing this as a hobby, volunteering to help a bit on free time.