Passphrase support missing

[behrmann]

I have:

• [X] searched open and closed issues for duplicates
• [X] read https://github.com/signalapp/Signal-Android/wiki/Submitting-useful-bug-reports

---

Bug description

The support for securing Signal with a passphrase seems to have been removed.

Since the old Textsecure days I have been securing Signal with a passphrase, since my screen lock is rather short, since I want to be able to open my phone without typing a long passphrase. For Signal this has never been an issue, as I get messages only in short bursts during which Signal could stay unlocked while during longer pauses the app would be locked.

Today I had to reinstall Signal (because of the most recent linageos medling with the keystore) and found myself unable to set a passphrase for locking Signal. The only remaining option was to use my rather weak screen lock or use a fingerprint sensor, which I don't have.

It would be very kind if support for a separate passphrase could be retained.

Steps to reproduce

• Delete Signal application data that was previously secured with a passphrase
• Reregister to Signal
• Try to find passphrase option under Settings -> Privacy

Actual result: Fail to find passphrase option, find "Screen lock - Lock Signal access with Android screen lock or fingerprint" instead. Expected result: Be able to set a separate passphrase for Signal.

Device info

Device: Oneplus One Android version: 7.1.2 (current lineage-14.1-20180321-nightly-bacon) Signal version: 4.17.5

[johanw666]

Do you have an old (4.15) TI backup? Restoring that might work. Otherwise you would have to manually hack org.thoughtcrime.securesms_preferences.xml, I would guess that setting

<boolean name="pref_disable_passphrase" value="false" />

would help but I have to check the source if this is really sufficient.

[behrmann]

Yeah, I don't have that, since I run my phone unrooted and I actually do think, that there is value in having this option set for all users. If passphrases will not be reinstated, then I will have to change from a handy short unlock PIN to a moderate passphrase, but this will be a serious hassle, keeping me out of my phone on every unlock, so that my conversations are secure.

[Kamkata]

Thanks for not deleting the issue template. I have to say that sometimes i cannot follow moxies logic. Now that we moved to sqlcipher. He trades the phassphrase for a fingerprint and android login, wich he is considering removing. There is an interesting post in the unofficial forum about this.

https://whispersystems.discoursehosting.net/t/passphrase-encryption-only-for-message-contents/917/3

I think i understand moxies idea. if you want a strong Password, than set a strong pass for your phone and use the fingerprint to unlock the phone and the passphrase for signal. But in another issue he said that he may only leave fingerprint unlocking (https://github.com/signalapp/Signal-Android/issues/7480). To me this doesn't make sense. In case moxie you don't know, but a fingerprint is no password.

Cellphone fingerprint passcodes weren’t on James Madison’s mind when he authored the Fifth Amendment, a constitutional protection with roots in preventing torture by barring self-incriminating testimonials in court cases.

Yet those tiny skin ridges we all share were at the heart of a Virginia court case last week in which a judge ruled that police, who suspected there was incriminating evidence on a suspect’s smartphone, could legally force the man to unlock his device with its fingerprint scanner. While the Fifth Amendment protects defendants from revealing their numeric passcodes, which would be considered a self-incriminating testimonial, biometrics like fingerprint scans fall outside the law’s scope.

The three basic rules for password security are:

1. Never write your password down. Someone might find your note.
2. Never use the same password for different services. Otherwise you give the operators of one service access to the other.
3. Change your password when it gets compromised.

Fingerprints violate all of these rules. You leave them (write them down) whenever and touch a smooth surface. You only have ten fingers, so you’ll end up reusing your credentials for different services.

So after switching to sqlcipher for a even better encryption for data at rest, wich i assume includes the metadata as well (like timestamps, sender and devicde id) now he weakens the security of this by letting us only use fingerprints? If i didn't know he is a master in what he does, i would get serious doubts about him after i see such decisions.

Hope this won't get closed with pointing to the discussion forum. Haha at least he can't tell you not to delete the issue template.

[sigenc]

hey, i'm the one who posted this in the community forum. Lol i though maybe my post did influence him a bit to go for sqlcipher. But i didn't though, that he will take away the possibility to set an own passphrase. fuck

[moxie0]

It's just a screen lock. The point of a screen lock is that it can generally be short. Since all it is doing is preventing "online" access, it can rate limit through that interface. The only reason Signal had support for a passphrase in the past was because Android didn't support interfacing with the quick unlock stuff (swipe pattern, fingerprint, etc) and I didn't want to write all of that myself. Now that it does, the only reason I can think of to use a passphrase is if you wanted to protect access to Signal from someone who knows your Android screen lock.

However, the only reason I can think of to use the Signal screen lock at all is if you want to hand your phone to someone (kids, friends, etc) unlocked, but don't want those people to be able to access Signal.

[sigenc]

no my friend. one of the reasons to use a passphrase is forensic and police.

[behrmann]

Pre.S.: Onlookers to this thread, please refrain from commenting, just to voice your opinion, this is a bug report, not a forum. If you want to voice support or disagreement without additional insight, please use Github's buttons.

@moxie: Maybe I misunderstood, but I was under the impression, that Signal's data is encrypted in rest, i.e. no one with physical access to the phone can simply read the messages in cleartext. It is thus sensible the lock Signal in addition to a screen lock, since screen locks tend to be rather weak and short, as everything else would be a hassle, or need hardware, that not every phone has, like fingerprint scanners, because otherwise the in rest encryption would not make a difference.

If Signal's lock is the same as the screen lock, it is forced to be artifically weak or the whole usage of the phone becomes cumbersome. I think this does strike a wrong balance between usability and privacy, because in the worst case it impedes both.

And besides, being able to use a separate passphrase actually does allow me to hand my phone to my friends, for a short whie, to just quickly have a look at wikipedia without them being able to directly have a look at all my messages.

[moxie0]

The Signal screen lock is just that, a screen lock. It is not connected to any kind of data encryption, it is just a screen that someone holding your phone has to unlock to get past.

The data on disk is encrypted using a key that's stored in the Android system keystore, which is hardware backed on some devices (presumably most new devices). However, the sad truth is that if what you're really worried about is protecting your messages from someone with forensic physical access to your device, your best bet is to run Signal on an iPhone instead.

Is there something about locking Signal with a fingerprint or pattern that prevents you from handing your phone to a friend without them being able to look at all your messages?

[behrmann]

Thanks a lot for the clarification. I always thought the in rest encryption was tied to the lock. It is good to have this cleared up.

Well, fingerprints fall flat for me, since I am missing the hardware, and for PINs (at least somehwat short ones) and patterns I find, that they can be very easily seen, even by chance. I guess I could unlock most of my friends phones, since I have seen their unlock patterns multiple times just while standing around them. After this change I could potentially read their Signal messages as well. In the past this would not have been possible, at least for the ones that use passphrases, since a passphrase is, at least for me, quite a bit harder to overlook than a pattern or a pin.

[sigenc]

Hmm this is something i didn't know. I also always thougt that the in rest encryption was tied to the lock. lol my password was a pain in the ass to enter just for that. Uffff. why not locking the whole database with a self chosen password. This would prevent forensics if i'm not mistaken. If the pass is good enough. Damn if it is not secure against forensics i could have used a very simple pass. LOL it did cost me years of my life for sure to enter this damn thing. hahaha. Damn moxie you really shocked me right now. I don't know where i saw that post, but i think the whole world believes this pass is connected to the encryption. Damn..... under this circumstances we can use the weakest method to prevent someone to view our messages, I won't sleep this night for sure

[sigenc]

STOP!!!!

What does than this mean moxie: https://github.com/signalapp/Signal-Android/wiki/Using-Signal

Passphrase

You can choose to lock Signal and messages with a passphrase. Local security of your messages depends on the strength of this passphrase, so make it good. Signal can be configured to cache this passphrase in memory for as long as its running, or for a specific length of time, so you won't need to be constantly re-entering it in order to access or send messages. This passphrase cannot be recovered if it is lost.

Lost Passphrase

A lost passphrase cannot be recovered. To continue using Signal when a password has been lost the app must be uninstalled and reinstalled, and all messages will be lost.

This doesn't fit with what you said above. For me this is very confusing. I actually understand this as tied to the lock. So i and everybody else who did read this got misinformed?????????????

[sigenc]

I beg for an option that we can encrypt the data at rest with our own chosen pass. This is fundamental.

[moxie0]

I guess I could unlock most of my friends phones, since I have seen their unlock patterns multiple times just while standing around them.

You can configure Android to not display the "trail" as you swipe the pattern.

This would prevent forensics if i'm not mistaken. If the pass is good enough.

Probably not. It's in memory in many places, since there's no way to control that with the JVM. Also, password based encryption is not generally effective, particularly given the mobile form factor.

What does than this mean moxie: https://github.com/signalapp/Signal-Android/wiki/Using-Signal

Every official support page says otherwise, the feature itself is called a "screen lock," etc. All of these wiki pages are made by people here like yourself, I'll delete this one.

I beg for an option that we can encrypt the data at rest with our own chosen pass. This is fundamental.

Not only would that be ineffective, it's not really possible. A message arrives, but the database is "locked." What do we do? We could put it somewhere temporarily and notify the user, but what if the message is from someone who is blocked? There's no way to know that, because that information is... in the database. etc etc.

In any case, I'm going to lock this issue now in favor of discussion on the forum.