118 sats \ 6 replies \ @zuspotirko 6 Jul \ on: Is Signal Messenger Compromised? security
Is this an actual problem? To my knowledge, apps can't access files from other apps. In iOS, macOS, Linux I'm sure. On Android too, right? The individual apps' folder envs are protected, aren't they?
If you don't manage photo library access you're screwed anyways. That's on you.
It’s the desktop apps that are the issue. iOS and Android perform proper sandboxing, and I know macOS provides keychain APIs and the security model to provide pretty good sandboxing. It’s complex, but they should’ve been using platform-specific keychains for the desktop app. This is a rookie error.
So it turns out Electron (the tech that Signal Desktop is built on) has a safeStorage API that does exactly what I said. It uses the OS’s cryptography systems to store the keys to the db. Someone actually sent a PR implementing this, but it seems to have been ignored. https://github.com/signalapp/Signal-Desktop/pull/6849
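Added example, not part of the thread and not code from Signal or the linked PR: a sketch of wrapping a database key with Electron's `safeStorage` methods (`isEncryptionAvailable`, `encryptString`, `decryptString`, and on Linux `getSelectedStorageBackend`), refusing to store the key when no OS secret store backs the encryption. The `safeStorage` object is passed in as a parameter so the block runs offline under Node; `makeFakeSafeStorage` and the `encryptedKey` field name are assumptions made for the example.

```javascript
const crypto = require('crypto');

// In an Electron main process, pass require('electron').safeStorage
// (after the app 'ready' event). Here it is injected so the code runs offline.
function wrapDbKey(safeStorage, platform = process.platform) {
  if (!safeStorage.isEncryptionAvailable()) {
    throw new Error('OS-backed encryption unavailable; refusing to store key');
  }
  // Linux only: 'basic_text' means no OS secret store was selected, so the
  // wrapped value is not meaningfully protected from other local software.
  if (platform === 'linux' &&
      safeStorage.getSelectedStorageBackend() === 'basic_text') {
    throw new Error('safeStorage fell back to basic_text; refusing to store key');
  }
  const dbKeyHex = crypto.randomBytes(32).toString('hex');
  const wrapped = safeStorage.encryptString(dbKeyHex); // returns a Buffer
  // Only the wrapped form goes to disk ("encryptedKey" is a hypothetical name).
  return { dbKeyHex, configEntry: { encryptedKey: wrapped.toString('base64') } };
}

function unwrapDbKey(safeStorage, configEntry) {
  const blob = Buffer.from(configEntry.encryptedKey, 'base64');
  return safeStorage.decryptString(blob);
}

// Constructed stand-in with the same method names, for offline runs only.
// It is NOT Electron's implementation; the key lives in process memory.
function makeFakeSafeStorage(backend = 'gnome_libsecret') {
  const k = crypto.randomBytes(32);
  return {
    isEncryptionAvailable: () => true,
    getSelectedStorageBackend: () => backend,
    encryptString(s) {
      const iv = crypto.randomBytes(12);
      const c = crypto.createCipheriv('aes-256-gcm', k, iv);
      const ct = Buffer.concat([c.update(s, 'utf8'), c.final()]);
      return Buffer.concat([iv, c.getAuthTag(), ct]);
    },
    decryptString(b) {
      const d = crypto.createDecipheriv('aes-256-gcm', k, b.subarray(0, 12));
      d.setAuthTag(b.subarray(12, 28));
      return Buffer.concat([d.update(b.subarray(28)), d.final()]).toString('utf8');
    },
  };
}
```

How much this buys depends on the platform's backing store, which is the point the thread goes on to discuss.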
Following up on this, yes, macOS is generally the most secure option here. Windows’ keys use DPAPI, which protects keys from other users but not other apps, no different to Linux and what Signal does here. macOS uses Keychain, which will stop apps from accessing other apps’ keychains even when on the same user. Generally, Apple platform security is much higher than competitors’ and has a much higher chance of fending off an attack than most systems.
Is this a Signal-specific issue? Aren't there .ssh folders and config files with session tokens lying around everywhere on desktops?