this post was submitted on 19 Nov 2023
194 points (97.1% liked)

[–] [email protected] 51 points 10 months ago (2 children)

It's bizarre that Sunbird touted their solution as end-to-end encrypted, when it can't be - iMessage drops to plaintext on the Mac farm.

[–] [email protected] 15 points 10 months ago (6 children)

Well, not sure about Sunbird. Beeper advertises this also but it's not entirely untrue. It's E2EE from the sender to your Beeper server, where it's decrypted, then re-encrypted as a Matrix message. But it's all open source so you can see what's going on.

You can get around this vulnerability by hosting your own Beeper server.

[–] [email protected] 40 points 10 months ago (2 children)

While it's a good solution, it is entirely untrue. A message is either End to End Encrypted or it is not. If the message is decrypted at any point between the sender and the intended recipient, it is definitively not End to End Encrypted.

[–] [email protected] 24 points 10 months ago

E2EE means it's End-to-End Encrypted. If it's decrypted at any point during transit then it's by definition not E2EE and Beeper shouldn't be making that claim.

[–] [email protected] 20 points 10 months ago* (last edited 9 months ago) (1 children)

[This comment has been deleted by an automated system]

[–] [email protected] 1 points 10 months ago (1 children)

Now you're back to "all of my messages can be stolen if a server gets hacked" again

Except you're not because your decrypted messages aren't stored anywhere.

[–] [email protected] 2 points 10 months ago* (last edited 9 months ago) (1 children)

[This comment has been deleted by an automated system]

[–] [email protected] 0 points 10 months ago

Good points all around

[–] [email protected] 9 points 10 months ago* (last edited 10 months ago) (1 children)

> It's E2EE from the sender to your Beeper server, where it's decrypted, then re-encrypted as a Matrix message.

Then it's not E2E encrypted.

One end is your device, the other end is the other device. It's only E2E encrypted if it is not decrypted until it reaches the other device.

[–] [email protected] -5 points 10 months ago (1 children)
[–] [email protected] 7 points 10 months ago (1 children)

Sticking two E2EE tunnels together with a plaintext middleman doesn't result in a single E2EE tunnel.

The reason the distinction is important is because the security profile is vastly different—a compromised server leads to a compromised message—which isn't true for actual E2EE services like a pure Matrix link.

Side note: the first thing you should ask of an "end-to-end encrypted" product to you is "which 'ends' do you mean?" I've seen TLS advertised as E2EE before.

[–] [email protected] 1 points 10 months ago* (last edited 10 months ago)

Adding: TLS is actually a pretty apt analogy here.

You could make a chat server that just accepts plain text messages over a TLS link, and that's basically the same security topology as with this Beeper bridge.

But no one would call that an E2EE chat.
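The two topologies compared in the comments above, as an added example that is not part of the thread or of any Beeper or Matrix code: a relay that decrypts and re-encrypts versus a relay that only forwards ciphertext. The `seal`/`open_` cipher is a toy built from SHA-256 and HMAC for illustration, the `Relay` class and key names are hypothetical, and keys are assumed to be already shared between the right parties.

```python
import hashlib, hmac, os

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, msg):
    """Toy encrypt-then-MAC (illustration only, not a real cipher)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, nonce, len(msg))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_(key, blob):
    """Return the plaintext, or None if this key does not authenticate the blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Relay:
    """Server in the middle; `keys` is whatever key material it holds."""
    def __init__(self, keys=()):
        self.keys = list(keys)
        self.seen_plaintext = []  # what someone who compromises the server obtains

    def forward(self, blob, out_key=None):
        for k in self.keys:
            pt = open_(k, blob)
            if pt is not None:
                self.seen_plaintext.append(pt)
                return seal(out_key, pt)  # bridge: decrypt, then re-encrypt
        return blob                       # no usable key: opaque pass-through

def bridged(msg):
    # Two separate encrypted hops joined at the relay, which holds the inbound key.
    k_in, k_out = os.urandom(32), os.urandom(32)
    relay = Relay(keys=[k_in])
    delivered = open_(k_out, relay.forward(seal(k_in, msg), out_key=k_out))
    return delivered, relay.seen_plaintext

def end_to_end(msg):
    # One key shared only by the two devices; the relay never holds it.
    k = os.urandom(32)
    relay = Relay()
    delivered = open_(k, relay.forward(seal(k, msg)))
    return delivered, relay.seen_plaintext
```

Both functions deliver the message intact; only `bridged` leaves a copy of the plaintext in the relay's view.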

[–] [email protected] 2 points 10 months ago* (last edited 10 months ago) (1 children)

How does one host their own beeper server?

Edit: found it

[–] [email protected] 9 points 10 months ago

As someone who works in the tech industry, this is not surprising to me at all. Typically the people who communicate with the media and customers don't know a single thing about tech. They don't know what end to end encryption means. They just know encryption is involved and they have heard the buzzword, so they repeat it.