>> Decrypting messages and attachments sent with Signal has been all but impossible…until now.
>> We found that acquiring the key requires reading a value from the shared preferences file and decrypting it using a key called “AndroidSecretKey”, which is saved by an android feature called “Keystore”.
>Yeah, if you have all the keys you can decrypt stuff..
Are all the keys really easily accessible if they have possession of a locked device? I suppose if they can unlock your device they can just open signal and read the messages right?
Does signal allow generation of new passphrase protected private key and can this software bypass that?
If you have a device and it's unlocked, one can simply open signal app and read the messages. You do not need to do any "hacking" here. I fail to see any extra value in the app, except maybe they are looking to get some of the taxpayer's money funneled through to them
Signal has considered this scenario by adding an additional client-side "encrypt my messages" locally feature. Which prevents your messages to get sucked out by some digial forensics tool like it would for iMessage, Messager, etc. So I'm curious if this is what they are referring to.
Post-physical unlocked HD access to the device, aka digital forensics, is assumedq here, this is what this company does.
As others have pointed out Signal might have been storing the local pin/password in an Android secure enclave of "AndroidSecretKey" which they found other means around.
If you can't tell for yourself, here is Moxie's reply (also linked to by the same hn user):
> This (was!) an article about "advanced techniques" Cellebrite uses to decode a Signal message db... on an unlocked Android device! They could have also just opened the app to look at the messages.
> The whole article read like amateur hour, which is I assume why they removed it.
Basically yeah, adding a pin to signal would also prevent this, they didn't bypass such extra measures.
This is what they did in their blog post:
> We found that acquiring the key requires reading a value from the shared preferences file and decrypting it using a key called “AndroidSecretKey”, which is saved by an android feature called “Keystore”.
No further mention of it, so I assume they just had access to it. From Moxie's post, I assume that the keystore is unlocked when the phone is.
Perhaps they mean: assuming one already has legal authority to access somebody else's app data, this is a legal mechanism to remove any remaining technical barriers? (I.e., the other mechanism available for getting past technical barriers would be illegal, e.g. torturing someone who knows the password.)
There were reports of Mexican cartels having access to cellphone decryption software. Yeah, you can say that the cartels are the government in those areas where they have the power. That tells you everything you need to know about lawful access.
Yeah I agree. This type of solutions can always end in the wrong hands.. But you don't need to go that far. The same agencies that buy it can use it in an unlawful way.
Perfectly possible. It's "proprietary" in contrast to "standardized", not in contrast to "open". The Signal protocol isn't a standard from any standards body (eg ISO, or the IETF), so it's proprietary. Its spec is freely accessible, and free to use, but it's still one company's protocol.
I don't buy it. Can you find any instances where it's used like that? According to that definition, you could also say "SpiderMonkey is Mozilla's proprietary javascript engine", which is obviously absurd.
Furthermore, the definitions listed on wiktionary and merriam-webster both seem to incorporate some sort of exclusivity. Just because it's your own variation doesn't make it proprietary.
Mozilla most definitely has exclusive ownership of their property. Ask the people who've tried to repackage Firefox without fully stripping the branding, and get prodded by Mozilla's lawyers.
Here it's a case of semantics, whether you're talking about the open-source software or the full package including services from Mozilla and the Firefox branding. Firefox as a whole is certainly proprietary to Mozilla, even if the code is not.
I suspect the intent re: signal is similar, where the code is indeed open-source, but IIRC signal doesn't network with non-official clients?
Probably best to avoid using the word "proprietary" because of the confusion/connotations, but I don't think it's entirely wrong.
I'll quote the top post from there.
> This immediately smells of marketing bullshit:
>> Decrypting messages and attachments sent with Signal has been all but impossible…until now.
>> We found that acquiring the key requires reading a value from the shared preferences file and decrypting it using a key called “AndroidSecretKey”, which is saved by an android feature called “Keystore”.
>Yeah, if you have all the keys you can decrypt stuff..
> This is dumb, please please do not upvote