[simoncion]

> ...it must be noted that this isn't a guarantee of security.

Yes, and if a nation-state is after you, you almost certainly don't have the OPSEC discipline required to keep your computing devices secure. Security isn't binary, it's a gradient. Ever more secure devices require ever higher costs, whether they be monetary costs, lost time, or procedural complications.

> A quick search of 'Google Play malware' returns many results from 2016...

And even a brief dig into the details of those "malware" reports reveals that -if the software was distributed and installed through the Play Store, and the Android device user did not have "Allow installation from unknown software sources" checked- all that pretty much all of that "malware" does is exactly what the permissions it requests permits it to do. [0]

Protip: If the software asks for permission to read your contacts, location information, and system log data, don't be surprised if it exfiltrates that information via the pretty-much-always-on Internet connection that's built into the device it's running on. :)

The fact of the matter is that Google is rather good at software security.

> ...but the only certainty that using Google's store brings is that you must have a first-party relationship with Google to use his app.

Not to be an ass, but you either haven't read or haven't understood either the technical aspects of what the Play Store gives you, or the target audience for Whisper Systems's software.

[0] Vulnerabilities like stagefright are excepted from this list because they are vanishingly rare. I challenge you to find another actual Android sandbox escape. :)

[tombrossman]

It is your assumption that the perceived threat is a 'nation-state', not mine. Personally I'm not to worried about them and I'm more concerned with advertisers and data brokers.

Let's take that brief dig into those 'malware' reports, shall we? Here's one from the Wall Street Journal[0] from last year. Some choice quotes:

"Security-software maker Avast called out a trio of malicious Android apps that were, until recently, available in the Google Play app store. The apps would go into sinister mode after 30 days on a device, and begin spamming users with advertisements, Avast said in a company blog post. Google told the Journal that, as of now, the infected apps have been pulled from Google Play."

"For those who had the apps installed on their phones for more than 30 days, a threatening ad would pop up each time they unlocked their phone, saying the device was out of memory, experiencing a security hole or some other false claim, Avast said. The pop-ups would then route people to websites where more malware could be installed on devices, said the security company. Anyone with either of the known apps installed should delete them immediately."

Do we blame the users since the apps informed them about permissions?

I've read and understood the same things you have, and reached a diametrically opposite conclusion. Maybe this is because I am also taking into account Android's severe updates problem, which is typically left to the carriers and handset makers to implement. Carriers and handset makers want to sell new phones, not patch old ones, who didn't see that one coming? Good on Google for patching Android security holes, too bad they don't reach the majority of users. I'm sticking to my original view and I guess we'll have to agree to disagree.

[0]http://blogs.wsj.com/personal-technology/2015/02/04/android-...

[simoncion]

> It is your assumption that the perceived threat is a 'nation-state'...

... That was the opening sentence of my paragraph that demonstrated that there is no such thing as "guaranteed security". If you think that there is such a thing, then you're going to be confused about many things when you think about security matters.

To the rest of your comment:

You need to keep things in perspective. [0]

* On Windows, Mac, and Linux malware can read and write to anything that the user who installed it has access to. It can read what other programs have stuffed in to RAM... including your password manager's temporarily decrypted passwords. It can often record and exfiltrate the contents of one's screen and the output of one's microphone. It can often install keyloggers that capture banking, email, and other credentials. It can often encrypt personal data, lock the computer, send the computer user a friendly ransom note, and then decrypt that data once payment is received. Unless the malware is ransomware, it can do all this without ever notifying the computer user.

* On Android and iOS, malware can do exactly what the pre-installation permissions list says it can. Malware cannot read or write to data for which it does not have permission to read or modify. For instance, malware cannot be a keylogger unless it requests the replace system keyboard equivalent permission. For Android malware to read what other programs have stuffed into RAM, it -effectively- has to be authored and signed by Google and baked into the system image.

* Are you old enough to remember popup web advertising? Because (other than the platform) that's exactly what the section you quoted from that article is talking about. In the PC world, popups are called "annoying" rather than "malware".

Is the permissions system good? No. However, it's dramatically better than what you get in the PC world.

Remember that Signal is software that is intended for rather secure communications. Signal's threat model [1] requires that other programs running on the system be unable to tamper with the data that Signal puts into RAM and on to disk. You can get those properties with a PC, but so many non-technical users' PCs have been hit with real malware ages ago that that's kind of a lost cause. Actual "take over your computer" malware doesn't exist in either the Play Store or the App Store. This is really good for the average computer [2] user.

> Maybe this is because I am also taking into account Android's severe updates problem...

Wot? Other than the ~3 year update window problem, this hasn't been a wide-spread problem [3] since Google put critical system stuff in the Google Play Services package (rather than baked into the system image) ages ago.

> I've read and understood the same things you have...

Read? Maybe. Understood? Clearly not. I hope that you'll take the presence of strong differing opinions backed up by sound reasoning and hard facts as a signal that some of your fundamental assumptions about the topic are incorrect.

[0] Indeed, maintaining perspective is a significant part of talking about security issues.

[1] Learn what that means if you don't already know.

[2] Mobile or otherwise.

[3] Yes, you can point to abandoned phones. I can point to people with missing limbs, but that neither means that the majority of people are missing limbs nor does it mean that there's a severe missing limb problem in the human population. :)

[tombrossman]

At issue further up the thread was whether insisting on using Google Play to distribute Signal for security reasons was sound logic, right? Forgive me if I missed the point but I thought that's what we were debating. That's why I provided the specific example above which showed malware distributed via the Google Play store. this advanced my position that an app insisting on distribution via Google Play store exclusively is not automatically more secure than alternative distribution methods.

What part of your response above advances your counter-argument please? The closest you came was saying that "Actual "take over your computer" malware doesn't exist in either the Play Store or the App Store." but this is directly contradicted by this story from just yesterday: http://www.slashgear.com/viking-horde-malware-uses-google-pl... (plenty of other sites covering this too)

I'm also unclear about missing limbs being somehow analogous to 'abandoned' phones. Let's set that aside and have a look at this chart on Wikipedia: https://en.wikipedia.org/wiki/Android_version_history Can you look at that and still say that updates are not a wide-spread problem? It links to sources and indicates to me that most Android phones are not using a current version with up-to-date security patches. Do you disagree?

I've stated from the beginning that I disagree that distribution via Google Play is any guarantee of security and provided links to specific examples of malware in the Google Play store as evidence that Google Play has repeatedly been used to distribute malware to many millions of devices. Can you rebut this?

As an aside, I'm reading your reply and I'm thinking to myself "If someone needed a comprehensive 'how-to' for a straw man argument then this one is pretty good". Also please consider that popups were a real problem as late as the early 2000's. That means you must be thinking I am in my early teens, if I am to take your "Are you old enough to remember popup web advertising?" comment at face value. I have to say it isn't helping to persuade me, and is having the opposite effect.

[EdHominem]

So your point is that the Play store isn't perfect at stopping malware and that negates all benefits over just installing random unsigned APKs?

Besides, Moxie's point is that the store installs what he signs and nothing else. Perhaps the system wouldn't catch malware but if it prevents people from running builds he didn't make it sure lessens the window of opportunity.

[simoncion]

> The closest you came was saying that "Actual "take over your computer" malware doesn't exist in either the Play Store or the App Store." but this is directly contradicted by this story from just yesterday: http://www.slashgear.com/viking-horde-malware-uses-google-pl.... (plenty of other sites covering this too)

That link says these two things:

> There's a new piece of malware in the wild, and it's turning phones and tablets alike into a part of a large botnet.

This is use of both the ability to execute software within Android's sandbox along with the ability to transfer data using HTTP/HTTPS to send data on the Internet. That's what a botnet is.

> While unrooted devices are susceptible to the actions listed above, rooted devices are at a greater risk. On these devices, additional software is installed that allows it to execute any code remotely. What's more, it uses your root access privileges to make it difficult, if not impossible to manually remove the malware.

This doesn't affect anyone who's using Android as either distributed by Google, or by anyone who's distributing an Android-branded phone.

That is to say, unless you purposely go very far out of your way to install custom system software that deliberately weakens critical Android security features -thus putting your Android device pretty squarely in the realm of PC-level security-, then there is no software in the Play Store that will take over your Android device.

Pointing to that and claiming that it's evidence of a failure of the Play Store is like winding your seatbelt tightly around your neck (rather than securing the buckle to its clasp), driving at highway speeds straight into a bridge support, and then blaming the seatbelt when your head pops off of your neck. :)

[simoncion]

> At issue further up the thread was whether insisting on using Google Play to distribute Signal for security reasons was sound logic, right?

No. The assertion was that Moxie only wished to distributed on the Google Play store. I addressed this complaint. From my first comment in this sub-thread:

>> He only wants distribution via Google...

> Untrue. He only wants distribution through channels that provide the same security assurances and deployment features that Google does through the Play Store. [0][1][2]

You then went off on a tear about how the Play Store doesn't provide "guaranteed security", with the strong _implication_ that this fact means that distribution through either the Play Store or the App Store is no better than distributing through a Market that performed no malware scanning, stripped the developer-provided signature from the software they distributed, signed all software distributed in the Market with the same signing key, and (because their code signing system was automated, rather than manually run) kept that signing key online and on an Internet-accessible computer, rather than in cold storage that gets occasionally attached to an airgapped computer.

The difference in procedures is crucial.

> I have to say it isn't helping to persuade me...

Your rhetorical style strongly indicates that you're more interested in verbal sparring than transfer of information. Maybe some months or years down the road you'll go back, revisit conversations like this one, and grow to understand something new about computer security.

[0] https://github.com/WhisperSystems/Signal-Android/issues/127#...

[1] https://github.com/WhisperSystems/Signal-Android/issues/281#...

[2] https://github.com/WhisperSystems/Signal-Android/issues/127#...

[tombrossman]

Verbal sparring is nothing to be afraid of or to shy away from, we're adults and are staying within the guidelines here. It is known for the frequent use of metaphor. Examples of this can be found up-thread in, well, your rather colorful comments about severed limbs and heads popping off! Amusing yes, but not convincing. But not amusing enough to revisit months later - better and healthier to let it go and move on, thanks.

I've provided numerous facts and backed them up with links to sources. That is a substantial transfer of information which you didn't acknowledge. What does all that great security you describe mean for all those people not getting updates? It is a real problem.

You go on to say "That is to say, unless you purposely go very far out of your way to install custom system software that deliberately weakens critical Android security features -thus putting your Android device pretty squarely in the realm of PC-level security-, then there is no software in the Play Store that will take over your Android device." The Viking Horde malware is bad enough with the ads popping up and dangerous links appearing, whether this is 'safely' sandboxed on a vanilla install or completely taking over a rooted devices is of little significance to me. I don't want ANY of it.

I'd like a secure messaging app that can be installed on a more hardened version of Android like CopperheadOS, which does not require the constant 'phoning home' to Google that most Android phones do. Remote install capability via Google Play is huge red flag and a deal breaker for me, but I understand Moxie intends to target more mainstream users and has to make compromises to serve them.

A fair number of Android users like me are more concerned about the mass surveillance practices of advertisers such as Google than we are about the full-on 'tinfoil hat' NSA stuff. I don't like either, but the corporations are more worrying because they're attracting the better workforce with their higher pay and as a result are more effective. We want Signal to protect us from Google, not the NSA.

What initially made me post my first reply to your initial comment was that I saw it was attracting down-votes and I thought you put some effort into it and made some sound points, so I upvoted and replied. This thread has probably run it's course at this point by my email is in my profile if you have anything else to add.

[simoncion]

> I'd like a secure messaging app that can be installed on a more hardened version of Android like CopperheadOS, which does not require the constant 'phoning home' to Google that most Android phones do.

I found this [0] today. You might be interested in the last paragraph of the comment. Enjoy!

[0] https://github.com/LibreSignal/LibreSignal/issues/37#issueco...

[simoncion]

> The Viking Horde malware is bad enough... whether this is 'safely' sandboxed on a vanilla install or completely taking over a rooted devices is of little significance to me. I don't want ANY of it.

It sounds like you'd rather be using something more appliance-like like an iDevice. Their sandboxes are substantially more strict, and their permission system is actually more fine-grained than what you find on Android. OTOH, you can do far fewer interesting things on an iDevice than an Android device. That's the Security vs. Convenience tradeoff at work.

Anyway. This has no bearing on the fact that the infrastructure and services provided by Google through the Play Store are rather good and competently managed. It certainly has no bearing on the fact that distributing software through the Play Store is substantially safer and more secure than either distributing through a Market that has devastatingly poor code signing key management practices, or -even worse- demanding that your users download and install unsigned software hosted on arbitrary sites on the internet.

The truth of the matter is that distribution through the Play Store and the App Store is absolutely the safest and most secure way to distribute software to Android and iOS devices.

> I've provided numerous facts and backed them up with links to sources.

And by and large your "facts" come from antivirus vendors attempting to drum up sales of their now-pointless-on-the-fastest-growing-sector-of-the-computer-business virus scanning software by making mountains out of teaspoonfuls of dirt.

> What does all that great security you describe mean for all those people not getting updates?

You never actually investigated whether or not Google's split of core functionality into Google Play Services largely mitigated the security impact of laggard phone manufacturers. The answer might surprise you!

> A fair number of Android users like me are more concerned about the mass surveillance practices of advertisers such as Google...

Then, uh, why are you running an OS that's authored by Google? There's a saying: "If you don't trust the vendor of your OS, then you can't trust the computer that's running it.". By definition, the author of your OS has root privileges on any device that that OS runs on.

> We want Signal to protect us from Google, not the NSA.

Signal absolutely does not protect your conversations with others if a malicious party gains root on the device on which it runs. If you don't trust Google, then running Signal on Android is absolutely the worst thing you could possibly do. Seriously dwell on that for a while.

> Remote install capability via Google Play is huge red flag...

See above. Also, because Google does not have a copy of the signing key for Android apps that it doesn't author, it is impossible for Google to install rogue versions of apps that it didn't author. [0] When F-Droid was distributing their own copy of Signal, F-Droid used the same code signing key for all apps. This meant that they (or anyone who snatched the key) could push unauthorized updates to any software on the F-Droid repo.

> ...I understand Moxie intends to target more mainstream users and has to make compromises to serve them.

Heh. You haven't understood anything Moxie has said about why Signal is currently distributed exclusively through the Play Store, have you? :(

[0] Of course, you may not believe that if you don't trust Android's app signature verification code.

[xg15]

> It is your assumption that the perceived threat is a 'nation-state'... ... That was the opening sentence of my paragraph that demonstrated that there is no such thing as "guaranteed security". If you think that there is such a thing, then you're going to be confused about many things when you think about security matters.

If we can agree that this sort of thing won't protect against nation-states (if you even wanted that), what exactly does it protect against that a plain TLS connection doesn't?

[simoncion]

You've missed the reason for that opening statement.

tombrossman said "...it must be noted that this isn't a guarantee of security." [0] (emphasis mine). I used the pretty-much-worst-case attacker in the first sentence of my opening paragraph to support the second sentence in my opening paragraph, namely:

> Security isn't binary, it's a gradient.

There is not a "guarantee of security". There are only "things that a given security strategy will protect against, and things that it won't protect against". If you want to expand the set of things that a security strategy protects against, you always need to pay the costs mentioned in the third sentence in that paragraph.

Now, to address your comment:

I'm not sure what the "this sort of thing" to which you refer in your comment is. Would you be so kind as to clarify?

[0] https://news.ycombinator.com/item?id=11673722

[makomk]

It's also important to remember that anyone who can compromise your Google account or put legal pressure on Google can remotely install software on your device without interaction from you, and that there have been attacks in the past that have hijacked credentials in suck a way that the attacker doesn't even need to do that.

[simoncion]

Sure, sure. It's also important to remember that there are often chips in phones that are remotely accessible and have privileged access to the memory in the device. The consumer hardware security situation is... not the best.

> ...put legal pressure on Google can remotely install software on your device...

Given their actions in the past, I expect that Google would refuse to do this. That would be a bad precedent to set, given that Google operates in some countries with rather questionable reputations in regards to civil liberties.