[simoncion]

> It is your assumption that the perceived threat is a 'nation-state'...

... That was the opening sentence of my paragraph that demonstrated that there is no such thing as "guaranteed security". If you think that there is such a thing, then you're going to be confused about many things when you think about security matters.

To the rest of your comment:

You need to keep things in perspective. [0]

* On Windows, Mac, and Linux malware can read and write to anything that the user who installed it has access to. It can read what other programs have stuffed in to RAM... including your password manager's temporarily decrypted passwords. It can often record and exfiltrate the contents of one's screen and the output of one's microphone. It can often install keyloggers that capture banking, email, and other credentials. It can often encrypt personal data, lock the computer, send the computer user a friendly ransom note, and then decrypt that data once payment is received. Unless the malware is ransomware, it can do all this without ever notifying the computer user.

* On Android and iOS, malware can do exactly what the pre-installation permissions list says it can. Malware cannot read or write to data for which it does not have permission to read or modify. For instance, malware cannot be a keylogger unless it requests the replace system keyboard equivalent permission. For Android malware to read what other programs have stuffed into RAM, it -effectively- has to be authored and signed by Google and baked into the system image.

* Are you old enough to remember popup web advertising? Because (other than the platform) that's exactly what the section you quoted from that article is talking about. In the PC world, popups are called "annoying" rather than "malware".

Is the permissions system good? No. However, it's dramatically better than what you get in the PC world.

Remember that Signal is software that is intended for rather secure communications. Signal's threat model [1] requires that other programs running on the system be unable to tamper with the data that Signal puts into RAM and on to disk. You can get those properties with a PC, but so many non-technical users' PCs have been hit with real malware ages ago that that's kind of a lost cause. Actual "take over your computer" malware doesn't exist in either the Play Store or the App Store. This is really good for the average computer [2] user.

> Maybe this is because I am also taking into account Android's severe updates problem...

Wot? Other than the ~3 year update window problem, this hasn't been a wide-spread problem [3] since Google put critical system stuff in the Google Play Services package (rather than baked into the system image) ages ago.

> I've read and understood the same things you have...

Read? Maybe. Understood? Clearly not. I hope that you'll take the presence of strong differing opinions backed up by sound reasoning and hard facts as a signal that some of your fundamental assumptions about the topic are incorrect.

[0] Indeed, maintaining perspective is a significant part of talking about security issues.

[1] Learn what that means if you don't already know.

[2] Mobile or otherwise.

[3] Yes, you can point to abandoned phones. I can point to people with missing limbs, but that neither means that the majority of people are missing limbs nor does it mean that there's a severe missing limb problem in the human population. :)

[tombrossman]

At issue further up the thread was whether insisting on using Google Play to distribute Signal for security reasons was sound logic, right? Forgive me if I missed the point but I thought that's what we were debating. That's why I provided the specific example above which showed malware distributed via the Google Play store. this advanced my position that an app insisting on distribution via Google Play store exclusively is not automatically more secure than alternative distribution methods.

What part of your response above advances your counter-argument please? The closest you came was saying that "Actual "take over your computer" malware doesn't exist in either the Play Store or the App Store." but this is directly contradicted by this story from just yesterday: http://www.slashgear.com/viking-horde-malware-uses-google-pl... (plenty of other sites covering this too)

I'm also unclear about missing limbs being somehow analogous to 'abandoned' phones. Let's set that aside and have a look at this chart on Wikipedia: https://en.wikipedia.org/wiki/Android_version_history Can you look at that and still say that updates are not a wide-spread problem? It links to sources and indicates to me that most Android phones are not using a current version with up-to-date security patches. Do you disagree?

I've stated from the beginning that I disagree that distribution via Google Play is any guarantee of security and provided links to specific examples of malware in the Google Play store as evidence that Google Play has repeatedly been used to distribute malware to many millions of devices. Can you rebut this?

As an aside, I'm reading your reply and I'm thinking to myself "If someone needed a comprehensive 'how-to' for a straw man argument then this one is pretty good". Also please consider that popups were a real problem as late as the early 2000's. That means you must be thinking I am in my early teens, if I am to take your "Are you old enough to remember popup web advertising?" comment at face value. I have to say it isn't helping to persuade me, and is having the opposite effect.

[EdHominem]

So your point is that the Play store isn't perfect at stopping malware and that negates all benefits over just installing random unsigned APKs?

Besides, Moxie's point is that the store installs what he signs and nothing else. Perhaps the system wouldn't catch malware but if it prevents people from running builds he didn't make it sure lessens the window of opportunity.

[simoncion]

> The closest you came was saying that "Actual "take over your computer" malware doesn't exist in either the Play Store or the App Store." but this is directly contradicted by this story from just yesterday: http://www.slashgear.com/viking-horde-malware-uses-google-pl.... (plenty of other sites covering this too)

That link says these two things:

> There's a new piece of malware in the wild, and it's turning phones and tablets alike into a part of a large botnet.

This is use of both the ability to execute software within Android's sandbox along with the ability to transfer data using HTTP/HTTPS to send data on the Internet. That's what a botnet is.

> While unrooted devices are susceptible to the actions listed above, rooted devices are at a greater risk. On these devices, additional software is installed that allows it to execute any code remotely. What's more, it uses your root access privileges to make it difficult, if not impossible to manually remove the malware.

This doesn't affect anyone who's using Android as either distributed by Google, or by anyone who's distributing an Android-branded phone.

That is to say, unless you purposely go very far out of your way to install custom system software that deliberately weakens critical Android security features -thus putting your Android device pretty squarely in the realm of PC-level security-, then there is no software in the Play Store that will take over your Android device.

Pointing to that and claiming that it's evidence of a failure of the Play Store is like winding your seatbelt tightly around your neck (rather than securing the buckle to its clasp), driving at highway speeds straight into a bridge support, and then blaming the seatbelt when your head pops off of your neck. :)

[simoncion]

> At issue further up the thread was whether insisting on using Google Play to distribute Signal for security reasons was sound logic, right?

No. The assertion was that Moxie only wished to distributed on the Google Play store. I addressed this complaint. From my first comment in this sub-thread:

>> He only wants distribution via Google...

> Untrue. He only wants distribution through channels that provide the same security assurances and deployment features that Google does through the Play Store. [0][1][2]

You then went off on a tear about how the Play Store doesn't provide "guaranteed security", with the strong _implication_ that this fact means that distribution through either the Play Store or the App Store is no better than distributing through a Market that performed no malware scanning, stripped the developer-provided signature from the software they distributed, signed all software distributed in the Market with the same signing key, and (because their code signing system was automated, rather than manually run) kept that signing key online and on an Internet-accessible computer, rather than in cold storage that gets occasionally attached to an airgapped computer.

The difference in procedures is crucial.

> I have to say it isn't helping to persuade me...

Your rhetorical style strongly indicates that you're more interested in verbal sparring than transfer of information. Maybe some months or years down the road you'll go back, revisit conversations like this one, and grow to understand something new about computer security.

[0] https://github.com/WhisperSystems/Signal-Android/issues/127#...

[1] https://github.com/WhisperSystems/Signal-Android/issues/281#...

[2] https://github.com/WhisperSystems/Signal-Android/issues/127#...

[tombrossman]

Verbal sparring is nothing to be afraid of or to shy away from, we're adults and are staying within the guidelines here. It is known for the frequent use of metaphor. Examples of this can be found up-thread in, well, your rather colorful comments about severed limbs and heads popping off! Amusing yes, but not convincing. But not amusing enough to revisit months later - better and healthier to let it go and move on, thanks.

I've provided numerous facts and backed them up with links to sources. That is a substantial transfer of information which you didn't acknowledge. What does all that great security you describe mean for all those people not getting updates? It is a real problem.

You go on to say "That is to say, unless you purposely go very far out of your way to install custom system software that deliberately weakens critical Android security features -thus putting your Android device pretty squarely in the realm of PC-level security-, then there is no software in the Play Store that will take over your Android device." The Viking Horde malware is bad enough with the ads popping up and dangerous links appearing, whether this is 'safely' sandboxed on a vanilla install or completely taking over a rooted devices is of little significance to me. I don't want ANY of it.

I'd like a secure messaging app that can be installed on a more hardened version of Android like CopperheadOS, which does not require the constant 'phoning home' to Google that most Android phones do. Remote install capability via Google Play is huge red flag and a deal breaker for me, but I understand Moxie intends to target more mainstream users and has to make compromises to serve them.

A fair number of Android users like me are more concerned about the mass surveillance practices of advertisers such as Google than we are about the full-on 'tinfoil hat' NSA stuff. I don't like either, but the corporations are more worrying because they're attracting the better workforce with their higher pay and as a result are more effective. We want Signal to protect us from Google, not the NSA.

What initially made me post my first reply to your initial comment was that I saw it was attracting down-votes and I thought you put some effort into it and made some sound points, so I upvoted and replied. This thread has probably run it's course at this point by my email is in my profile if you have anything else to add.

[simoncion]

> I'd like a secure messaging app that can be installed on a more hardened version of Android like CopperheadOS, which does not require the constant 'phoning home' to Google that most Android phones do.

I found this [0] today. You might be interested in the last paragraph of the comment. Enjoy!

[0] https://github.com/LibreSignal/LibreSignal/issues/37#issueco...

[simoncion]

> The Viking Horde malware is bad enough... whether this is 'safely' sandboxed on a vanilla install or completely taking over a rooted devices is of little significance to me. I don't want ANY of it.

It sounds like you'd rather be using something more appliance-like like an iDevice. Their sandboxes are substantially more strict, and their permission system is actually more fine-grained than what you find on Android. OTOH, you can do far fewer interesting things on an iDevice than an Android device. That's the Security vs. Convenience tradeoff at work.

Anyway. This has no bearing on the fact that the infrastructure and services provided by Google through the Play Store are rather good and competently managed. It certainly has no bearing on the fact that distributing software through the Play Store is substantially safer and more secure than either distributing through a Market that has devastatingly poor code signing key management practices, or -even worse- demanding that your users download and install unsigned software hosted on arbitrary sites on the internet.

The truth of the matter is that distribution through the Play Store and the App Store is absolutely the safest and most secure way to distribute software to Android and iOS devices.

> I've provided numerous facts and backed them up with links to sources.

And by and large your "facts" come from antivirus vendors attempting to drum up sales of their now-pointless-on-the-fastest-growing-sector-of-the-computer-business virus scanning software by making mountains out of teaspoonfuls of dirt.

> What does all that great security you describe mean for all those people not getting updates?

You never actually investigated whether or not Google's split of core functionality into Google Play Services largely mitigated the security impact of laggard phone manufacturers. The answer might surprise you!

> A fair number of Android users like me are more concerned about the mass surveillance practices of advertisers such as Google...

Then, uh, why are you running an OS that's authored by Google? There's a saying: "If you don't trust the vendor of your OS, then you can't trust the computer that's running it.". By definition, the author of your OS has root privileges on any device that that OS runs on.

> We want Signal to protect us from Google, not the NSA.

Signal absolutely does not protect your conversations with others if a malicious party gains root on the device on which it runs. If you don't trust Google, then running Signal on Android is absolutely the worst thing you could possibly do. Seriously dwell on that for a while.

> Remote install capability via Google Play is huge red flag...

See above. Also, because Google does not have a copy of the signing key for Android apps that it doesn't author, it is impossible for Google to install rogue versions of apps that it didn't author. [0] When F-Droid was distributing their own copy of Signal, F-Droid used the same code signing key for all apps. This meant that they (or anyone who snatched the key) could push unauthorized updates to any software on the F-Droid repo.

> ...I understand Moxie intends to target more mainstream users and has to make compromises to serve them.

Heh. You haven't understood anything Moxie has said about why Signal is currently distributed exclusively through the Play Store, have you? :(

[0] Of course, you may not believe that if you don't trust Android's app signature verification code.

[xg15]

> It is your assumption that the perceived threat is a 'nation-state'... ... That was the opening sentence of my paragraph that demonstrated that there is no such thing as "guaranteed security". If you think that there is such a thing, then you're going to be confused about many things when you think about security matters.

If we can agree that this sort of thing won't protect against nation-states (if you even wanted that), what exactly does it protect against that a plain TLS connection doesn't?

[simoncion]

You've missed the reason for that opening statement.

tombrossman said "...it must be noted that this isn't a guarantee of security." [0] (emphasis mine). I used the pretty-much-worst-case attacker in the first sentence of my opening paragraph to support the second sentence in my opening paragraph, namely:

> Security isn't binary, it's a gradient.

There is not a "guarantee of security". There are only "things that a given security strategy will protect against, and things that it won't protect against". If you want to expand the set of things that a security strategy protects against, you always need to pay the costs mentioned in the third sentence in that paragraph.

Now, to address your comment:

I'm not sure what the "this sort of thing" to which you refer in your comment is. Would you be so kind as to clarify?

[0] https://news.ycombinator.com/item?id=11673722