by MrsHippy 2012 days ago
Are all the keys really easily accessible if they have possession of a locked device? I suppose if they can unlock your device they can just open Signal and read the messages, right?

Does Signal allow generation of a new passphrase-protected private key, and can this software bypass that?

3 comments

If you have a device and it's unlocked, one can simply open the Signal app and read the messages. You do not need to do any "hacking" here. I fail to see any extra value in the app, except maybe they are looking to get some of the taxpayer's money funneled through to them.
Signal has considered this scenario by adding an additional client-side "encrypt my messages" locally feature, which prevents your messages from getting sucked out by some digital forensics tool like it would for iMessage, Messenger, etc. So I'm curious if this is what they are referring to.

Post-physical unlocked HD access to the device, aka digital forensics, is assumed here; this is what this company does.

As others have pointed out, Signal might have been storing the local PIN/password in an Android secure enclave of "AndroidSecretKey" which they found other means around.

Here is the original blog post (also posted by someone else in this thread):

https://web.archive.org/web/20201210150311/https://www.celle...

If you can't tell for yourself, here is Moxie's reply (also linked to by the same HN user):

> This (was!) an article about "advanced techniques" Cellebrite uses to decode a Signal message db... on an unlocked Android device! They could have also just opened the app to look at the messages.

> The whole article read like amateur hour, which is I assume why they removed it.

> https://twitter.com/moxie/status/1337434126186553345

--

Basically yeah, adding a PIN to Signal would also prevent this; they didn't bypass such extra measures.

This is what they did in their blog post:

> We found that acquiring the key requires reading a value from the shared preferences file and decrypting it using a key called “AndroidSecretKey”, which is saved by an android feature called “Keystore”.

No further mention of it, so I assume they just had access to it. From Moxie's post, I assume that the keystore is unlocked when the phone is.

I think one can lock the Signal app with a PIN, so if someone has the device unlocked they would still need the PIN.