[solarkraft]

Naomi analyzes the technical side very well, but somehow face plants on the conclusion.

Insecure IMEs exist everywhere and affect every app. Not just Signal, not just in China.

This is the operating system's job to tackle, not Signal's. And oh wonder: Android displays a scary reminder when you install an IME (of course they could and should disallow network access for IMEs as well).

Signal should show a reminder to help people be secure, but framing this as some kind of obligation towards the people of China is weird.

[TaylorAlexander]

I think Naomi wants at least a clear recognition of the issue from signal. All of us on HN can say “well yeah that’s obvious” but signal keeps telling everyone their app is “secure” without caveats that your keyboard could be leaking everything you type, making the system not secure. Saying “well that’s not my department” isn’t acceptable when people are being put at real risk here.

EDIT: The specific request in TFA is to detect users using a third party IME and give them a security warning. Seems pretty reasonable.

[philsnow]

> This is the operating system's job to tackle, not Signal's. And oh wonder: Android displays a scary reminder when you install an IME (of course they could and should disallow network access for IMEs as well).

(ios makes the third-party keyboard ask the user for "full access" in order to hit the internet.)