Testing a new encrypted messaging app's extraordinary claims (crnkovic.dev)
199 points by crnkovic 1134 days ago
18 comments

This is my absolute favourite kind of post on HN. It's got everything: intrigue, mystery, scandal and of course heavy on the technical side too. All packaged up in a compelling narrative.
Thanks! I'm glad you found it as interesting and thrilling as I did while discovering each (exponentially worse) mistake.
Agreed! Additional bonus points for calling snake oil out.
There is software that lives up to these claims: it's Tinfoil Chat. The article is correct about the necessary trade-offs: due to peer-to-peer transport (onion hidden service to onion hidden service) both ends of the conversation have to be online -- it at least spools the message waiting for the recipient to appear.

For hole punching and signaling that has to be done by a third party, well, the third party is Tor.

TFC then goes on to break out the encryption and decryption machines from the network and passes messaging over opto-couplers to prevent your keys from getting exfiltrated. Qubes qrexec could similarly isolate the components.

https://github.com/maqp/tfc

The problem with these tools is that they're extremely complicated to set up and use. Grandma wants a phone number, not a v3 Tor Onion Service address.

I'm interested in usable E2EE messaging apps -- that's what I compared Converso to. Whatever this is (I will read the docs some day) is in another realm.

Definitely - adding contacts in TFC is an unreasonable burden: you cannot copy-paste addresses into the source machine, 56-character Tor addresses have to be typed in manually, followed by the recipient's public key.
My goodness, what are they even planning to patent? Seald SDK? React Native? Firestore? RSA? The app does nothing, LOL.
If memory serves, I was once told by an IP lawyer that during the time period when you have a patent pending (regardless of merit) some unscrupulous types then leverage that fact to juice their valuation to potential investors.
Ooooh makes sense.
They're probably just stalling for time, and they can blame the patent office.
Who knows!
IMO you should consider putting Converso in the title of your blog post so that it shows up when people Google, as a warning.

I just checked and your blog post does not come up in the results for Converso.

I had this same thought. The problems with this app are serious enough to be a danger for certain people who might rely on it (journalists, for example).
Ironically, this showed up when I googled Converso.
Great!
A quick search on the CEO turns out the man is a genius: "Tanner Haas, who is an M.I.T. dropout" was a human health specialist in 2020: https://londondailypost.com/this-denver-based-startup-aims-t... ...now he is a crypto expert.
> 2023-05-05: Converso asks: "May we know what you do and where you are located? Thank you."

What are you, a cop?

"Can we sue you, or are you subject to prosecution under the CFAA? Thanks."
How incompetent do you have to be to ask "How were you able to decompile the source code of the app" after reading this post?
> 2023-05-05: Converso asks: "How were you able to decompile the source code of the app...?"

Seriously? What the fish?!

This is so incredibly bad. I’m stunned.

Great investigative blog post!

TL;DR: Do not under any circumstances use or recommend "Converso".

Thank you! Glad you enjoyed it.
Amazing.

Have you by chance looked at the new update? Not that anyone should ever use this app in the first place, but I'm curious whether the massive vulnerability you discovered was fixed.

> whether the massive vulnerability you discovered was fixed.

Which massive vulnerability in particular? You'll have to be more specific, haha.

I confirmed the Firestore collections had some kind of server-side security rules added before publishing the post.

Yes, that's the biggest issue.

The other one is the Seald MITM, which they probably won't know how to fix, IMO.

This was an article about the app [0].

"Man Creates Messaging App FBI Can't Crack and Anyone Can Download, Stopped at Airport Days Later"

I would just use SimpleX tbh [1]

[0] https://www.westernjournal.com/man-creates-messaging-app-fbi...

[1] https://simplex.chat

First link:

> This article was sponsored by Converso.

It's actually kind of sad to see people actually using this and believing in the claims being made. And this is all supported by Google who, frankly, should be denying service to what should be considered spyware. I mean, I swear this type of app used to be considered spyware...

It seems these days if your data ends up on a server that's A-ok! With all the talk on HN about the "GDPR" it sure seems like an absolute failure - where's the QC from Google looking at the code and proactively doing something about the real, potential harm that can come from this? It really seems if you want to harvest user data you can whip together an app that looks and feels okay, but behind the scenes is designed to do nothing but collect your data for whatever nefarious purpose the developer has in mind - and this is all 100% legal and the chances are whoever was involved will not even get so much as a fine!

Now there's an app that openly collects user data and is publishing it as a matter of public record, consequences be damned.

Android and Google need to take responsibility here and use Play Protect to treat the app as harmful and to better shield users.

This is an excellent write-up and investigation, which is something Google should be doing to expose the dangers of their own platforms - hacking together a few APIs/SDKs to mass harvest user data is absolutely not okay. Frankly, they should be legally mandated to review these apps in depth, and be provided full, unobfuscated source code, along with a detailed network map of all URLs the app accesses, API keys etc., and should approve (similar to Apple) before Android allows it to be used. If you install it outside of the app store a very strong warning should be in place to let users know of potential spy/malware.

I also discovered this app is actually on the play store [1]! And the app data safety says "No data shared with third parties Learn more about how developers declare sharing". It's an absolute JOKE this is not being enforced by Google at all. Shame on them.

I believe Mozilla did an investigation and found most apps are outright LYING about their "data safety" so that feature is beyond useless when Google doesn't actively moderate it.

[1]: https://play.google.com/store/apps/details?id=com.conversoap...

Wow what a read. Best read I’ve had in months.
Glad you enjoyed it.
I wonder if there might be grounds for any users to sue based on the publishing of their personal data online and misrepresentation of the product and its security features.
This is so embarrassing. How can they even attempt to exist after this?

The big question: who is paying to develop this terrible app and why? Do they know it's terrible?

Love articles such as this OP where the concept is ripped apart and identified as snake oil.

Good job, keep it up.

You should use Conversations. I guess it's the best and open-source also. It's now getting a major overhaul.
You are doing God's work, sir.