by simias 4666 days ago
It's not JS that's the issue, it's the fact that the server can change the code at any time without the user being notified. So Mega can backdoor its own encryption code at any time to retrieve your keys.

It's broken by design, it's not a flaw of JS per se.


Your mobile & desktop OSes, etc., all have a silent automatic update mechanism. Installed programs can start services silently and download executable code in the background and use it as they want. And governments take advantage of these facts regularly.

That's why they created the browser extension. It might even come signed. At least you can read the source in plain text, unlike a compiled binary.

Which mobile & desktop OSes do that? The only software that automatically installs updates on my Apple gadgetry seems to be Google Chrome.

Google Play Services is one example. Any app can download executable code in the background without you realizing what is happening. Apple has some mechanisms of their own coded in if necessary.

Do you have more information on Apple's mechanisms? I can't find anything (and I'd like to turn them off :)).

You can't turn them off without jailbreaking, then you can download tweaks to turn them off. One I remember from years ago was the 'app blacklist' disabler.