Feature Request: Lock App + Encrypted Database

[resu]

Since recently migrating from a chrome add-on, I feel we should revisit adding an optional lock screen & optional database encryption for the standalone application.

While FDE is totally an option, and something I already use, I would like to be able to lock the standalone application if I wanted to let a friend jump on my system to browse amazon or play a game, without worrying they might get curious and click on the application only to stumble on my private conversations without any type of wall.

Referencing #452, #550, #710, #790, #972, #1017

[scottnonnenberg]

As previously discussed, you can use the guest account available in your OS of choice for that 'friend using my computer' scenario.

Maybe you can talk a little about why you feel things have changed with the Standalone app?

[breznak]

you can use the guest account available in your OS of choice for that 'friend using my computer' scenario.

not necessarily, ie they need to work with your apps/data, so it makes sense to lock-protect the app.

Also the data should be imho stored only in an encrypted way, as even with FDE, once the computer is on, all the data is unlocked. A virus can access your conversations on disk. if the data is kept encrypted (in RAM also?) and on disk and only decrypted by the app when needed, this can be reduced.

A final touch would be if Signal could store its keys in TPM for extra security?

[scottnonnenberg]

As a quick gut check, a few more questions:

• When you lend your machine to a friend to use your apps/data, do you also log out of all web sites with persistent logins? Could they post to social media as you? Buy something on your favorite web store?
• If they opened your email app, could they send email on your behalf?

[breznak]

do you also log out of all web sites with persistent logins? Could they post to social media as you?

Yes, I log off easily, as all "important" sites are logged in in the "porn view", so it's just a matter of killing a browser window.

could they send email on your behalf?

Could not, webmail. But I see your point, in many reasonable cases they could impose me (ie skype, etc).

I feel the thing is:

• Signal is a niche, thus it's used by a) privacy-freak friends, b) for sensitive data, therefore the extra layer of security would be welcome.
• As you say, Skype,Telegram do not have it, so it would be a bonus feature over them.

I was looking into the "Implementation POV":

• encFS could be used to encrypt, and unlock-on-demand the Signal's data folder?
  • that would also "break" the apps functionality (intended), so all we'd need to un/lock Signal is:
    • signal depends on encFS containers, data stored in one
    • add a GUI button "Log On/Off" that would open the container
• there are "privacy container" apps on Android, that do just that - hide&disable an app/folder and ask for a password to access it. Does something like that exist for desktop linux (open-source)?

[canerelci]

I totally agree with @breznak about at least a configurable password protection. I can spend some time on developing this feature if you think it's nice to have. In fact, I think having two passwords would be great to have:

• One decoy password, which unlocks the UI in alarmed state, in which shows empty chats windows for selected contacts or totally hide them.
• One real password to unlock the app back in normal state.

Who talked about being privacy-freak? :)

[scottnonnenberg]

Decoy behavior is not something we've put in place on any of the Signal apps, so I don't think we want to do that yet.

Regarding the password, you're welcome to start brainstorming visual designs and potential code changes, but we're not ready for a pull request yet.

[canerelci]

I'm not in a hurry either :) I have lots of things on my desk, but still, I would like to contribute as much as I can.

[priceratops]

fwiw, I really like the idea of a Lock function/button for the desktop app, too. Something like the way it is on the Android app would be great. I'd make it myself if I knew how.

[isviridov]

On Mac consider encrypting locally stored data with key stored in Apple's Secure Enclave, available on most recent Mac platforms: https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave
It would require explicit user action (touch id or account password) when starting Signal.
I understand that improvement in security (assuming drive already encrypted by FileVault) is minor, but it's not nonexistent. Defence in depth and all that.

[kaushalyap]

In addition to what is mentioned by @resu, I also suggest encrypting the encryption key with the app password which is sitting in $HOME/.var/app/org.signal.Signal/config/Signal/config.json (on Linux) in plain text. Protecting the encryption key with FDE is not an option, since it does not defend the key in case of malware.

Paging @scottnonnenberg , @canerelci

[greg-]

On Mac consider encrypting locally stored data with key stored in Apple's Secure Enclave, available on most recent Mac platforms: https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave
It would require explicit user action (touch id or account password) when starting Signal.
I understand that improvement in security (assuming drive already encrypted by FileVault) is minor, but it's not nonexistent. Defence in depth and all that.

I'm new to the desktop app (macOS) and I'm surprised there's no way for me to lock the app, whether manually or automatically. Setting timeouts and reauthentication for local users is basic op-sec

[synthview]

I'm surprised there's no way for me to lock the app, whether manually or automatically. Setting timeouts and reauthentication for local users is basic op-sec

+1 for me. I find weird I can lock my app on mobile but not on my computer. It makes no sense!

[SinTan1729]

On Mac consider encrypting locally stored data with key stored in Apple's Secure Enclave, available on most recent Mac platforms: https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave
It would require explicit user action (touch id or account password) when starting Signal.
I understand that improvement in security (assuming drive already encrypted by FileVault) is minor, but it's not nonexistent. Defence in depth and all that.

I'm new to the desktop app (macOS) and I'm surprised there's no way for me to lock the app, whether manually or automatically. Setting timeouts and reauthentication for local users is basic op-sec

Ikr. This is a much needed feature as Signal is often referred to as the golden standard of private messaging. If its desktop client is vulnerable, it kinda defies all the benefits of having a robust mobile app imo.

[dnut]

Doesn't the android client have a similar vulnerability? It has encrypted storage, but how is the key stored?

First of all, signal-desktop needs to have encrypted local storage. Critically, the user should be able to configure signal to require a user-entered password to decrypt the local storage upon startup. This may require changes in both desktop and mobile.

This vulnerability means someone can login as you and spy on your future conversations from another device. It would be great if signal servers could help combat this by:

1. Uniquely identifying each signal session.
2. Recognizing a session has been compromised if it is logged in from multiple places at once.
3. Invalidating compromised sessions so their keys can no longer decrypt new messages.

[daveminker]

There's also a very practical use case where you're using Signal on a PC that's not your own, e.g. a company-owned device where your account is controlled by the company via active directory or the like, and they have the ability to change your password and log into the device as you once you leave the org. Having a pin or password on the app is a simple way to ensure your Signal conversations remain secure despite the fact that you don't have ultimate control over the environment you're operating in.

[krstp]

Absolutely would love to see this feature implemented. I understand all the conversations against it, but above post explains it in full, not sure why devs do not want to provide such an option: just an additional layer of security.

Telegram has something like this implemented; such as every few second the app window gets blocked; requiring pin to unlock.

[jonathanmmm]

I was shocked to see that Signal Desktop is unencrypted, I could extract everything.
This makes Signal Desktop a security risk and it should be warned about that if you install it, your security level decreases dramatically.
I have FDE but still, I don't trust every application that I install to not spy around (like Chrome Browser), same on Android.
A secure system like Signal should never trust that on the machine is not something installed that spies (without the user knowing). Malware, etc. could just copy all the databases.

If somebody knows of a fork that implemented something like this, would be great.
Leaving Signal unencrypted is like storing your passwords plaintext in your browser or never locking your password manager, every application has complete disk access to it.
This makes taking over a session easy, if the key is not encrypted.
Maybe getting Signal into Windows Store would help (I know that then Windows has some control over it, but I am not sure, that Windows Apps are more containerized and you could probably use TPM and Windows Hello Integration, which would be vastly more secure than now).

Hope that Threema when they implement Multi-Device Support will do it right and hope that Signal goes the right way.

I think Signal is a great great product, but what I hear and read and get is like that unsecure ways are defended.
Like SMS encryption, this was a signature part of Signal and I can't get other people using Silence with not fresh UI + Signal. Either keep encrypted SMS or get rid of SMS completely. It seems like a security downgrade. So now I have to try to bring both together myself, if I want to use it and then to distribute it to friends and somehow keep them updated.

[TheWidespreadDesolation1]

I was rather astounded to learn that this application stores ALL signal conversations in plaintext. Even if you have sensitive, secure conversations on Signal, linking to the desktop app to the mobile app immediately defeats all protection on every conversation.

While I get the idea of FDE, implementing even the most basic of encryption for messages is absolutely essential in my humble opinion.

[jonathanmmm]

True. Its the same reason a password Manager is locked and only unlocked in RAM, so no App or so can extract all passwords. Private messages could be similar of value for protection then your passwords.
It would be very bad to keep a password manager in plaintext on disk.

I know that malware can get any data, once on PC, but it can still be mitigated for malware that just copies files from disk. Else locking a password manager would be as same useless and it is done on every one you can find (even the less secure way and saving them in a browser can be protected via a master password or via windows hello).

Jus thought maybe to make a script that encrypts the key and pictures when closed, better than nothing, but problem: unencrypted data on disk while opened. Unencrypted data should only be in RAM.

[ankostis]

What i'm surprised is that people learned about this issue so late. This has been publicly reported from Oct 2018 and here from 2015(#452).

[ksaadDE]

Well it's time to fix it. I've seen it here too. I was also shocked.
I'll try to create a version with PR for it.

Someone wrote here that the conversations would be stored in plaintext, that's not really true. What is true is, that the enc key is unencrypted in the dir (more exactly the json in the dir) which makes it very easy for a common attacker to extract the data out of the sqlite db.

But I'm not sure if the guy above knows that a fingerprint is very "secure" (just a hint it's not).
A x chars password should be enough.

[jonathanmmm]

Well it's time to fix it. I've seen it here too. I was also shocked.
I'll try to create a version with PR for it.

Someone wrote here that the conversations would be stored in plaintext, that's not really true. What is true is, that the enc key is unencrypted in the dir (more exactly the json in the dir) which makes it very easy for a common attacker to extract the data out of the sqlite db.

But I'm not sure if the guy above knows that a fingerprint is very "secure" (just a hint it's not).
A x chars password should be enough.

Thats great, thanks @ksaadDE a password encryption would be the first step.

Enabling Windows Hello to unlock it would be a next step (for Windows users) and can be discussed after any encryption with a password is available.
Bitwarden seems to work with Windows Hello I believe they wouldn't do it, when it wasn't secure enough. That fingerprints can be comprimised or TPMs is another story, everybody has to ask himself what kind of target he is and what level of security he will take.

[ksaadDE]

can be discussed after any encryption with a password is available.

Yes, of course. Step by step.

Bitwarden seems to work with Windows Hello I believe they wouldn't do it, when it wasn't secure enough.

I just ask you: Do you think anyone provides Signal or any other privacy or security-oriented App to OS like Windows or iOS/OSX just because they are secure or just due to the convenience and maybe the leading to a handover to more secure (and privacy-oriented) Systems like Linux or FreeBSD?

If you are serious about honesty, your personal security and privacy, don't use Windows or iOS/OSX (and so on).
There's no other argument to it. Nobody can trust closed source implementations by Companies and organisations known for implementing horrible backdoors and flawy implementations (either accidentally or intentional).

Don't waste your time with Windows Hello. Even it is secure for a while, Microsoft will always rate their company growth and financial income higher than their protective intentions. They just don't care about the Users privacy and even not their security, although they're telling it in the advertisements - which can just be interpreted as a bad joke xD

Another topic is that they don't think about what they do. Just imagine: larger criminal organisations, not telling anyone, already abusing the flawy implementations and backdoors build-in for the "good". What is the good, if the outcome is horrible?

Also, a side note: I don't blame the Devs at Apple and Microsoft for it (just two examples, randomly picked). They're just doing their job. Some of them are highly accepted members of the Open Source Software Community, and most of us like them in the sense of their expertise.

Even the APT Defenders at Microsoft and also Apple are just good people working at the more or less "wrong" side.

Also, a note to TPMs. If they rely upon closed source Hardware or closed source Software (unlike intel does, since they have a TPM-oss stack here on Github), they can't be secure!
The specs papers by TCG (a Microsoft led initiative for making more money, not security - just to underline it) are full of unclear side effects and aspects. This by no means automatically implies that they have build-in some backdoors, it would be speculative.
But let's say.. they even brought up China participating in the project. You can be sure there's some large space of unanswered questions yet.

Another question I asked myself.. does a computer in a computer making my computer securer?
The Chain of Trust relies upon that the security device (either an HSM or TPM or whatever) is fully trustable and not compromised. This is a core root (problem).

I think we will look forward to implementing stuff for TPMs, if the attestation stuff, crypto-capabilities, and so on, having common and stable libraries (for Electron and Chromium), which is not yet the case.

[jonathanmmm]

@ksaadDE
I know that Windows and MacOS are not the best way for privacy, but some tools are not on the power on open source side, I would love to use linux, but many programs are not available natively, it is a tradeoff yes. If we can't trust TPMs (which can also be compromised) we can't trust any intel or amd chip, e.g. Intel ME could potentially even snoop on any operating system.

Signal is available on Windows, MacOS, Google Play Store, App Store (iOS), as long as it is there it should use secure features from theses OSs. Think like Signal would not include fingerprint login on Android, because we can't trust Samsung, or any other manufacturer and not Google.

Signal will only be good, if many people are using it and that way people have to be gathered where there are at and people at companies maybe don't have a choice of their OS.
Trying to get people to more open source is the next step.
Step by step ;-)

[ksaadDE]

@ksaadDE
I know that Windows and MacOS are not the best way for privacy, but some tools are not on the power on open source side, I would love to use linux, but many programs are not available natively, it is a tradeoff yes. If we can't trust TPMs (which can also be compromised) we can't trust any intel or amd chip, e.g. Intel ME could potentially even snoop on any operating system.

Signal is available on Windows, MacOS, Google Play Store, App Store (iOS), as long as it is there it should use secure features from theses OSs. Think like Signal would not include fingerprint login on Android, because we can't trust Samsung, or any other manufacturer and not Google.

Signal will only be good, if many people are using it and that way people have to be gathered where there are at and people at companies maybe don't have a choice of their OS.
Trying to get people to more open source is the next step.
Step by step ;-)

Thanks for agreeing. Well, we are only able to convince people, that's the whole point of freedom in Software and Hardware.

It's not about supporting these garbage OS, it's just showing them how better Software and Hardware works. That's why we shouldn't rely on their horrible flawy implementations, instead, let's make them (only if needed) the last option.

Yup, we can't trust Intel and other closed Source manufacturers, but the good thing is: they try to provide us with Open Source in their new products. They see the issue and shifting towards us. More in Software than in Hardware, but it will also shift towards Open Source Hardware soon.

Until the new age arrives we have to bridge between Open Source Software and Hardware (and closed Source Hardware).
I'm not saying the age isn't near, but they have to search for new ways to steal information from their users (making money) xD

If I remember correctly these CPU Backdoors were very soon fixed on the Software side, especially in the Linux Community.
So no, not on every System :p

Greetz

[ksaadDE]

should be fine now see PR #5465

[ksaadDE]

@indutny-signal