Signal should warn users who are likely using insecure IME apps

November 22, 2019, 6:00pm 1

Inspired by this thread: https://twitter.com/RealSexyCyborg/status/1197695344575799296

“68.3% of smartphones in China are using third-party IME apps.” (http://web.cse.ohio-state.edu/~lin.3021/file/SEC15.pdf)

Anecdotal evidence (from the above thread) warns that users unfamiliar with IME (or careless about its risks) are promoting Signal as “secure” without pointing out the dangers associated with third-party IME. This undercuts the purpose of the app for a large group of people, many of whom face far graver consequences for insecure communications than their English-speaking counterparts.

When Signal detects the user speaks a language likely to be accompanied by third-party IME, it should visibly warn the user of the risks.

Welcome to the forum.

What does IME stand for?

https://twitter.com/JTremback/status/1197933457113878529

I could not have summed it up better… While I understand the concern, I don’t see Signal being responsible for solving this threat vector.

When Signal would do that, the same people would go nuts, saying that this is a violation and Signal should not track that. This time I would agree.

PiCob November 22, 2019, 8:09pm 4

input method editor (e.g. software keyboard)

Herohtar November 22, 2019, 8:37pm 5

I too, have to agree that Signal should not police how you are using your device (nor should any other software, unless it is a specific tool designed for that purpose).

Can Android apps get checksums of other apps? Then it could warn about some non legit apps at least.

johanw666 (Johanw666) November 22, 2019, 11:38pm 8

Ony if you have root. But they can get a list of installed packages.

mac9416 (Michael Crenshaw) November 23, 2019, 1:06pm 9

Wait so just to be clear, the “signal vulnerability” is that Android’s Chinese keyboard sucks and people use a third party app?

While I understand the concern, I don’t see Signal being responsible for solving this threat vector.

“Responsibility” is a bit illusory. I think it’s more useful to consider how easy it would be to add a feature that could really help people. If the impact outweighs the difficulty (and I think it probably does), then whether Signal is obligated to make the change seems like a red herring.

One philosopher could argue that the developers are responsible for nothing, since the app is free. Another could argue that they’re responsible for every possible “butterfly effect” of their decisions. That debate is a bit academic and I don’t think especially helpful for making decisions about feature requests.

When Signal would do that, the same people would go nuts, saying that this is a violation and Signal should not track that. This time I would agree.

Loss of users’ trust if the app gives the impression of “spying” on their language is a fair concern. But I think it could be implemented in a way that “tracks” nothing and offers a warning that allays any user concerns. For example, there could be a heuristic of “50% or more Chinese characters”. The first time an outgoing message triggers that heuristic, Signal could display a one-time warning. For example" It looks like you’re writing in Chinese. If you are using a third-party Chinese keyboard, it may not be secure. Consider using the phone’s built-in keyboard."

mac9416 (Michael Crenshaw) November 23, 2019, 1:09pm 10

I too, have to agree that Signal should not police how you are using your device (nor should any other software, unless it is a specific tool designed for that purpose).

Absolutely, and I wouldn’t recommend any form of policing. But a well-timed and well-placed warning of this very common threat wouldn’t be (and I don’t think would even be perceived as) policing. The warning could be phrased in a way that emphasizes the risks of using third-party IME alongside Signal and makes no general claims about whether the user should take advantage of those apps in other contexts.

mac9416 (Michael Crenshaw) November 23, 2019, 1:14pm 11

That sounds like it has the potential to be a really slick heuristic. “You seem to be using X app… here’s why that might be a problem.” On the other hand, there might be a higher risk of false positives than with a “50%+ Chinese characters” heuristic. I’ll have to defer to folks who know more about app development.

johanw666 (Johanw666) November 23, 2019, 1:18pm 12

Well, it has sometimes uses if you want to launch another app from an app with an intent. For example, if your app includes a user manual in pdf form and wants to show it in the standard pdf reader on the device. If there is no pdf reader you want to give a warning explaining the issue.

Code to heck it is really easy, see this article on Stackoverflow how to do that.

The asked for checksum would require to locate the installed apk and read it, which requires root. And split apk’s would make it even more difficult.

wrapper (Bobby) January 12, 2021, 2:40pm 13

Just here to bump this issue as it is clearly still relevant and is quite concerning that Signal isn’t offering a response?

newuser January 12, 2021, 3:00pm 15

There was a lot of discussion on warning users that notifications could also be logged. It seems like there are a lot of problematic things in Android that people need to be aware of and protect themselves accordingly. I’m not sure how much of a role Signal should play in that or even if it needs to.

Other things I can immediately think of:
export a photo?it might get stored in some cloud service
listening to a voice note? the digital assistant might also be listening to it

wrapper (Bobby) January 12, 2021, 3:18pm 16

I understand the argument. The issue is that with the huge influx of new users, Signal do have a responsibility to flag such potential security flaws.

It seems like a pretty obvious thing for them to offer an untracked keyboard option in the app anyway, like some banking apps do. Or just a warning to ensure your Android device is secure.

jwithing (Jeff) January 12, 2021, 3:24pm 17

I agree that Signal should warn users who are using insecure IME. Signal has a responsibility to clearly communicate attack vectors to users, especially as an increasing number of less sophisticated users join the platform.

newuser January 12, 2021, 3:33pm 18

Do you mean the incognito keyboard setting or do you want them to include a keyboard of their own? If the latter, it probably could be a well vetted separate app that someone else provides.

wrapper (Bobby) January 12, 2021, 3:41pm 19

Incognito is a Gboard specific setting afaik. We can discuss potential solutions but ultimately the Signal team need to acknowledge this is an issue first

newuser January 12, 2021, 3:45pm 20

Obviously your keyboard can spy on you just like a keylogger. Are there Chinese keyboards which aren’t problematic?

FYI: you don’t need any additional permissions and you don’t need to collect info about installed apps for that. Android provides an API to determine current IME by just one line of code:

val currentInputMethodName = Settings.Secure.getString(getContentResolver(), Settings.Secure.DEFAULT_INPUT_METHOD);

valldrac January 12, 2021, 5:17pm 22

It is also possible to get the signatures (the certificate fingerprint) of any installed package, without additional permissions.

See the flags GET_SIGNATURES and GET_SIGNING_CERTIFICATES. For example:

public static String getSignatureHash(Context context, String packageName)
        throws
        NameNotFoundException,
        NoSuchAlgorithmException {
    MessageDigest md = MessageDigest.getInstance("SHA-256");
    Signature sig =
            context.getPackageManager()
                    .getPackageInfo(packageName, PackageManager.GET_SIGNATURES).signatures[0];

    return (toHexStringWithColons(md.digest(sig.toByteArray())));
}