Saturday, 15 March 2014

WhatsApp or Android, who's to blame for appgate?


Hang 'em high!

Scandal! Stop the presses! Any app on your Android phone can steal all your WhatsApp messages from your SD card. Facebook didn't have to waste 19 billion dollars to read your chats. They could just have made the Facebook app grab your WhatsApps off your card. Someone's gotta get fired over this, right?

But who?

Let's blame WhatsApp

WhatsApp stores its message database and nightly backups thereof in plain sight on your memory card, no matter if your memory is built-in or added on a microSD card. That's great if you want to mix'n'match your WhatsApps and SMSs with apps like Backup Text for WhatsApp and SMS to Text, but not so great if you want to keep nosy apps out of your texts. Anything with SD card access can read along.

WhatsApp could easily have prevented this by encrypting your messages. They gave it a shot after the shit hit the fan, but so far without success. That's because WhatsApp used the same key to encrypt all messages from everyone. Yep, that's almost impossible to believe, but they really used a skeleton key to lock up your private chats.

So here's what WhatsApp should do: use a proper full-blown encryption method to protect the database that holds your messages. While they're playing with encryption anyway, full end-to-end encryption to keep Facebook and the NSA out of our chats would be most welcome too.

Of course WhatsApp should provide a method to let other apps into your messages if you allow them to. I don't want to lose Backup Text for WhatsApp and SMS to Text, and the long overdue multi-network app that includes WhatsApp needs access to your WhatsApps too. To cut a long story short: WhatsApp should encrypt its database and let us decide for ourselves who gets the keys and who does not.
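A developer or tester can check what an app leaves readable on shared storage with a short audit. The Python below is an added example, not code from WhatsApp or from this post; the `ExampleChat` folder, the file names and the 7.5 bits-per-byte threshold are constructed assumptions.

```python
import math
import os
import sqlite3
import tempfile
from collections import Counter

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every plaintext SQLite file

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8 for ciphertext, lower for plain data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: str, sample: int = 4096) -> str:
    """Label a file by its first bytes: plaintext SQLite, opaque, or other."""
    with open(path, "rb") as fh:
        head = fh.read(sample)
    if head.startswith(SQLITE_MAGIC):
        return "plaintext-sqlite"
    # Short samples under-report entropy, so require at least 1 KiB.
    if len(head) >= 1024 and shannon_entropy(head) > 7.5:
        return "opaque"
    return "other-plaintext"

def audit(shared_root: str) -> dict:
    """Map every file under shared_root (relative path) to its verdict."""
    findings = {}
    for dirpath, _dirs, files in os.walk(shared_root):
        for name in files:
            full = os.path.join(dirpath, name)
            findings[os.path.relpath(full, shared_root)] = classify(full)
    return findings

def build_sample_tree(root: str) -> None:
    """Constructed sample: one plaintext database and one random-bytes backup."""
    appdir = os.path.join(root, "ExampleChat", "Databases")
    os.makedirs(appdir)
    db = sqlite3.connect(os.path.join(appdir, "messages.db"))
    db.execute("CREATE TABLE messages (sender TEXT, body TEXT)")
    db.execute("INSERT INTO messages VALUES ('alice', 'hello')")
    db.commit()
    db.close()
    with open(os.path.join(appdir, "messages.db.enc"), "wb") as fh:
        fh.write(os.urandom(4096))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, verdict in sorted(audit(tmp).items()):
            print(f"{verdict:18} {rel}")
```

An `opaque` verdict only means the bytes look random. It says nothing about whether the key is unique per user, which is where the shared-key fix described above fell down.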

Let's blame Android

Android treats your memory card the same way your computer treats your hard drive. Apart from a tiny bit of protected storage (that mysterious ".android_secure" folder that tops the list in your file browser) anything on your card can be read, altered, deleted, stolen, smeared, raped, and tinkered with by any app that has the "storage" Android permission. Most apps have that permission, so anything on your memory card that is not encrypted is up for grabs. That includes all those naked selfies that you shot after emptying the final bottle.

But what about sandboxing? That works for the app-specific internal storage that you can only get at if you root your phone. It doesn't work for the storage that you can see on your computer when you hook it up with your phone's USB cable. If you give an app access to your memory card, it gets access to all of your memory card, including your private collection of wildlife movies.

But that's changing.

Let's blame Google

Recent editions of Android lock down your memory card, because Google hates microSD. They'd rather have you store all your data in their cloud services so their advertisers can take a peek. Starting with Android 4.4, apps can only read the "public" parts of your SD card, and they can't write anything outside their tiny little sandboxed piece of storage space.

That's good for privacy reasons, and bad for other reasons.

The good news is that this could prevent future WhatsAppgates. The bad news is that it will break a lot of useful things too. Save your email attachments with your mail app and edit them with another app? Forget it. Delete a picture from an alternative gallery app like QuickPic? Forget it. Zap old Nandroid backups with ES File Explorer? Forget it. The sledgehammer approach to SD card security is a disaster for cross-app access to files and folders.

Now what?

Locking down your external storage is a bad idea. It breaks too much, and forces us to move our data to the cramped and expensive built-in storage, or send it to the cloud and burn up our data and battery for no good reason.

Keeping everything wide open is a bad idea, because I don't want Obama snooping around in my WhatsApps.

Solution? Fix the broken Android permission system so we can decide for ourselves what app can access what. The "external storage" permission should be split into two permissions: "access to folders created by my app" and "access to the rest of the memory card." Anything that's too sensitive for the second permission should be encrypted by the app that made it, and then the user should decide who gets the keys.
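The proposed split can be written down as a small access check. This Python is an added example, not Android's code or part of the original post; the permission names, the `/storage/sdcard0` mount point and the `Android/data/<package>` layout for an app's own folder are assumptions.

```python
import posixpath

SHARED_ROOT = "/storage/sdcard0"       # assumed mount point of the memory card
PERM_OWN = "STORAGE_OWN_FOLDERS"       # hypothetical: "folders created by my app"
PERM_REST = "STORAGE_REST_OF_CARD"     # hypothetical: "the rest of the memory card"

def own_folder(package):
    # Assumed layout: an app's own folder is Android/data/<package> on the card.
    return posixpath.join(SHARED_ROOT, "Android", "data", package)

def _inside(path, folder):
    # Compare whole path components so "com.a2" is not treated as "com.a".
    return path == folder or path.startswith(folder + "/")

def is_allowed(package, granted, requested):
    """Decide one file request under the two-permission split."""
    # Collapse "." and ".." lexically so "own/../other" cannot pass as "own".
    # A real enforcement point must also resolve symlinks before this check.
    path = posixpath.normpath(posixpath.join(SHARED_ROOT, requested))
    if not _inside(path, SHARED_ROOT):
        return False                   # request left the card: never allowed
    if _inside(path, own_folder(package)):
        return PERM_OWN in granted
    return PERM_REST in granted

# Constructed sample requests from a hypothetical gallery app.
APP = "com.example.gallery"
SAMPLES = [
    "Android/data/com.example.gallery/cache/thumb.jpg",
    "ExampleChat/Databases/messages.db",
    "Android/data/com.example.gallery/../../../ExampleChat/Databases/messages.db",
    "Android/data/com.example.gallery2/notes.txt",
    "/data/data/com.example.chat/databases/messages.db",
]

def decide_all(granted):
    """Return the allow/deny decision for each sample request, in order."""
    return [is_allowed(APP, granted, p) for p in SAMPLES]

if __name__ == "__main__":
    for perms in ({PERM_OWN}, {PERM_OWN, PERM_REST}):
        print(sorted(perms), decide_all(perms))
```

With only the first permission the gallery app reaches its own folder and nothing else; the chat database becomes readable only once the user grants the second one.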

Until then, let's hope an Xposed module will fix what Android 4.4 broke.

Update: the Xposed module to fix external SD cards on KitKat is ready. It's called HandleExternalStorage. Grab your copy from the Xposed installer.


Sunday, 2 March 2014

Multi-network chat app imo commits suicide, Trillian is still alive



Remember back when you had to use a different app for each and every chat network? And then came apps like Trillian, Nimbuzz, fring, imo, etc. One app to talk to all your friends, even if they were scattered over different chat networks.

But multi-network chat apps are like lemmings. They bundle different chat networks, then they build their own, then they cut the other networks out, and then they die.

Nimbuzz dropped almost all third-party networks, and fring and eBuddy thought it was time to plug their own networks by yanking all the other chat networks out of their apps. Does anyone know if fring and Nimbuzz and eBuddy still exist?

And now imo decided to dig a grave for itself and jump right into it. There was a time back when imo connected to no less than 12 different networks, but I just received this farewell note from them:

Date: March 2, 2014
From: imo.im
Subject: imo discontinuing support for all third-party messaging networks
To: android underground

On March 3, 2014, we will start discontinuing support for all third-party instant messaging networks. We know change isn't always easy, but we hope our users will trust that this will make imo an even better service. You will be able to download your chat history on o.imo.im from third-party networks until March 7, 2014.

Yep, you read that right. I got a mail from imo late in the evening on March 2 telling me that the one and only reason why I use imo will be axed the next day. And I get less than a week to download a copy of my chat history. Guess what? When I tried to download my chats imo gave me an empty file!

First they rake in customers using Facebook, Google Talk, MSN/Windows Live/whatever M$ calls it now, VK, etc. as bait, then they spit out an app update that forces all users to make an imo chat account, and then they make that forced chat account the only network left in the app...

Bye imo.

They must be popping open the champagne at Trillian HQ now that their main competitor decided to kill itself.

Trillian
IM+
