This is my absolute favourite kind of post on HN. It's got everything; intrigue, mystery, scandal and of course heavy on the technical side too. All packaged up in a compelling narrative.
There is software that lives up to these claims, it's Tinfoil Chat. The article is correct about the necessary trade-offs: due to peer to peer transport (onion hidden service 2 onion hidden service) both ends of the conversation have to be online -- it at least spools the message waiting for the recipient to appear.
The problem with these tools is that they're extremely complicated to set up and use. Grandma wants a phone number, not a v3 Tor Onion Service address.
If memory serves, I was once told by an IP lawyer that during the time period when you have a patent pending (regardless of merit) some unscrupulous types then leverage that face to juice their valuation to potential investors.
I had this same thought. The problems with this app are serious enough to be a danger for certain people who might rely on it (journalists for example)
It's actually kind of sad to see people actually using this and believing in the claims being made. And this is all supported by Google who, frankly, should be denying service to what should be considered spyware. I mean, I swear this type of app used to be considered spyware...
I wonder if there might be grounds for any users to sue based on the publishing of their personal data online and misrepresentation of the product and its security features.
cyclotron3k|2 years ago
crnkovic|2 years ago
joemazerino|2 years ago
jazzyjackson|2 years ago
For hole punching and signaling that has to be done by a third party, well, the third party is Tor.
TFC then goes on to break out the encryption and decryption machines from the network and passes messaging over opto-couplers to prevent your keys from getting exfiltrated. Qubes qrexec could similarly isolate the components.
https://github.com/maqp/tfc
crnkovic|2 years ago
I'm interested in usable E2EE messaging apps -- that's what I compared Converso to. Whatever this is (I will read the docs some day) is in another realm.
anaganisk|2 years ago
urbandw311er|2 years ago
lucakiebel|2 years ago
crnkovic|2 years ago
randyrand|2 years ago
I just checked and your blog post does not come up in the results for Converso.
tailspin2019|2 years ago
purecatprsn|2 years ago
haser92|2 years ago
jasonladuke0311|2 years ago
kotaKat|2 years ago
What are you, a cop?
jasonladuke0311|2 years ago
deepserket|2 years ago
r0xz|2 years ago
Seriously? What the fish?!
tailspin2019|2 years ago
Great investigative blog post!
TL;DR: Do not under any circumstances use or recommend “Converso”.
crnkovic|2 years ago
apollo_mojave|2 years ago
Have you by chance looked at the new update? Not that anyone should ever use this app in the first place, but I'm curious whether the massive vulnerability you discovered was fixed.
crnkovic|2 years ago
Which massive vulnerability in particular? You'll have to be more specific, haha.
I confirmed the Firestore collections had some kind of server-side security rules added before publishing the post.
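The comment above refers to server-side Firestore security rules being added after the fact. As an added illustration (not Converso's rules, which are not public), here is what the difference looks like: the catch-all rule that leaves every collection readable and writable by any client, next to a least-privilege ruleset. The collection and field names (`users`, `messages`, `senderId`, `recipientId`) are assumed for the example.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (assumed for illustration, not the app's actual rules):
    // any client, authenticated or not, can read and write every document,
    // which is exactly how user data ends up publicly enumerable.
    //
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // HARDENED: Firestore denies anything no rule explicitly allows, so the
    // absence of a catch-all is itself the deny-by-default. Grant only the
    // minimum below.

    // A user may read or modify only their own profile document.
    // Hypothetical collection name: users/{userId}.
    match /users/{userId} {
      allow read, update, delete: if request.auth != null
                                  && request.auth.uid == userId;
      // On create, restrict which fields a client may set.
      allow create: if request.auth != null
                    && request.auth.uid == userId
                    && request.resource.data.keys().hasOnly(['displayName', 'createdAt']);
    }

    // Only the two parties to a message may read it; only the authenticated
    // sender may create it; nobody edits history.
    // Hypothetical collection name: messages/{messageId}.
    match /messages/{messageId} {
      allow read: if request.auth != null
                  && request.auth.uid in [resource.data.senderId, resource.data.recipientId];
      allow create: if request.auth != null
                    && request.auth.uid == request.resource.data.senderId;
      allow update, delete: if false;
    }
  }
}
```

Rules are evaluated as "any matching allow grants", so a single permissive catch-all rule anywhere in the file undoes every narrower rule; review the whole ruleset, not just the collection you are worried about.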
ementally|2 years ago
"Man Creates Messaging App FBI Can't Crack and Anyone Can Download, Stopped at Airport Days Later"
I would just use SimpleX tbh [1]
[0] https://www.westernjournal.com/man-creates-messaging-app-fbi...
[1] https://simplex.chat
gerikson|2 years ago
> This article was sponsored by Converso.
aboringusername|2 years ago
It seems these days if your data ends up on a server that's A-ok! With all the talk on HN about the "GDPR" it sure seems like an absolute failure - where's the QC from Google looking at the code and proactively doing something about the real, potential harm that can come from this? It really seems if you want to harvest user data you can whip together an app that looks and feels okay, but behind the scenes is designed to do nothing but collect your data for whatever nefarious purpose the developer has in mind - and this is all 100% legal and the chances are whoever was involved will not even get so much as a fine!
Now there's an app that openly collects user data and is publishing it as a matter of public record, consequences be damned.
Android and Google need to take responsibility here and use Play Protect to treat the app as harmful and to better shield users.
This is an excellent write-up and investigation which is something Google should be doing to expose the dangers of their own platforms - hacking together a few API's/SDK's to mass harvest user data is absolutely not okay. Frankly, they should be legally mandated to review these apps in depth, and be provided full, unobfuscated source code, along with a detailed network-map of all URL's the app accesses, API keys etc and should approve (similar to Apple) before Android allows it to be used. If you install it outside of the app-store a very strong warning should be in place to let users know of potential spy/malware
I also discovered this app is actually on the play store [1]! And the app data safety says "No data shared with third parties Learn more about how developers declare sharing". It's an absolute JOKE this is not being enforced by Google at all. Shame on them.
I believe Mozilla did an investigation and found most apps are outright LYING about their "data safety" so that feature is beyond useless when Google doesn't actively moderate it.
[1]: https://play.google.com/store/apps/details?id=com.conversoap...
ssss11|2 years ago
crnkovic|2 years ago
urbandw311er|2 years ago
randyrand|2 years ago
This big question — who is paying to develop this terrible app and why? Do they know it’s terrible?
egberts1|2 years ago
Good job, keep it up.
tortoise_in|2 years ago
Michelangelo11|2 years ago
compilator1|2 years ago