Yeah, the most shady part of this is that SimpleApps’ code was available on GitHub. They could have just used that and uploaded it to the Play Store.
Why did they buy it from the developer instead? Because thousands of people already had these installed, so when buying it from the developer they get to push their new, ad-infested versions to the unwary users who had the apps installed.
This is a very dark pattern IMO.
There are a bunch of good FOSS Lemmy clients, which I’d argue are as good as Sync or Boost (I can’t know for sure since I don’t use proprietary software, I judge by the screenshots).
Jerboa sucks, I’ll give you that. But both Voyager and Eternity are high quality clients that work amazingly well and are constantly updated. They have plenty of features and are very configurable.
How can I intercept this traffic quickly?
Assuming an Android app, this is the app that I use: https://www.f-droid.org/en/packages/com.emanuelef.remote_capture/
If you’re building a program for desktop, Wireshark works great.
In that case, you’d be better off not using Google Messages. According to the discussion I linked there seem to be a few other proprietary RCS clients in the Play Store, other than Google’s and Samsung’s. Not sure of this myself, but it’s worth looking into it.
If you don’t want to install Google Play services, your best bet is trying your luck with any RCS client other than Google’s. Even Samsung’s (if it even works outside of Samsung phones) has a bigger chance of working without Google Services installed.
Once you find one that works on a degoogled Android, just follow the usual recommendations: install it in a separate profile, give it as few permissions as possible, maybe a VPN if you don’t want them to get your IP (although given that your RCS provider will probably be your ISP this might prove pointless), etc.
And remember to assume that it is not private at all and they are harvesting all your metadata. The encryption is proprietary too, so there’s that.
Edit: I just remembered that encryption is probably exclusive to Google Messages. So you’re screwed, I highly doubt Google Messages will work without Google Services.
I’m guessing that in the near future when Apple launches RCS, we will have more options in Android too. So just keep up with the RCS news.
Google’s implementation of RCS is proprietary and that’s what most providers use. Relevant discussion here:
https://forum.f-droid.org/t/rcs-supported-message-sms-mms-app/13423
If you’re a developer, there’s a very easy and practical way of testing this without trusting anyone’s (not even Google’s) word:
Compile the most basic of Flutter apps or some demo and see if the app makes any kind of request to the internet.
Edit: a single web search reveals that Flutter does indeed have Google telemetry enabled by default. Developing your web searching skills is a good habit for developers.
Telegram has been leaking your IP to your chats and calls for months: https://techcrunch.com/2023/11/03/psa-chat-call-apps-reveal-ip-address/
Its encryption algorithm (only used in secret chats BTW) is proprietary, which is a huge red flag.
Have you read the article I linked?
I didn’t say it was ultimately what funds Matrix, they sell servers too, but they collect data, that’s for sure.
Quoting the article here:
matrix.org and vector.im receive a lot of private, personal and identifiable data on a regular basis, or metadata that can be used to precisely identify and/or track users/server, their social graph, usage pattern and potential location. This is possible both by the default configuration values in synapse/Riot that do not promote privacy, and by specific choices made by their developers to not disclose, inform users or resolve in a timely manner several known behaviors of the software.
Data sent on a potential regular basis based on a common web/desktop+smartphone usage even with a self-hosted client and Homeserver:
The Matrix ID of users, usually including their username.
Email addresses, phone numbers of the user and their contacts.
Associations of Email, phone numbers with Matrix IDs.
Usage patterns of the user.
IP address of the user, which can give more or less precise geographical location information.
The user’s devices and system information.
The other servers that users talk to.
Room IDs, potentially identifying the Direct chat ones and the other user/server.
With default settings, they allow unrestricted, non-obfuscated public access to the following potentially personal data/info:
Matrix IDs mapped to Email addresses/phone numbers added to a user’s settings.
Every file, image, video, audio that is uploaded to the Homeserver.
Profile name and avatar of users.
This is good reading on XMPP
https://privacy.awiki.org/im.html#XMPP
And one about matrix
https://hackea.org/notas/matrix.html
I think that XMPP is obviously the superior choice here. Matrix is funded by venture capitalists that need to make money some way and they are actually collecting users’ data for that.
Not on a daily basis, but I like to browse Freenet occasionally. It’s interesting that sites uploaded to Freenet are up as long as people visit them, no matter if the original uploader is long gone. It acts as a decentralized Wayback Machine.
Beware that iirc, unlike Tor and I2P, Freenet leaks your IP, so I recommend using a VPN.
Edit: I was talking about the “old” Freenet, recently renamed to Hyphanet. I haven’t used the new Freenet, which apparently is different in design. https://www.hyphanet.org/freenet-renamed-to-hyphanet.html
Website hosting companies tend to need your real name, real address, and real billing info to verify those things are correct. Isn’t Medium more private, because you don’t need to feed it any of that?
No, if you know where to look. Medium is just awful. There are too many things wrong with Medium that I won’t elaborate here, but I’ll leave some sources:
The alternatives that I recommend in my comment have decent privacy policies and are not even close to being as abusive as Medium is. They are also free software.
Here are some decent server provider recommendations for self-hosters which require neither your real name nor billing address, in case anyone is interested.
Neither GitHub, GitLab nor Medium are private. Stay away from those.
Especially from Medium. Medium has been trying to centralize and paywall the previously decentralized and open blog ecosystem.
I recommend bearblog.dev which is more akin to Medium, where you don’t need to create the website, you just write the content.
neocities.org is more similar to GitHub Pages, they host a static site for free. Although you’d be better off using a cheap VPS.
Avoid the likes of tumblr, netlify, vercel and a long etc. They all have important privacy issues or open access of information.
I personally don’t like Tutanota for a lot of reasons. The other day I recommended Tutanota to someone that needed a new email account and they weren’t able to create the Tutanota account using Tor. They tried using a VPN and they weren’t able to. Tutanota said their IP address was being used for abuse.
What’s the point of a private email if you block anonymizers?
Some people might find a use case for it, of course. And their post advocating against anti-encryption laws is good. But I don’t think it’s a good email provider and I won’t be recommending them again.
I’m totally against anything proprietary. That’s the first requisite for anything I use. And I’m not advocating for proprietary algorithms at all, that would be very much the demise of encryption.
I’m just worried that a sufficiently influential actor (let’s say a government) could theoretically bribe these institutions to promote weaker encryption standards. I’m not even saying they are trying to introduce backdoors, just that like the article suggests they might bias organizations to support weaker algorithms.
AES 128 bits is still considered secure in public institutions, when modern computers can do much stronger encryption without being noticeably slower.
Their clients use the same JS implementation, they are the web version wrapped in Electron.
The major problem with these JS implementations (including Proton and any other program that uses JS for encryption) is that it would be trivial for them to grab your private key from your browser and send it to their servers. And yes, we have the code. But it’s virtually impossible to verify that the code they are sending to your browser each time is exactly the same one that they publish on GitHub, after JS minimizers and all that.
A third party that found a vulnerability in a browser could also inject their own JS and steal your private keys.
You’re obviously right about everything else and email’s inherently insecure nature.
I still find it useful because it’s the only online communication channel that is widely adopted, that can be self-hosted without depending on third party servers or you can simply choose a provider you trust. I’d love to have that with XMPP or SimpleX or something like that, but currently we’re stuck with email.
I’m perfectly aware of all that. But cryptography is such an extremely complicated discipline that even the most experienced mathematicians have a hard time designing and scrutinizing an algorithm; they rely heavily on peer review. If one major institution like the NIST is biased by the NSA, they will have a bigger chance of compromising algorithms if those are their intentions.
Not if governments are compromising the encryption algorithms themselves.
Edit: source https://slashdot.org/story/420213 https://www.newscientist.com/article/2396510-mathematician-warns-us-spies-may-be-weakening-next-gen-encryption/
I’ve never had the need for any of those things. A text-only chat is a cleaner and better chat. Especially reactions, those are rather absurd and irritating.
Audio is definitely a different use case, and Mumble works great for that. You can just host both on the same domain and be done with it. You could even write a client that supports both IRC and Mumble if you wanted to, instead of constantly reinventing the wheel.
And I’m sure you could implement in-line images in IRC if you wanted, after all Twitch’s chat is IRC and they have images.
It’s probably some sort of Snapchat automatic alert detecting the words bomb or Taliban.