Element-android: Login/register: allow to set home server and identity server urls

Quickly done, will have to make it better later.

ID server is still vector.im

Why identity server cannot be changed?

This case was closed, is it not considered a bug?

Workaround: Block riot.im and vector.im using Blokada and login to a server not hosted on matrix.org.

Given the extensive research documents on privacy, @bmarty @ganfra could you please take privacy seriously and the time to do this right directly? We know how "later" will play out already.

@maxidorius I don't they gonna do it. See https://github.com/vector-im/riot-web/issues/7757
They want to lock the users in.

Quickly done, will have to make it better later.

Aye, any progress updated?
This issue may be fairly severe.

Also could this issue be reopened until it's fixed so it's easier to track?

RiotX doesn't use an identity server (there is a reference to vector.im in https://github.com/vector-im/riotX-android/blob/master/vector/src/main/res/values/config.xml, but it looks like that that's been copy+pasted from the original android app config - I'll file a bug to get that removed).

https://github.com/vector-im/riotX-android/issues/445 is the issue to track vaping the unused config.

RiotX doesn't use an identity server (there is a reference to vector.im in https://github.com/vector-im/riotX-android/blob/master/vector/src/main/res/values/config.xml, but it looks like that that's been copy+pasted from the original android app config - I'll file a bug to get that removed).

@lampholder RiotX does use Identity server, here (saved to Wayback machine) to be precise, which is used in the authenticate method. Funny enough it uses a hardcoded (yet again) value to vector.im defined earlier in the code. There are identity server references in other parts of the code as well. Please clarify what you meant by "RiotX doesn't use an Identity server".

Hi @maxidorius - in #445 I said that I found a reference to vector.im in the RiotX codebase easily, and there might be more, and all references to using vector.is should be removed becuase RiotX doesn't use an Identity Server.

Please clarify what you meant by "RiotX doesn't use an Identity server".

I'm not sure what the lack of clarity is here, but I'm happy to try and elaborate.

Identity Servers provide services to support contact discovery, namely: bulk contact lookup, individual contact lookup, and publicly binding your own email or phone number with your matrix ID. RiotX doesn't do any of that. So whilst as #445 says there are references to vector.im as an Identity Server in the RiotX code base (resulting from those parts of the code being carried over from Riot Android, IIUC), RiotX doesn't actually communicate with an Identity Server at all, so this URL isn't part of the live code execution. Its being there causes confusion, though, hence #445.

Of course, RiotX is open source software, and the benefit of open source software is that anyone can see precisely what the code is doing. So if despite our efforts and intentions you spot something that contradicts the above please do bring it to our attention!

https://github.com/vector-im/riotX-android/pull/446 removed confusing code.

Identity Servers provide services to support contact discovery, namely: bulk contact lookup, individual contact lookup, and publicly binding your own email or phone number with your matrix ID. RiotX doesn't do any of that.

@lampholder You're right, RiotX itself doesn't do that, instead it will use that info in the create room code (that just got touched (but not removed!) by #446) which is sent to the Homeserver which in turn, can use it. That's still being used. You might tell me that because RiotX doesn't support inviting people to room, it's not used and you would be right. But as soon as that is added, it will use code which is already there, which comes back to my original comment:

could you please take privacy seriously and the time to do this right directly? We know how "later" will play out already.

This is the "later" I am talking about: there is communication that there is nothing Identity related in RiotX and so nothing to fear, nothing to consider, nothing to do. Please handle Identity server correctly and don't leave anything to chance. If Identity server is not used, then get rid of the code for it, or comment it out, or actually implement it right.

Either way, having a hardcoded IS URL in the code itself is dangerous for privacy (and is still in there even after #446). The exact same issue exist in the current Riot: remove the config value in config.json and the hardcoded value in code takes over, which is vector.im again. This is a high risk point: Default settings matter. That is the topic of my first research document.

just to be clear, once again, RiotX does not implement any identity service functionality at all yet. This is why it does not expose an identity server URL. When it does get added, we will of course make it configurable and function in a privacy preserving manner in line with https://matrix.org/blog/2019/09/27/privacy-improvements-in-synapse-1-4-and-riot-1-4

IS URL in the code itself […] is still in there even after #446

@maxidorius And… where would that be? (I hope you're not referring to the one in the tests.)

I linked to #607 (FTR) and close this one