Signal-desktop: Feature Request: Lock App + Encrypted Database

Created on 2 Dec 2017 · 20 comments · Source: signalapp/Signal-Desktop

Since recently migrating from a chrome add-on, I feel we should revisit adding an optional lock screen & optional database encryption for the standalone application.

While FDE is totally an option, and something I already use, I would like to be able to lock the standalone application if I wanted to let a friend jump on my system to browse amazon or play a game, without worrying they might get curious and click on the application only to stumble on my private conversations without any type of wall.

Referencing #452, #550, #710, #790, #972, #1017

Labels: Feature Request, Standalone

All 20 comments

As previously discussed, you can use the guest account available in your OS of choice for that 'friend using my computer' scenario.

Maybe you can talk a little about why you feel things have changed with the Standalone app?

you can use the guest account available in your OS of choice for that 'friend using my computer' scenario.

Not necessarily, i.e. they need to work with your apps/data, so it makes sense to lock-protect the app.

Also the data should IMHO be stored only in an encrypted way, as even with FDE, once the computer is on, all the data is unlocked. A virus can access your conversations on disk. If the data is kept encrypted (in RAM also?) and on disk and only decrypted by the app when needed, this can be reduced.

A final touch would be if Signal could store its keys in TPM for extra security?

As a quick gut check, a few more questions:

  • When you lend your machine to a friend to use your apps/data, do you also log out of all web sites with persistent logins? Could they post to social media as you? Buy something on your favorite web store?
  • If they opened your email app, could they send email on your behalf?

do you also log out of all web sites with persistent logins? Could they post to social media as you?

Yes, I log off easily, as all "important" sites are logged in in the "porn view", so it's just a matter of killing a browser window.

could they send email on your behalf?

Could not, webmail. But I see your point, in many reasonable cases they could impersonate me (i.e. Skype, etc.).

I feel the thing is:

  • Signal is a niche, thus it's used a) by privacy-freak friends, b) for sensitive data, therefore the extra layer of security would be welcome.
  • As you say, Skype and Telegram do not have it, so it would be a bonus feature over them.

I was looking into the "Implementation POV":

  • encFS could be used to encrypt, and unlock on demand, Signal's data folder?
    • that would also "break" the app's functionality (intended), so all we'd need to un/lock Signal is:
    • Signal depends on encFS containers; data is stored in one
    • add a GUI button "Log On/Off" that would open the container
  • there are "privacy container" apps on Android that do just that: hide & disable an app/folder and ask for a password to access it. Does something like that exist for desktop Linux (open source)?

I totally agree with @breznak about at least a configurable password protection. I can spend some time on developing this feature if you think it's nice to have. In fact, I think having two passwords would be great to have:

  • One decoy password, which unlocks the UI in an alarmed state that shows empty chat windows for selected contacts or hides them totally.
  • One real password to unlock the app back in normal state.

Who talked about being privacy-freak? :)

Decoy behavior is not something we've put in place on any of the Signal apps, so I don't think we want to do that yet.

Regarding the password, you're welcome to start brainstorming visual designs and potential code changes, but we're not ready for a pull request yet.

I'm not in a hurry either :) I have lots of things on my desk, but still, I would like to contribute as much as I can.

fwiw, I really like the idea of a Lock function/button for the desktop app, too. Something like the way it is on the Android app would be great. I'd make it myself if I knew how.

On Mac consider encrypting locally stored data with key stored in Apple's Secure Enclave, available on most recent Mac platforms: https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave
It would require explicit user action (touch id or account password) when starting Signal.
I understand that improvement in security (assuming drive already encrypted by FileVault) is minor, but it's not nonexistent. Defence in depth and all that.

In addition to what is mentioned by @resu, I also suggest encrypting the encryption key, which is sitting in plain text in $HOME/.var/app/org.signal.Signal/config/Signal/config.json (on Linux), with the app password. Protecting the encryption key with FDE is not an option, since it does not defend the key in case of malware.

Paging @scottnonnenberg , @canerelci

On Mac consider encrypting locally stored data with key stored in Apple's Secure Enclave, available on most recent Mac platforms: https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave
It would require explicit user action (touch id or account password) when starting Signal.
I understand that improvement in security (assuming drive already encrypted by FileVault) is minor, but it's not nonexistent. Defence in depth and all that.

I'm new to the desktop app (macOS) and I'm surprised there's no way for me to lock the app, whether manually or automatically. Setting timeouts and reauthentication for local users is basic op-sec

I'm surprised there's no way for me to lock the app, whether manually or automatically. Setting timeouts and reauthentication for local users is basic op-sec

+1 for me. I find it weird that I can lock my app on mobile but not on my computer. It makes no sense!

On Mac consider encrypting locally stored data with key stored in Apple's Secure Enclave, available on most recent Mac platforms: https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave
It would require explicit user action (touch id or account password) when starting Signal.
I understand that improvement in security (assuming drive already encrypted by FileVault) is minor, but it's not nonexistent. Defence in depth and all that.

I'm new to the desktop app (macOS) and I'm surprised there's no way for me to lock the app, whether manually or automatically. Setting timeouts and reauthentication for local users is basic op-sec

Ikr. This is a much needed feature as Signal is often referred to as the golden standard of private messaging. If its desktop client is vulnerable, it kinda defies all the benefits of having a robust mobile app imo.

Doesn't the android client have a similar vulnerability? It has encrypted storage, but how is the key stored?

First of all, signal-desktop needs to have encrypted local storage. Critically, the user should be able to configure signal to require a user-entered password to decrypt the local storage upon startup. This may require changes in both desktop and mobile.

This vulnerability means someone can log in as you and spy on your future conversations from another device. It would be great if Signal servers could help combat this by:

  1. Uniquely identifying each signal session.
  2. Recognizing a session has been compromised if it is logged in from multiple places at once.
  3. Invalidating compromised sessions so their keys can no longer decrypt new messages.

There's also a very practical use case where you're using Signal on a PC that's not your own, e.g. a company-owned device where your account is controlled by the company via active directory or the like, and they have the ability to change your password and log into the device as you once you leave the org. Having a pin or password on the app is a simple way to ensure your Signal conversations remain secure despite the fact that you don't have ultimate control over the environment you're operating in.

Absolutely would love to see this feature implemented. I understand all the conversations against it, but the above post explains it in full; not sure why the devs do not want to provide such an option: just an additional layer of security.

Telegram has something like this implemented: every few seconds the app window gets blocked, requiring a PIN to unlock.

I was shocked to see that Signal Desktop is unencrypted; I could extract everything.
This makes Signal Desktop a security risk and users should be warned that if you install it, your security level decreases dramatically.
I have FDE but still, I don't trust every application that I install not to spy around (like the Chrome browser), same on Android.
A secure system like Signal should never trust that nothing is installed on the machine that spies (without the user knowing). Malware, etc. could just copy all the databases.

If somebody knows of a fork that implemented something like this, that would be great.
Leaving Signal unencrypted is like storing your passwords in plaintext in your browser or never locking your password manager; every application has complete disk access to it.
This makes taking over a session easy if the key is not encrypted.
Maybe getting Signal into the Windows Store would help (I know that then Windows has some control over it, but I am not sure; Windows apps are more containerized and you could probably use TPM and Windows Hello integration, which would be vastly more secure than now).

Hope that Threema when they implement Multi-Device Support will do it right and hope that Signal goes the right way.

I think Signal is a great, great product, but what I hear and read and get is that insecure ways are defended.
Like SMS encryption, this was a signature part of Signal and I can't get other people using Silence with not fresh UI + Signal. Either keep encrypted SMS or get rid of SMS completely. It seems like a security downgrade. So now I have to try to bring both together myself, if I want to use it and then to distribute it to friends and somehow keep them updated.

I was rather astounded to learn that this application stores ALL Signal conversations in plaintext. Even if you have sensitive, secure conversations on Signal, linking the desktop app to the mobile app immediately defeats all protection on every conversation.

While I get the idea of FDE, implementing even the most basic of encryption for messages is absolutely essential in my humble opinion.

True. It's the same reason a password manager is locked and only unlocked in RAM, so no app or the like can extract all passwords. Private messages could be of similar value for protection as your passwords.
It would be very bad to keep a password manager in plaintext on disk.

I know that malware can get any data once on the PC, but it can still be mitigated for malware that just copies files from disk. Otherwise locking a password manager would be just as useless, and it is done on every one you can find (even the less secure way of saving them in a browser can be protected via a master password or via Windows Hello).

Just thought maybe to make a script that encrypts the key and pictures when closed, better than nothing, but problem: unencrypted data on disk while opened. Unencrypted data should only be in RAM.

What I'm surprised by is that people learned about this issue so late. This has been publicly reported since Oct 2018 and here since 2015 (#452).