

Dear fans of messenger comparison sports,

How does it factor in that on #deltachat there are many apps that can be used in a chat without requiring a login or even a privacy policy ... And the apps all work like cryptpad but automatically and without requiring any server side hosting?

Editing documents and checklists and calendars are all safely end-to-end encrypted without a server and anyone can write new #webxdc apps permission free.

Which other cross-platform messenger offers this?
[Image: 24 webxdc app logos, from games, editors and calendars to checklists]

A default available list of apps https://webxdc.org/apps
Telegram xD
On Telegram you're tied to their platform and require their permission. There is no End-to-end-encryption.

As such, criteria not fulfilled.
moreover Telegram apps talk to an https server -- they are more like regular web pages with some access to Telegram social API. And indeed, Telegram and their app developers see everything in cleartext, including the whole social graph etc. In Matrix apps are called Widgets but are also hosted, tied to Element Inc's servers, and also widget developers/hosters see all user actions, there is no E2E there. There also is WeChat in China with Mini-apps. Same problem as with TG


I so wish I actually could get WebXDC working on any of the platforms I care about x3
it sounds to me like a haven for insecure side channels. "Wow a bonanza of apps to connect to my secure messenger which doesn't use a secure ratchet" sounds like a punchline. For now I'll keep using an e2e messenger that doesn't offer this feature.
@ryanprior

if you like to know about all the gory details of how we isolate apps from getting at any side channels, see this discussion which also includes a security audit by Cure53 https://delta.chat/en/2023-05-22-webxdc-security

And yes, it's maybe not perfect, but it's not just yet another web view that has arbitrary access. Also, even if an app manages to break isolation, it has no access to the social graph at all. See https://webxdc.org/docs/spec/selfAddr_and_selfName.html for what is exposed to apps from the messenger side.
increases code base and therefore potential attack vectors. Why can't a messenger just be a messenger? 🙄
@ryanprior @risottobias apps like checklist or "split bill" are less than 100KB.

The Pixel app is 241 lines of Javascript without any dependency: 3900 bytes including an icon. https://codeberg.org/webxdc/pixel/src/branch/main/script.js

#webxdc apps are very very minimal and all come with inspectable source code. There are no http requests at all. So it's not even that hard to verify there are no side channel attempts in most existing apps. An app literally is a zip-file btw, see also https://delta.chat/en/2025-01-23-webxdc-no-billionaires
thank you, I will be reading these links. It seems like you strongly believe in your mitigations here, and if that's the case, I would brag about this relentlessly and mention it every time you mention availability of apps.
I don't even mean the isolation.

I mean the /app store/-ish part of this.

being phished into installing a malicious app?
being typosquatted into installing a malicious app instead of a good one?
an app being maliciously updated?
a vulnerable app not being updated?
a lack of community review?
these general app store considerations and critiques are valid but have no meaning in the context of #webxdc apps. They are zip files, anyone can put them into a chat. Anyone can curate/maintain their own list of interesting zip files. https://webxdc.org/apps is just a community collection. Users don't need to go there to get or use an app. Apps also don't get updated in-place. Once posted, they stay exactly the same.
I'm nodding along with all this. Before I'd adopt Delta chat or any similar platform I'd have to understand how it disempowers bad actors and sloppy users.
apps and app stores have such a bad security track record that the original post in the thread, touting Delta's many apps, comes off as very cavalier about security. Then you put yourself in the position of having to backpedal, explaining how your apps are different and safe. Maybe true, I still need to read and educate myself; but counterintuitive at minimum!
not everybody is deep into security (e.g. the billions of users of WhatsApp or Telegram). We choose "app" and "app store" terminology because it's what people understand, and have an idea what they can do with it. We have gone through serious security scrutiny and efforts, some hundreds of hours. Dismissing this out-of-hand is your sovereign choice of course.
even if the app doesn't do any I/O at all, it can show a very official looking statement that looks like it's from my bank telling me $5000 has been deposited in my account, and it doesn't have a URL I can check to see whether it really is my bank's website or not. If it's an app on my security-focused messenger, it must be secure, right?

I am inclined to say it's irresponsible to ship an unaccountable open app platform with Delta chat or any secure messenger.
the Web is an amazing open platform for apps, and it's also full of scams and abuse. I would hope a security focused platform would do better than to say "ship whatever apps you want, we won't exercise any oversight." That's just washing your hands of the responsibility.
in the classic app world you are right. with webxdc not. But we are running circles here. We have written down a lot of security details and pointed to it. Not much more we can do here.
I won't dismiss it out of hand, I appreciate the effort you're putting in and will educate myself before making firm conclusions. I hope my comments provide useful perspective from somebody who's security conscious but doesn't know much more than surface level info about Delta chat.
thank you again!
it's pretty useful to hear your security-conscious/experienced view without knowing much background. We don't claim it's perfect but we are making a serious effort there (and chromium is the biggest enemy, as you'll see if you read the webxdc-security-audit post)
- each webxdc app includes a link to the source, both in the app store, and when you run the apps. Usually codeberg or github.

- most apps are final. This is not Android/iPhone app ecosystem where you constantly need to update in order to even still be runnable for users. for example, the checklist app. it was written one year ago. it still works unmodified. If there is a newer version you can use it in future travel planning. Old ones are unmodified.
It probably also helps to understand that the appstore is only there for convenience. WebXDC apps are effectively shareable entirely without one.

If someone wants to send you a malicious WebXDC app, they don't need the store to do so.

That said there are message requests so if someone randomly finds your QRCode/Link and then sends you a malicious WebXDC, you can simply press Reject on the request
how bad is it if I don't reject the request though 👀 that's what I really wanna know. Because I sometimes accept things I shouldn't have. Part of the reason crypto coins suck is because pressing "accept" on the wrong thing sends terrorists all your money. That's part of my security model.
Not that bad, really

WebXDC apps don't have access to chat contents outside of what they themselves set (i.e. a game only has access to its own data), are self-contained, run offline (i.e. no access to outside of the chat), and make use of the webview's sandboxing which tends to be quite strong (makes sense, malicious websites have to run under the same sandbox and not escape)

They also don't have access to much profile data, really just the name which can be changed at any time. When they send messages they can only send special status messages (i.e don't show up as being from a user). The WebXDC standard has also undergone a security audit so it generally follows good practices

The worst that happens is it stores a bunch of garbage data in a chat, from what I can tell. It can't even send your data anywhere cuz it doesn't have internet access; Except to your contact, which it can build an E2EE connection to with Iroh

but that shouldn't matter because in a freshly opened chat there's no data to forward anyways, and none a threat actor wouldn't have access to already anyways
I send you an app that looks like I'm sending you something you need, you just gotta log in to a website, and you for whatever reason of brain fog or ignorance trust the app, then the app sends me your password and 2fa code. There's no app store I can get banned from, nobody can post reviews of my app, it has source code attached to it making it look like it's normal and reviewable but there's no indication or requirement that anybody's actually reviewed it. Correct?
For most attackers it's probably easy enough to just make you click a link that they send you in any messenger or e-mail. Why send a webxdc app when you can just send a link or a "DHL delivery status update: Your package is delayed, please visit this link ..."?

Also the webxdc app would be on your phone as a zip file, and whatever it does can be analyzed.
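As an added example (not code from this thread or from the webxdc project), here is a small Python checker that treats an .xdc bundle the way the posts above describe it, as a plain zip anyone can open and read: it confirms an index.html entry point, pulls source_code_url from manifest.toml, and flags browser network primitives in bundled JS/HTML, which a webxdc app has no use for. The file layout and manifest key follow the public webxdc spec; the two sample bundles are constructed in memory so the script runs offline.

```python
import io
import re
import zipfile

# Browser primitives (fetch, WebSocket, hard-coded URLs) that would let an app talk
# to a server; webxdc apps have no network access, so any hit deserves a closer look.
NETWORK_PATTERNS = {
    "fetch": re.compile(r"\bfetch\s*\("),
    "websocket": re.compile(r"\bWebSocket\b"),
    "external_url": re.compile(r"https?://[^\s\"']+"),
}
# Minimal parse of the manifest's source_code_url line (no TOML library needed).
SOURCE_URL_RE = re.compile(r'^\s*source_code_url\s*=\s*"([^"]*)"', re.MULTILINE)

def inspect_xdc(data: bytes) -> dict:
    """Inspect one .xdc bundle (a plain zip) given as bytes and return findings."""
    findings = {"has_index": False, "source_code_url": None, "network_hits": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["has_index"] = "index.html" in names
        if "manifest.toml" in names:
            m = SOURCE_URL_RE.search(zf.read("manifest.toml").decode("utf-8"))
            findings["source_code_url"] = m.group(1) if m else None
        for name in names:
            if name.endswith((".js", ".html")):
                text = zf.read(name).decode("utf-8", errors="replace")
                hits = [k for k, p in NETWORK_PATTERNS.items() if p.search(text)]
                if hits:
                    findings["network_hits"][name] = hits
    return findings

def concerns(data: bytes) -> list:
    """Reduce findings to review concerns; an empty list means nothing stood out."""
    f = inspect_xdc(data)
    out = [] if f["has_index"] else ["no index.html entry point"]
    if not f["source_code_url"]:
        out.append("manifest.toml lacks source_code_url")
    return out + [f"{n}: network primitives {h}" for n, h in f["network_hits"].items()]

def build_sample_xdc(script: str, manifest: str) -> bytes:
    """Build a constructed in-memory .xdc so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.toml", manifest)
        zf.writestr("index.html", "<script src='script.js'></script>")
        zf.writestr("script.js", script)
    return buf.getvalue()

# Constructed samples: a self-contained app, and one that tries to phone home.
CLEAN = build_sample_xdc("window.webxdc.sendUpdate({payload: {done: 1}});",
                         'name = "Checklist"\nsource_code_url = "https://example.invalid/checklist"\n')
SUSPECT = build_sample_xdc("fetch('https://example.invalid/collect');", 'name = "Helper"\n')
```

Running it on a real bundle is the same call on the file's bytes: concerns(open("app.xdc", "rb").read()).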
the difference is we've got years of training that email/sms are insecure and you have to mistrust every email. If I migrate somebody to a secure messaging platform, why would I choose one that supports unaccountable ad-hoc app delivery where I'm gonna have to do the same work training folks that you have to mistrust every app? It would be helpful if there were some kind of app reputation where I can discover people say this is a scam, or my friend endorsed this, etc.
Is there something that can send and receive location data, like #zoodlocation? Need a replacement for it on the "desktop" (Linux mobile).
in advanced settings "experimental" there is on-demand-location streaming but it might not work stably currently. didn't get around to mainlining it yet.
Hehe - there is no factor :msnsmile:

There is only Signal where you can read about upcoming wars and bombings :blobamused:
We already had Discord and Telegram, and all the mainstream news for this. If anything, we need more places where we don't get to read about wars and bombings.