Molly vs Signal: Convenience

Elgoog

I can unlock Signal with a fingerprint. Molly requires I type my passphrase, which, o'er Molly's recommendation, is long. Molly then locks again after a few minutes. On the whole, it's really quite inconvenient.

Is there a way to unlock Molly with a fingerprint? Would it be significantly less secure?

NoahRaketic

Elgoog You can disable the database encryption and enable screen lock if you want that convenience.

Elgoog

NoahRaketic Thanks. Am I correct in understanding that 1) leaving the database unencrypted significantly reduces security, and 2) there is no way to decrypt the database with as fingerprtint?

NoahRaketic

Elgoog 1) leaving the database unencrypted significantly reduces security

It depends. What kind of security, and against what kinds of attacks? You're still very secure against both physical and remote threats using Signal/Molly on GrapheneOS, even without database encryption.

Elgoog 2) there is no way to decrypt the database with as fingerprtint?

Not that I'm aware of, but theoretically it would be possible for an app to do that if the hardware (fingerprint reader and secure element) supported it.

harp

These are two different features. The database encryption with passphrase is a security feature added to Molly by it's devs. The original Signal app doesn't have that. The unlocking feature by fingerprint is a feature of the original Signal app and so also existing in Molly.

In Molly's preferences you can turn on and of the automatic locking of the database. And if it's turned on there's a setting for the time limit of that locking you can set between 1 second and 720 hours. Again, that's only for the locking of the encrypted database, the app lock with fingerprint is independent from that.

Sagebath

harp

How valuable is that encryption if only 1of 2 users uses that encryption?

harp

Sagebath It depends. You don't have to use the database encryption, it's just an extra security feature, you can leave the db unencrypted if you want. How valuable it is on an already quite secure system like GOS can everyone decide for themself. Different people have different threat models. But you can use Molly not only on GOS but also on more vulnerable systems, where database encryption and lock might make more sense.

Sagebath

harp
What does the encryption protect against? Is it added security on the device in case it was physically compromised, or securing the data while it's transmitted through the internet?

My threat model is mostly privacy from big tech collecting all my data. So I'm not that worried, but like to learn :) and what good is privacy if it's not secure?

harp

Sagebath Is it added security on the device in case it was physically compromised

It's on device security added. If the encrypted database is locked, it's much harder to get it's data if someone has physical access to the device. But only if the database is locked, which means the app is closed and not in use. If Molly is open while someone has physical access, there's no further value, but that's the same with all (device-based) data-encryptions like Bitlocker on Windows, LUKS on Linux or other filesystem-encryptions. GOS has a strong system-based encryption so Molly's database encryption might not really be a benefit on these devices except someone gets hands on the phone while it's unlocked (or it has a weak PIN/Password) and Molly is closed and it's encrypted database is locked at the same time. Chances of that happening are probably very slim. But on devices easier breakable it might be more valuable.

Sagebath or securing the data while it's transmitted through the internet?

No, therefor it's no difference using Molly's database encryption or not.

Sagebath My threat model is mostly privacy from big tech collecting all my data.

In that case the database encryption is irrelevant.

Sagebath what good is privacy if it's not secure?

In general you're absolutely right. You can have security without privacy but there's no real good privacy without security. That's why people here like GOS so much, cause that's a main part of it's philosophy, unlike many other "privacy-friendly" projects.