Molly notifications with the screen locked

Anti2030

Hi team, I just installed Molly on a Pixel 9 running Grhenos. I installed version v8-7-2-1 of Accrescent. When the screen is locked, I don't receive calls or messages. I uninstalled the app and reinstalled it, but I'm still having the same problem. I installed Signal from GitHub, and I can receive calls and messages even when the screen is locked.
Is there a specific setting to fix the Molly issue?
I’d prefer to use Molly over Signal. Is the GitHub version of Signal without Google services notifications secure?
Thanks in advance

Dan-Jessen

Anti2030 have you activated the passphrase encryption? I know this stops notifications for me but when not on or locked its fine

Anti2030

Dan-Jessen If I've enabled password encryption, can I still receive calls and messages with the screen locked if I don't enable password encryption?
Why does it work on Signal but not on Molly when the screen is locked?

Dan-Jessen

Anti2030 when the screen is locked yes, but not after the passphrase is installed from my experience

harp

Dan-Jessen but not after the passphrase is installed from my experience

It's not setting the passphrase itself. When the passphrase is set and then - after using Molly - the database (Molly) will be locked - either you do that manually or in Molly's settings is a timeout set, so after the time Molly not used it closes and locks the database automatically. If you unset the tiemout, you should get notifications.

Anti2030 Why does it work on Signal but not on Molly when the screen is locked?

It doesn't depend on screen locked or not. The reason I described before. Signal doesn't provide database encryption, so that won't happen.

But you can use database encryption in Molly with being able to get notifications although the database is locked. It depends on the used notification method you set in Molly. What you have is only an issue when you use the built-in websocket method for Molly-notifications. You can alternatively use Google FCM (Play Services) or better Unified Push.

Edit: I've read the opening post again seeing it's also on receiving calls. With database locked and using Unified Push you would just get a notification that somebody tried to call you. You wouldn't be able to answer the call directly from the lock screen. I don't know if that's even possible with Molly with unlocked database. Maybe you need to grant telephone permission to Molly or you need Play Services? Never tried that.

Anti2030

harp I'm using WebSocket for Molly notifications. I don't use Google services on my phone, and as far as I understand, Unified Push works best with a self-hosted server, which I can't set up right now.
What's the issue with Molly when I have it configured with WebSocket notifications?
When you get a signal from GitHub, where do you receive the FCM notification?

Johnnyloans

Anti2030

Try websockets and unified push for a while and decide which is best for you.

I would recommend not self hosting unified push. It's easy to be misconfigured or not update promptly. You'll open yourself up to get hacked.

Anti2030 When you get a signal from GitHub, where do you receive the FCM notification?

I don't know what this means. The first half is totally wrong. Just try the 2 options available and decide which is best.

harp

Anti2030 What's the issue with Molly when I have it configured with WebSocket notifications?

I described it in the post you answered to. If you use Molly's database encryption (you can use it without, if you like) and lock Molly (the database), either manually or by timeout, you won't get notifications until you open Molly again. Many people use Molly with built-in Websocket and without locking.

Anti2030 Unified Push works best with a self-hosted server

Why do you think so? Some people think, it's a bit better in privacy if you don't have to trust another party (who runs the Mollysocket and UP-servers). But that doesn't mean it works "best" that way. And there are a couple of providers who are trusted by many people. And maybe much more important:

Johnnyloans I would recommend not self hosting unified push. It's easy to be misconfigured or not update promptly. You'll open yourself up to get hacked.

So:

Johnnyloans Try websockets and unified push for a while and decide which is best for you.

And your last sentence:

Anti2030 When you get a signal from GitHub, where do you receive the FCM notification?

I also don't really understand what you mean! "get a signal from GitHub"? Do you mean installing the Signal app from Github? AFAIK you can use Signal not only with Google FCM but also with Websocket. I never tried that, but have read that configuring Websocket is not as easy as for Molly. With Molly you have all the three options for notifications, FCM, Websocket and Unified Push.

Anti2030

harp If I install Signal from GitHub, which of these three services—FCM, WebSocket, or Unified Push—will I use to receive notifications in Signal?
I'm asking because I tested it with Signal, and I receive calls and messages even when my phone's screen is locked, which isn't possible with Molly.

Dan-Jessen

@harp this is my experience also, locking molly when passphrase is toggled, stops notifications.

Anti2030

Dan-Jessen I need to receive notifications on Molly when the screen is locked, and I also need to receive calls on Molly when the screen is off. Right now, in order to receive calls, I have to be inside the app, and the same goes for reading messages. Honestly, I’m not sure what the easy solution to this problem is.

harp

Dan-Jessen this is my experience also, locking molly when passphrase is toggled, stops notifications.
No, not only if this toggle is on.

That only happens if Molly/it's database is locked when this toggle is set. That's a well known fact and inherent in the way the database locking works and mot a "bug" or something else. As described the database is locked either manually - klicking the three-dots-menu in the upper right corner>lock Molly - or automatically if a timeout is set for locking in the preferences, which can be e few minutes or hours - or turned off, of course. If no timeout is set and you just "close" Molly by swiping the GUI it's not locked and you'll get notifications through built-in websocket. For FCM or UP database locking doesn't matter.

Anti2030 I need to receive notifications on Molly when the screen is locked, and I also need to receive calls on Molly when the screen is off.

For clarification: Screen lock and Molly's lock are completely different things and are not related. If Molly is locked, you won't get notifications via websocket, if the screen is locked or not.

Anti2030 If I install Signal from GitHub, which of these three services—FCM, WebSocket, or Unified Push—will I use to receive notifications in Signal?

Signal doesn't support Unified Push. You can use Google FCM - you need sandboxed Google Play Services installed. Or the built-in websocket - because Signal doesn't provide the database encryption like Molly, it should work - at least for notifications. But you receive the same with Molly if you don't set a passphrase for database encryption or don't lock Moööy/don't set a timeout.

I don't know about answering Signal-calls on GOS directly from Lockscreen because I've never tried that. As written before maybe the app - Molly or Signal - needs telephone permission for that, but that's just a suggestion.

Anti2030

harp Don't you think that leaving Molly without setting a database password or a PIN would be a security and privacy issue?

Anti2030

harp So what you're telling me is that I have to leave the Molly app without encrypting the database and without setting a PIN just to be able to get notifications and calls when the app is locked?

MyIdentityIsntImportant

Anti2030 Don't you think that leaving Molly without setting a database password or a PIN would be a security and privacy issue?

This is a question you'll have to answer yourself based on your personal threat model. To me personally it's not.

If your phone has a (proper) lock screen method that you can trust, Molly's data is already encrypted by the OS. Any physical attackers wanting to get access to Molly's data would have to go through that first. Also, assuming that your device isn't compromised by malware, other apps can't read Molly's data as per Android's sandboxing rules.

Adding Molly's own database encryption doesn't really add much security to that setup in my opinion. Sure, your messages are encrypted with a separate layer, but how much protection could that realistically get you? If your device is compromised by malware, it can simply wait until you unlock Molly's database, which you'll eventually have to do to read your messages. And if you're facing physical attackers who are ready to "compel" you to give up your passwords, is there really a scenario where you're ready to give up your master password to your lock screen but not to Molly after that? Just something to think about.

And just to make the distinction clear, Molly's database encryption is separate from Molly's screen lock, i.e. Molly asking for your biometrics when you open up the app. You can have the latter without the former.

Anti2030 So what you're telling me is that I have to leave the Molly app without encrypting the database and without setting a PIN just to be able to get notifications and calls when the app is locked?

If you're not willing to use GMS/FCM or to use UnifiedPush integration, then yes.

harp

Anti2030 Don't you think that leaving Molly without setting a database password or a PIN would be a security and privacy issue?

As written by @MyIdentityIsntImportant it depends on your threat model. Beside other improvements of Molly over Signal app according just to database encryption it's no more security and privacy "issue" than using Signal app.

harp

Anti2030 So what you're telling me is that I have to leave the Molly app without encrypting the database and without setting a PIN just to be able to get notifications and calls when the app is locked?

You can set a passphrase for database encryption. As long as you don't lock Molly (don't set a timeout for locking or set it to off) and you don't lock Molly manually, you should get notifications via Websocket. But I described exactly that two times before at least.

With PIN do you mean the PIN for re-setting up the app (not for the database), what you're asked for inside Molly from time to time to make sure you remember? That PIN has nothing to do with database and/or notifications.

Anti2030

MyIdentityIsntImportant Thanks for the reply; it's a little clearer to me now.

Anti2030

harp thanks 👍