Molly.im

23Sha-ger

Joe-FastFeet
Check the official manuals. Those capabilities exist.
Not sure for iPhone 17, but when I used to work with them,
this was not an issue. iPhone pre-15 I can guarantee.

userofgos

Joe-FastFeet now that is more clear what you mean and intended to say than the 6 statements/questions you mentioned above. Sure, audits can be beneficial to open source projects, but I tend to think their are better approaches.

https://xcancel.com/GrapheneOS/status/1879265831634497963#m

https://grapheneos.org/faq#audit

Joe-FastFeet

And an independent audit could confirm that Molly securely encrypts data, not allowing it to be extracted when accessing the device after the AFU password. So personally, I will wait for the audit, and based on the results I will make a decision. In the meantime, Signal did not give reason to doubt its reliability and safety.

23Sha-ger

Joe-FastFeet I will wait for the audit, and based on the results I will make a decision

Some governments, have a very effective non technical approach to extraction. Cellebrite is not required. ;)

userofgos

Joe-FastFeet well it seems you are highly invested in the fact that they haven't been audited by experts, so maybe you'd like to make that known just like you did here.

Joe-FastFeet

userofgos I did not open this topic of discussion. But after reading it, he expressed his opinion, like all the other participants in the discussion. I think I have the same right as all other users.

userofgos

Joe-FastFeet and I think it's a valid point to consider, I didn't say otherwise. It just seems so important to you that you might want to mention it to the actually Molly devs/community and not just here. That's all I'm saying :)

Joe-FastFeet

userofgos I think we can hardly influence the decision of the developers to conduct an independent expert assessment. It is also worth noting that not everyone is ready to undergo an independent audit. Although, of course, firstly, it would be interesting for users, and secondly, as we have already discussed, it would give an additional boost to the development of the project. After all, there would be much more trust in the application. It is one thing when the topic of security is discussed by users in the chat, and quite another when an expert assessment is formulated by specialized authoritative representatives in security security.

n3t_admin

I can't believe people here are wasting their time on this very obvious rage bait, as also demonstrated in the Accrescent thread. This thread should be sanitized properly...

Tlhokaina

Could you please explain the differences between Signal, Molly.im and Molly FOSS?

userofgos

Tlhokaina You can find this information here: https://github.com/mollyim/mollyim-android

gta3

Tlhokaina molly-foss has the closed source google blobs removed, signal doesnt(who knows what the google code does)

Along with more usful features.

Also the code base was less last time I checked, less code usually means less attack vectors

Sombody gave u the link for more info

Tlhokaina

Thanks for the reply.

So, would not having FCM offer more privacy? Does Google's FCM keep a record of push notifications?

DeletedUser495

Tlhokaina Google's FCM keep a record of push notifications

Yes.

I am not well versed in this but I think apps enroll with Firebase to get an ID token I believe with device specific information that enables correct notification routing. Although it is not talked about much, it is suspected Google has been compelled to record this information which can be leveraged under subpoena. So using notification methods avoiding Firebase breaks this link. Correct me if I'm wrong.

userofgos

Tlhokaina This is a detailed article, I'm not versed in this area and have not read the whole thing as it's quite lengthy. https://unifiedpush.org/news/20250513_push_security_privacy/

argante

@"Joe-FastFeet"

Please, uninstall Molly as soon as possible and install whatever you want: Signal, WhatsApp, Telegram. Take your pick. And stop cluttering this thread with your posts.

In response to your accusations about the lack of an official audit, I understand that you have similar accusations about this project?

n3t_admin

argante And stop cluttering this thread with your posts.

Thank you. 50 posts added because of one individual throwing around nothingburgers and not understanding at-rest-encryption, blobs or audits.
I am 100% sure this is rage bait.

gta3

frosty0886 it sees the notification data unencrypted the lasttime I read.

It was a known spy vector for many messaging apps... If they use Google's push server then the msg is exposed.

Also via the google keyboard on stock android phones

de0u

frosty0886 Genuine question: Does google receive the notification data unencrypted?

gta3 it sees the notification data unencrypted the lasttime I read.

For the notification service to work, FCM must know who to notify, and it also knows which app is sending the notification. But there is no requirement that the push notification include message data (let alone clear-text data). Even if the push notification is "empty" the device will receive it, and the device will contact the appropriate server(s) to fetch the actual data. In the case of Signal, the push notification does not contain unencrypted message text (the Signal servers don't have the unencrypted message text).

gta3

de0u then how does the recieving device receive the notifaction balloon msg

de0u

de0u Even if the push notification is "empty" the device will receive it, and the device will contact the appropriate server(s) to fetch the actual data.

gta3 then how does the recieving device receive the notifaction balloon msg

When the device receives the push notification, it reacts by contacting the appropriate server(s) to fetch the actual data. Then it can display the notification, if configured to do so.

gta3

Joe-fastfeet is coming across as a shill, one of those FBI guys who misinforms ppl into using vulnerable applications

Im still going to use molly-foss and promote it to all my friends.

Have a good day

« Previous Page Next Page »