I am confused about which one of them would suit me? Signal will soon support usernames. Will Molly/FOSS also support it when that happens? My need is being as secure as you can get and as anonymous as I can be. So which one would suit me?

Second. What is this? https://github.com/mollyim/mollyim-android-unifiedpush
How does this work and how would you use this?

    PMUSR Signal will soon support usernames. Will Molly/FOSS also support it when that happens?

    I fail to see a reason why they wouldn't. Molly periodically merges the Signal changes so it should get it as well.

    Second. What is this? https://github.com/mollyim/mollyim-android-unifiedpush
    How does this work and how would you use this?

    From my understanding, Molly has the ability to encrypt the message database and have it completely "locked". This results in the app needing to be unlocked/decrypted to properly receive messages and calls. I believe the UnifiedPush addition now produces a generic "You have new stuff" message so you know to unlock the app.

    Also, I don't think you need to use that fork, as Molly has merged this into the main repo, it seems.

    Edit: In actual fact, they even explain it in the notes:

    We are happy to introduce the latest addition to Molly: the ability to receive generic activity notifications when the app is locked with the data-at-rest passphrase. Simply enable "New activity while locked" in your Molly notifications settings.

      Dumdum So which one to use and still be able to get notifications when Molly is locked?

        PMUSR
        As I said above, the feature has been merged so just using Molly is fine.

        PMUSR

        I am confused about which one of them would suit me?

        The apps are obviously quite similar. Molly is a "hardened" fork of Signal and the open source Signal Protocol. If your threat model has the police extracting data from your phone via Cellebrite/GrayKey, then you might consider Molly with its encryption at rest. Signal had this years ago, but they removed it when iOS and eventually Android got file-based encryption on by default, which is now full-disk encryption by default.

        Since the cops confiscating and analyzing my phone is not much of a concern for me, I stick with Signal as it is tried and true and Molly provides for a larger attack surface with more code and a better chance a security flaw can be exploited on Molly in the wild. Signal's Android app has 24.3k stars on GitHub, and when you add all the other Signal apps, Signal has 59k overall stars. On GitHub Molly shows 1.1k overall stars. Thus, Signal has really been gone over by the developer/security researcher/cryptography community and Molly not so much for the code in its fork of the Signal Protocol. I think Molly is fine, but if your threat model gets up there, something to think about. Same with Signal not having encryption at rest for the app.

          The most important feature of Molly is indeed the ability to encrypt the database. Signal never had the ability to do this. Moxie himself repeatedly said that the lock at the time was nothing more than a useless screenlock. There was a lot of discussion about it before the big cleanup on GitHub. Moxie claimed that once you enter the key, you can never get it out of memory again. This is not true. Molly deletes the RAM memory completely after it is closed. This has been extensively tested. In addition, Molly has other very useful features. Signal is aware of Molly. We are working hard to make the app more secure for Android and would implement many more groundbreaking features if we had the financial support. Remote attestation, text only, sandboxing WebRTC to name a few. Currently Monero is the primary target.

            • [deleted]

            Nuttso We are working hard to make the app more secure for Android and would implement many more groundbreaking features if we had the financial support.

            You're a Molly developer?

              • [deleted]

              I use both Signal and Molly. My use case is that I have two phone numbers, one for personal, one for professional (hence dual-SIM Pixel). This way I can use Signal for one (pers) and Molly for the other (prof). Combine this with using Signal desktop for one and Signal desktop-beta for the other, and I am able to effectively run "two instances of Signal" on the one phone, each paired with a desktop form. In the past (before GOS and before I knew about Molly) I did this using the Work profile hack, with literally two instances of Signal installed, which incidentally also meant running two instances of the VPN on the phone, one for each profile. This was clunky and chewed data, so the above is a neater solution to my use case. YMMV.

              MoonshineMidnight Molly provides for a larger attack surface with more code and a better chance a security flaw can be exploited on Molly in the wild

              Some features add more surface, but others make it smaller. Speaking in a general sense doesn't make sense. Even GOS can be set up to have a larger attack surface than stock Android. It's true that Molly has stronger default settings, but considering the additional party, it doesn't sum unless you particularly distrust Signal or Google, or prefer to support the project.

              I'd say... Don't need any of Molly's extras? Just use Signal. But don't say it's because of the larger attack surface, because it doesn't make sense unless for your specific situation.

              As an example, the latest vulnerability with the profile key. Molly had protection against it with Block Unknown. This was a real thing, not some hypothetical scenario.

              By the way, Molly has less code than Signal: no donations, no badges, no payments (yet), some debugging stuff was removed... SMS was removed before Signal removed it.

              I've been a big fan of Molly since I first found it around a year ago, I like all the features of it. Very useful and I have peace of mind knowing the messages are locked down even if someone got access to the device. Thanks @Nuttso and the other developers for all of your hard work.

                So back to the first original question, how do we activate it? Because once I've downloaded v6.40.4-1.up1 and go into notifications and use the slider for New activity while locked, I get a window that pops up saying it's unavailable. I have checked down at the bottom for my delivery method and I have it set for Unified Push...

                Thanks

                  Nuttso What kind of threat does Molly's database encryption mitigate? Is it, as I understand it, local encryption on the device, or am I missing something?

                  I deactivated it because entering my password in addition to the PIN/fingerprint bored me.

                  In any case, thank you for this fork.