Nuttso I am sending a tiny donation right away, to "signal" the support and to have a truly anonymous, secure and audited chat app finally. Besides, I find SimpleX very promising. But not many talk about it...

    Hey, just gave Molly another try after reading this, and I have some questions.

    • Is Signal still not encrypting its database? Does this matter? I thought every Android app has its own encrypted storage in /storage/emulated/0/android/data/
    • I am confused about device pairing. Can Molly + Signal Desktop work? Because there is no "add device" button in Molly for me, so I would need a signal phone
    • Why can't you use fingerprint for unlocking the DB?
    • In the F-Droid repo there is only one Molly client, no Molly-FOSS one. Same with Accrescent. Why?

    really cool project!

      missing-root Can Molly + Signal Desktop work? Because there is no "add device" button in Molly for me, so I would need a signal phone

      Yes. It works. Check Settings | Linked devices.

      missing-root Is Signal still not encrypting its database? Does this matter? I thought every Android app has its own encrypted storage in /storage/emulated/0/android/data/

      Signal is encrypting its database. But the key is available after you unlock your phone. It's more the key availability that differs.

      Signal uses an SQLCipher database to store contacts, chat history, and attachments, in the app-specific directory on the device. The database is encrypted with AES 256-bit keys randomly generated the first time the app is run.

      The encryption key is wrapped with Android KeyStore and stored in the Shared Preferences. If the KeyStore is unavailable as in Android 5.1 (Lollipop) and previous, the key is written as-is to the Shared Preferences.

      In Signal, Shared Preferences are plaintext XML files stored along with the database.

      However, Molly protects the Shared Preferences with the user's passphrase, providing full encryption of data at rest regardless of the way Android may or may not be encrypting its own storage.

      missing-root In the F-Droid repo there is only one Molly client, no Molly-FOSS one. Same with Accrescent. Why?

      Those are the Molly FOSS clients.

      missing-root I am confused about device pairing. Can Molly + Signal Desktop work? Because there is no "add device" button in Molly for me, so I would need a signal phone

      It works with pairing Signal Desktop and it also supports linking other Molly instances.

      missing-root Why can't you use fingerprint for unlocking the DB?

      Only alphanumeric passwords are considered secure. You have the possibility to use a screenlock on top of the encryption which supports fingerprint. Its implementation is superior to what Signal does. For example, set the timeframe for the DB lock to 6 hours and activate the screenlock. You won't have to type in the password for the DB in those 6 hours.

      easthvan I am sending a tiny donation right away, to "signal" the support and to have a truly anonymous, secure and audited chat app finally. Besides, I find SimpleX very promising. But not many talk about it...

      Thx a lot. We are working towards making molly the most secure communication app available. There are a lot of features on the roadmap that will be a game changer.
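The key-availability difference described in the reply above, as an added illustration that is not part of the thread and is not Signal's or Molly's code. The prefs field names, the PBKDF2 cost and the XOR-pad-plus-HMAC wrapping are assumptions standing in for the AES-based wrapping a real app would use.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed PBKDF2 cost, chosen for this example


def _derive(passphrase, salt):
    """Derive a 32-byte one-time pad and a 32-byte MAC key from the passphrase."""
    dk = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=64)
    return dk[:32], dk[32:]


def store_as_is(db_key):
    """Fallback case from the post: the key is written unprotected to the prefs."""
    return {"db_key": db_key.hex()}  # hypothetical field name


def store_wrapped(db_key, passphrase):
    """Passphrase case: only salt, wrapped key and tag are written to disk."""
    if len(db_key) != 32:
        raise ValueError("expected a 256-bit database key")
    salt = secrets.token_bytes(16)  # fresh salt, so the pad is used only once
    pad, mac_key = _derive(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(db_key, pad))  # toy stand-in for AES wrap
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt.hex(), "wrapped": wrapped.hex(), "tag": tag.hex()}


def recover(prefs, passphrase=None):
    """What a party holding a copy of the prefs file can get out of it."""
    if "db_key" in prefs:
        return bytes.fromhex(prefs["db_key"])  # no secret needed at all
    if passphrase is None:
        raise PermissionError("key is wrapped; passphrase required")
    salt = bytes.fromhex(prefs["salt"])
    wrapped = bytes.fromhex(prefs["wrapped"])
    pad, mac_key = _derive(passphrase, salt)
    expected = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(prefs["tag"])):
        raise ValueError("wrong passphrase or tampered prefs")
    return bytes(a ^ b for a, b in zip(wrapped, pad))


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed 256-bit database key
    print(recover(store_as_is(key)) == key)
    print(recover(store_wrapped(key, "correct horse"), "correct horse") == key)
```

The KeyStore-wrapped case from the post sits between these two: the file alone is not enough, but the device releases the key without any user passphrase.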

        Hey @Nuttso, do you know of plans to make a non FOSS version of Molly UP? I'm interested in using Molly for calls while driving, but there is only the FOSS version in the UP repo

          Nuttso thanks for the reply! So the encryption is not important on modern Android?

          I guess password is more secure, but it's a balance. I can comfortably lock Signal instantly, using my fingerprint. But I would not type in a password all the time.

          Also I would agree a scrambled PIN is more secure in many scenarios, as people see you type that password a lot if you set it to lock quickly, which I assume you should.

          Nuttso Sorry! Forgot to mention I want to use the Android Auto feature. Molly non-FOSS shows up on AA, and I assume it allows calls etc. while driving. However the FOSS versions don't show up on AA, I assume because it doesn't include the Google libraries for it. The UP fork of Molly doesn't have a non-FOSS version yet, so I was wondering if you knew of any plans for it

            beppi it's unlikely that we will address this for now. If you take a look around the gos board you might find a working solution how to get it working. It doesn't need to be non-FOSS as far as I am aware.

              Nuttso Hmm yeah I see the AA declaration in the Android manifest file for Molly UP.... I'll make a thread for it maybe. Thanks for the reply!!!

              Nuttso Thx a lot. We are working towards making molly the most secure communication app available. There are a lot of features on the roadmap that will be a game changer.

              Fingers crossed and I wish you or Simplex makes the finest, best chat app of all, 99.9% anonymous, 99.9% secure and 99.9% private and 100% simple and fail safe for any user. So Briar + Cwtch + TOR + Simplex + Signal/Molly + 100% anonymity and all a beautiful simple UI should be melted together :D

              What are your main thoughts about SimpleX and Cwtch? Any truly major concerns?

              Are there any ideas to make Molly a stand-alone client which could be used by self hosted servers ala XMPP or something similar without relying on Signal servers?

                Hathaway_Noa Are there any ideas to make Molly a stand-alone client which could be used by self hosted servers ala XMPP or something similar without relying on Signal servers?

                We need to finish implementing monero. After that there are several features planned:

                Remote attestation (based on auditor)
                Sandboxing webrtc
                Text only molly
                Molly infrastructure (no personal identifiers)

                  Nuttso

                  Ideas, requests: Integrated TOR by a single switch and with a verification status bar which also shows the circuit? Customizable TTL for messages on server...? Optional online presence displaying like in Briar which would come with zero second TTL or maybe a few minutes (only in server RAM without persistence on reboot)?

                    There's probably more projects I should donate to but am officially donating to GrapheneOS and now Molly.im. Secure os and a secure IM are extremely important.

                    We have a list of messaging apps to choose from but it seems Molly.im is headed in a direction we should be supporting.

                    easthvan all feature requests are welcome. This year will be a great year for Molly. When monero gets implemented an audit will be a must. We would like to do it after monero, remote attestation and sandboxing webrtc are done. When these features are implemented we think about releasing a text only molly. Then we can sit down with the community and find the best way to handle Molly's own infrastructure. We would love to still keep it possible to talk to signal. On top of that add the possibility to talk on molly network.

                      10 days later

                      Nuttso About which version to use. I meant if that version of Molly in the link I posted above works with instant notification when database is at rest/locked? Do you have a version that works with FCM too? Link?