Signal team needs to address this.
“Signal should warn users who are likely using insecure IME apps”
Apparently Signal added a new support page for this: https://support.signal.org/hc/en-us/articles/360055276112-Incognito-Keyboard
“Signal Is A Good Start, But Beware”
@andreas Anti-virus is out of scope for a messenger. Signal is designed to be a private messenger, not a privacy suite or anti-virus system. If you want one of those, install them. Once Signal starts the ongoing effort to catalogue all IMEs, their endpoints, versions and reputations, have the app download lists and check the phone for them every now and then, it's no longer a private messenger. Effort and resources are now split between the two widely-different projects.
@andreas Once you're reviewing, cataloging, scanning and detecting IMEs you should also do the same for all types of malware - for malicious software can pivot at any time to say, adding in a malicious IME as well. Now you're down the full-blown anti-virus system and you have to ask if you will also review, catalogue, discuss, scan and warn for Potentially Unwanted Software, and the can of worms that opens.
@andreas Meanwhile your anti-virus team is not making privacy and you're saddled with technical debt on an ongoing basis.
@pasco This isn't about AV, it's simply a request to at minimum add a warning. From https://community.signalusers.org/t/signal-should-warn-users-who-are-likely-using-insecure-ime-apps/10272/48:
> If someone is typing something into signal it is reasonable that they expect it to be secure.
> We are not advocating for AV or for full phone scans. Specifically for a warning to those millions of users potentially put at risk for messages they type because of a Man-in-the-middle that might be collecting clear text they aren’t tech savvy enough to know about BUT SIGNAL SHOULD BE
@andreas I appreciate that, but why not also detect other, similar malware? There are no end of reports of keylogging and middleware reporting back to nation states. And you've not addressed the fact that the foundation would have to invest in checking IMEs, cataloging them, detecting them and alerting the users. Presumably this would need to be an ongoing effort. What of Swiftkey, that has mandatory telemetry to Microsoft? What of GBoard? Where is the line drawn and who draws it?
@pasco Those are good, challenging questions that I think the Signal team + community should answer. Focusing on this keyboard issue, adding a general warning when any 3rd party keyboard is detected (sounds more feasible than enumerating all and) aligns with Signal's development ideology stating, "There are no power users." https://github.com/signalapp/Signal-Android/blob/master/CONTRIBUTING.md#development-ideology
@pasco I'd hope they acknowledge this gap and explore some options which would go a long way to help normal users but that's just my take. Another idea is "a dedicated page/warning for users about these common attack vectors. Similar to the guides @torproject has. This is so at-risk folks can have this info available to them so they can manage risk." https://nitter.net/jerryaldrichiii/status/1349785634144043009
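A sketch of the "warn when any 3rd party keyboard is detected" check proposed in the posts above, as an added Kotlin example that is not Signal's code and was not posted by anyone in the thread. It reads the active IME from `Settings.Secure.DEFAULT_INPUT_METHOD`, treats a package that is not part of the system image as a third-party keyboard, and shows that the incognito-keyboard flag from the linked support page is only a hint an IME may ignore; the function names are hypothetical.

```kotlin
import android.content.ComponentName
import android.content.Context
import android.content.pm.ApplicationInfo
import android.content.pm.PackageManager
import android.provider.Settings
import android.view.inputmethod.EditorInfo
import android.widget.EditText

// Package name of the keyboard currently selected as the default IME,
// or null if the setting is absent or malformed.
fun currentImePackage(context: Context): String? {
    val id = Settings.Secure.getString(
        context.contentResolver, Settings.Secure.DEFAULT_INPUT_METHOD
    ) ?: return null
    // The setting is a flattened ComponentName, e.g. "pkg/.ServiceClass".
    return ComponentName.unflattenFromString(id)?.packageName
}

// True when the package was preinstalled on the system image (even if later
// updated through an app store); those are not "third party" in the sense
// of the proposal. Anything else is treated as a third-party keyboard.
fun isSystemPackage(pm: PackageManager, pkg: String): Boolean = try {
    val info = pm.getApplicationInfo(pkg, 0)
    val systemFlags = ApplicationInfo.FLAG_SYSTEM or ApplicationInfo.FLAG_UPDATED_SYSTEM_APP
    (info.flags and systemFlags) != 0
} catch (e: PackageManager.NameNotFoundException) {
    false // IME package no longer installed; nothing to warn about
}

// Decision point for a one-time, non-blocking warning in the UI. This is a
// risk hint only: it cannot tell a well-behaved keyboard from a keylogging
// one, it just flags that typed text passes through code the app does not control.
fun shouldWarnAboutKeyboard(context: Context): Boolean {
    val pkg = currentImePackage(context) ?: return false
    return !isSystemPackage(context.packageManager, pkg)
}

// The "incognito keyboard" behaviour from the Signal support page is this
// per-field flag (API 26+). It asks the IME not to learn from or store what
// is typed; a keyboard is free to disregard it, which is why a warning
// based on the check above is a separate measure.
fun markFieldIncognito(field: EditText) {
    field.imeOptions = field.imeOptions or EditorInfo.IME_FLAG_NO_PERSONALIZED_LEARNING
}
```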