The Following 14 Users Say Thank You to pacman For This Useful Post: | ||
|
2017-12-05
, 08:12
|
Community Council |
Posts: 4,920 |
Thanked: 12,867 times |
Joined on May 2012
@ Southerrn Finland
|
#2
|
...
TL;DR: An important security protocol that is available on native Android 4.4.4 is not available under Alien Dalvik. This means that services that depend on using Android apps may not work on Alien Dalvik + SFOS, even though they do work on mainstream Android installations of the corresponding version. Android apps that work now on SFOS may stop working without warning if the services that they depend on drop support for older security protocols.
...
...
* The Android Wire app tries to use GCM (Google Cloud Messaging) to retrieve shared media such as pictures, video and previews of web pages. This fails if Google Play Services are not available.
* The Wire app then falls back on a WebSocket protocol to try to retrieve the media
* The service provided by Wire requires a handshake using TLS v1.2 for the WebSocket protocol to work
* Under Android 4.4.4, TLS v1.2 is provided by Google Play Services, so the handshake fails on any Android 4.4 platform where Google Play Services is not available, including Alien Dalvik.
* Wire are not prepared to support TLS of a lower version than 1.2 on their service: that would be an unacceptable weakening of their security.
|
2017-12-05
, 10:01
|
|
Posts: 89 |
Thanked: 532 times |
Joined on Sep 2015
|
#3
|
Weeelll... technically you are correct but WTF!
Anything that depends on Google Services cannot be secure by any lenght of imagination, the whole bloody pile exists there just for the purpose of taking your control away and massaging you into nice munchable bites of data for the G-machine...!
I suggest that you do the sensible thing and lose android, which means both the real thing and anything that is capable of running those applications...
The Following 4 Users Say Thank You to pacman For This Useful Post: | ||
|
2017-12-05
, 12:34
|
Posts: 301 |
Thanked: 531 times |
Joined on Aug 2010
@ The Netherlands
|
#4
|
The Following 18 Users Say Thank You to rob_kouw For This Useful Post: | ||
|
2017-12-05
, 12:56
|
Community Council |
Posts: 4,920 |
Thanked: 12,867 times |
Joined on May 2012
@ Southerrn Finland
|
#5
|
|
2017-12-05
, 20:17
|
Posts: 286 |
Thanked: 259 times |
Joined on Jan 2006
@ Cambridge, England
|
#6
|
I have experimented a bit with Riot.im, and have found that with the Android Riot.im app on the matrix.org instance, images can be exchanged successfully. In principle, I could switch to this service, and try to persuade everyone that I currently communicate with on Wire to follow me to a Matrix-based service. I do not see this as a solution though: the administrators of matrix.org (or other Matrix instances) could drop support for older versions of TLS and I would then be in the same situation as I am now with Wire.
|
2017-12-05
, 23:04
|
|
Posts: 89 |
Thanked: 532 times |
Joined on Sep 2015
|
#7
|
A sports app I used has now been updated and insists on Google Play Services, Google has a lot to answer for!
With regards to Matrix have you seen there is a native Matrix client in openrepos here? I haven't used it myself yet, but thought it might be of help to you.
The Following 5 Users Say Thank You to pacman For This Useful Post: | ||
TL;DR: An important security protocol that is available on native Android 4.4.4 is not available under Alien Dalvik. This means that services that depend on using Android apps may not work on Alien Dalvik + SFOS, even though they do work on mainstream Android installations of the corresponding version. Android apps that work now on SFOS may stop working without warning if the services that they depend on drop support for older security protocols.
I started looking into why I could not see pictures or videos that other people sent me when using the Android Wire messenger app on SFOS, when I could see the media in the app when using it on Android. I also observed that profile pictures/avatar images and previews of shared web links are also unavailable on SFOS. Someone else posted about the same problem on TJC here: https://together.jolla.com/question/...e-no-pictures/
This GitHub issue https://github.com/wireapp/wire-android/issues/518 suggests that the problem happens when Google Play Services are not available:
* The Android Wire app tries to use GCM (Google Cloud Messaging) to retrieve shared media such as pictures, video and previews of web pages. This fails if Google Play Services are not available.
* The Wire app then falls back on a WebSocket protocol to try to retrieve the media
* The service provided by Wire requires a handshake using TLS v1.2 for the WebSocket protocol to work
* Under Android 4.4.4, TLS v1.2 is provided by Google Play Services, so the handshake fails on any Android 4.4 platform where Google Play Services is not available, including Alien Dalvik.
* Wire are not prepared to support TLS of a lower version than 1.2 on their service: that would be an unacceptable weakening of their security.
I have experimented a bit with Riot.im, and have found that with the Android Riot.im app on the matrix.org instance, images can be exchanged successfully. In principle, I could switch to this service, and try to persuade everyone that I currently communicate with on Wire to follow me to a Matrix-based service. I do not see this as a solution though: the administrators of matrix.org (or other Matrix instances) could drop support for older versions of TLS and I would then be in the same situation as I am now with Wire.
Some Android apps clearly do support TLS v1.2, for example pointing Android Firefox on SFOS to https://www.howsmyssl.com/ shows that TLS v1.2 is supported. This is presumably because the Android build of Firefox includes its own TLS library, and doesn’t rely on Google Play Services to provide it. However, it is not reasonable to expect every Android app to do this, if Google Play Services on Android 4.4.4 provides the latest version of TLS.
Is there any possibility that support for TLS v1.2 in Alien Dalvik on SFOS could be somehow be provided? Maybe in miroG, or by some kind of pass-through to SFOS itself? If this is doesn’t happen, support for Android apps in SFOS that require access to secure services will gradually degrade as service providers drop support for older versions of TLS. I suspect that Wire is not the only app affected by this. Porting security patches from Android 4.4.x to Alien Dalvik won’t make any difference to this issue.
One commenter on the TJC thread linked to above does see media load in the Wire app, and has speculated that this is because they have installed the NextCloud app and synchronise Wire media with their NextCloud storage. This is unconfirmed so far, but if it is true then it suggests that it is possible to provide support for TLS v1.2 without having to get into the internals of Alien Dalvik.
The lack of support for up-to-date security protocols in Alien Dalvik (as compared to SFOS itself) has also been noted on TJC here: https://together.jolla.com/question/...ersations-app/
As I said at the start, I would be grateful for any comments on this from anyone with real expertise in this area.