I have a question for the #DeltaChat crowd: What if someone has a quick access to one of my devices, let’s say I forget to lock my phone or laptop and an attacker adds their phone as a secondary device to my profile. Is there any mitigation possible? Could I realize it? Could I disable their access?

Simplest idea I would have for that would be to switch off multi-device mode, change the password and add trusted devices again
But if they had access to your device, why would they spend time on only Delta, instead of just installing a rootkit? My point being, it’s often said that if an attacker had physical access, the game is already lost
@ineedmana
Your account is on the devices, not on the server. You can’t change your password (unless you’re using non-chatmail servers)
@lou_de_sel
Maybe I’m missing some detail on how DC works but you have to have an account in order to get your messages. Even in Arcane, which is aimed at being more non-technical-friendly, you can see your login and password in the “relays” settings
@ineedmana
At this point it becomes technical jargon, but “account” kinda implies storing settings, profile, and such. A relay address has none of this; it’s just a queue you have exclusive access to.
This setting allows you to modify the password to access the address on the relay, but you can’t change the password of the address on the relay
Hmm. So to invalidate all other accesses, one would have to reach out to the relay admin?
Since technically it’s an email server underneath, maybe that feature could be available via mail web ui if the relay had one?
@ineedmana
I’m not part of the team, but that is counter to the philosophy of where chatmail relays are going, which is “no admin of mail accounts”. All administration must be doable on the device with no dependency on the server. It is important that the server can be offline, or just disappear with no warning, and that the user can still do everything.
Well, in that case administration of password change seems to not be doable on the device
@INeedMana yeah, I know it’s a serious security breach, but I’m not thinking about a big-time attacker but someone like a partner in a toxic or abusive relationship, or a treasonous friend.
Someone who you unknowingly trust but who doesn’t really have the means to install a rootkit. Just open Delta Chat, flash the QR code and put the phone back down.
Someone doing that with Signal/Molly would eventually get caught, or at least blocked the next time I review my devices list. But that can’t happen with Delta Chat?
I’ve only found this
EDIT: and this. Maybe there is some app locker on f-droid for older androids