
github.com/mollyim/mollyi explains the implementation. It's primarily based around a passphrase with the hardware keystore as an additional layer of security, but apps can also implement this directly with the hardware keystore with a key set to require that the device is unlocked.
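The "key set to require that the device is unlocked" approach from the tweet above, as an added example that is not code from the thread, Molly or GrapheneOS. It assumes an Android app targeting API 28 or later, a hypothetical key alias `message-db-key`, AES-256-GCM as the cipher, and ciphertext stored as a 12-byte IV followed by the GCM output.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.security.keystore.StrongBoxUnavailableException
import java.security.GeneralSecurityException
import java.security.KeyStore
import javax.crypto.AEADBadTagException
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

private const val KEYSTORE = "AndroidKeyStore"
private const val ALIAS = "message-db-key"   // hypothetical key alias chosen for this example

/** Returns the app's hardware-backed AES-256-GCM key, creating it on first use (API 28+). */
fun getOrCreateUnlockBoundKey(): SecretKey {
    val ks = KeyStore.getInstance(KEYSTORE).apply { load(null) }
    (ks.getKey(ALIAS, null) as? SecretKey)?.let { return it }

    fun spec(strongBox: Boolean) = KeyGenParameterSpec.Builder(
        ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        .setUnlockedDeviceRequired(true)   // the keystore refuses to use the key while locked
        .setIsStrongBoxBacked(strongBox)   // prefer the discrete secure element when present
        .build()

    val kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE)
    return try {
        kg.init(spec(strongBox = true)); kg.generateKey()
    } catch (e: StrongBoxUnavailableException) {
        kg.init(spec(strongBox = false)); kg.generateKey()   // fall back to the TEE-backed keystore
    }
}

/** Decrypts an iv||ciphertext blob, or returns null when the keystore rejects the operation
 *  (for example because the device is locked). The caller must zero the result when done. */
fun decryptIfUnlocked(blob: ByteArray, aad: ByteArray): ByteArray? {
    val iv = blob.copyOfRange(0, 12)
    val ct = blob.copyOfRange(12, blob.size)
    return try {
        Cipher.getInstance("AES/GCM/NoPadding").run {
            init(Cipher.DECRYPT_MODE, getOrCreateUnlockBoundKey(), GCMParameterSpec(128, iv))
            updateAAD(aad)
            doFinal(ct)
        }
    } catch (e: AEADBadTagException) {
        throw e   // tampered or corrupted ciphertext is an error, not a "locked" condition
    } catch (e: GeneralSecurityException) {
        null      // exact subclass varies by Android version; treat any refusal as "not yet"
    }
}
```

When encrypting with this key, let the keystore generate the IV (randomized encryption is enforced by default for keystore AES keys) and prepend the IV it reports to the ciphertext; the null return from `decryptIfUnlocked` is the hook for the "alerted that new messages exist but cannot decrypt them yet" mode discussed further down the thread.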
Android is better at making complex things possible in these areas than iOS but is missing an easier to use declarative approach to make simple things simple. In the end, what mattered is that the open source platform has a far more active open source app and library ecosystem.
Molly was implemented by a GrapheneOS community member and we've collaborated with them. GrapheneOS can only exist because AOSP is open source. Molly could exist for iOS, but it doesn't and probably won't in the near future, and you won't convince Signal devs to care about this.
We've been talking to them about the possibility of optional hardware attestation support in Molly where you can opt into mutually verifying hardware/firmware/software and automatically preventing sending messages if it fails verification or the patch level ends up months behind.
Still do have to design the app around it to avoid trying to use that data while locked and to make sure the data gets cleared out from memory. For Signal it would mean having a mode where it can be alerted that new messages are available without being able to decrypt them yet.
Simplest to wait until the device is unlocked to fetch them at all rather than storing them with asymmetric encryption in a staging area, although that's possible and directly supported by one of the data classes. What matters most is that app developers want to actually do this.
iOS making it easy doesn't seem to have much of a positive impact in practice since there isn't awareness of the desire to harden apps. Signal also doesn't bother doing any kind of internal sandboxing for different chat contexts or different components like media handling, etc.
Android provides the Chromium layer-1 sandbox as a standard OS API (isolatedProcess) but I have never seen it being used outside of Chromium or AOSP. It's almost completely unused. It's simply a boolean turning a service process into a sandboxed service like a Chromium renderer.