Key Takeaways
- Signal Desktop is adding support for the Electron safeStorage API so that the local database encryption key is protected by the operating system keystore on supported platforms, instead of being stored as plaintext.
- A temporary fallback lets users recover their message database with the legacy database encryption key if the keystore-backed key cannot be used.
- The change, prompted by criticism that the desktop client stored its encryption key in plaintext, needs extensive testing and will ship in an upcoming beta before reaching production users.
Recent Signal Desktop Criticism
Signal, a popular encrypted messaging app, recently came under fire for a security flaw in its desktop application.
Researchers and users are concerned about how the app handles encryption keys on desktop devices. The security researchers Mysk reported that Signal's desktop version stores the encryption key in plaintext, potentially exposing users to data theft.
Mysk shared on Twitter that the desktop app keeps the key that encrypts the local chat history in a plaintext file, so any process running under the user's account can read it. Mysk emphasized,
"End-to-end encryption is useless if any of the ends gets compromised."
They warn that Signal users linking a desktop app might have a false sense of security.
Implementation of Electron safeStorage API
In response, Signal is implementing support for the Electron safeStorage API, which encrypts data with a secret held by the system keystore (the Keychain on macOS, DPAPI on Windows, and a Secret Service or KWallet backend on Linux). The local database encryption key is migrated from its plaintext form to a keystore-backed, encrypted form on supported platforms. One caveat worth knowing: on Linux systems with no usable keyring, Electron's safeStorage falls back to a basic_text backend with a hardcoded key, so the protection gained depends on the platform and desktop environment.
The implementation also includes additional troubleshooting steps for problems during the migration, among them a temporary fallback that lets users recover their message database with the legacy database encryption key. The fallback is meant to minimize data loss if keystore-related bugs surface during the rollout.
Testing and Acknowledgements
The new feature will start rolling out in an upcoming beta release, with production release expected soon after.
More information on the beta process and how to join the Signal Desktop beta is available from Signal for those interested in participating.