@risottobias @ryanprior

if you like to know about all the gory details of how we isolate apps from getting at any side channels, see this discussion which also includes a security audit by Cure53 delta.chat/en/2023-05-22-webxd…

And yes, it's maybe not perfect, but it's not just yet another web view that has arbitrary access. Also, even if an app manages to break isolation, it has no access to the social graph at all. See webxdc.org/docs/spec/selfAddr_… for what is exposed to apps from the messenger side.

Delta Chat: Bringing E2E privacy to the Web: 4th security audit 😅

Delta Chat’s “web apps shared in a chat” come with a unique privacy promise but in January it was shown to be compromised. We got into a surprising struggle with Web browser sandboxing issues that ...

^delta.chat

@ryanprior I don't even mean the isolation.

I mean the /app store/-ish part of this.

being phished into installing a malicious app?
being typosquatted into installing a malicious app instead of a good one?
an app being maliciously updated?
a vulnerable app not being updated?
a lack of community review?

@risottobias even if the app doesn't do any I/O at all, it can show a very official looking statement that looks like it's from my bank telling me $5000 has been deposited in my account, and it doesn't have a URL I can check to see whether it really is my bank's website or not. If it's an app on my security-focused messenger, it must be secure, right?

I am inclined to say it's irresponsible to ship an unaccountable open app platform with Delta chat or any secure messenger.

@risottobias @ryanprior

- each webxdc app includes a link to the source, both in the app store, and when you run the apps. Usually codeberg or github.

- most apps are final. This is not Android/iPhone app ecosystem where you constantly need to update in order to even still be runnable for users. for example, the checklist app. it was written one year ago. it still works unmodified. If there is a newer version you can use it in future travel plannings. Old ones are unmodified.

@ryanprior @alexia @risottobias For most attackers it's probably easy enough to just make you click a link that they send you in any messenger or e-mail. Why send a webxdc app when you can just send a link or a "DHL delivery status update: Your package is delayed, please visit this link ..."?

Also the webxdc app would be on your phone as a zip file, and whatever it does can be analyzed.

Not that bad, really

WebXDC apps don't have access to chat contents outside of what they themselves set (i.e a game only has access to it's own data), are self-contained, run offline (i.e no access to outside of the chat), and make use of the webview's sandboxing which tends to be quite strong (makes sense, malicious websites have to run under the same sandbox and not escape)

They also don't have access to much profile data, really just the name which can be changed at any time. When they send messages they can only send special status messages (i.e don't show up as being from a user). The WebXDC standard has also undergone a security audit so it generally follows good practices

The worst that happens is it stores a bunch of garbage data in a chat, from what I can tell. It can't even send your data anywhere cuz it doesn't have internet access; Except to your contact, which it can build an E2EE connection to with Iroh

but that shouldn't matter because in a freshly opened chat there's no data to forward anyways, and none a threat actor wouldn't have access to already anyways

It probably also helps to understand that the appstore is only there for convenience. WebXDC apps are effectively shareable entirely without one.

If someone wants to send you a malicious WebXDC app, they dont need the store to do so.

That said there are message requests so if someone randomly finds your QRCode/Link and then sends you a malicious WebXDC, you can simply press Reject on the request

Hehe - there is no factor

There is only Signal where you can read about upcoming wars and bombings