I was excited about this for a moment, since I was a big fan of Pushbullet before they decided to "evolve" into a messaging app.<p>I used it simply to send links between my phone/browser and to occasionally send a link via SMS. I would have happily paid for this functionality.<p>In a recent update, it became impossible to send SMS from the browser without also syncing your entire SMS history (images included) to their server without end-to-end encryption, so I nuked my account.<p>I just signed up again to test this out, and I didn't get very far before I realized they are still storing all my MMS images on their server un-encrypted.<p>Here's one from my SMS history:
<a href="https://dl.pushbulletusercontent.com/KWevdTT0b4Fe92yukWHDKlo0sHHtbWHq/436" rel="nofollow">https://dl.pushbulletusercontent.com/KWevdTT0b4Fe92yukWHDKlo...</a><p>I just "cleared my history" and deleted my account and the link still works, so we'll have to see how long my data stays on their server. I'm going to assume indefinitely :(.
Who exactly is getting behind using a closed-source service where a main developer can't understand the benefits of end-to-end encryption, nor how it actually works? -> <a href="https://www.reddit.com/r/Android/comments/3bplym/hey_randroid_pb_dev_here_lets_talk_about_endtoend/" rel="nofollow">https://www.reddit.com/r/Android/comments/3bplym/hey_randroi...</a><p>Same as WhatsApp+Axolotl. Is it implemented properly? Is it flawed on purpose?<p>iMessage? What's stopping Apple from simply inserting new keys? They completely control the infrastructure and implementation.<p>Both are a very big false sense of security, as is PushBullet's E2E.
To note is that 1) the encryption is not set by default, 2) it is closed source, and 3) it's a VC-backed company without an option for users to pay for the service.
So it's: Password -> KDF -> Key+Plaintext -> AES-GCM.<p>Better than nothing, but just that isn't very secure. It's not safe to use the same key indefinitely.
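The pipeline outlined in the comment above, as an added example that is not part of the thread and is not Pushbullet's code. PBKDF2-HMAC-SHA256, the iteration count, the salt and the function names are assumptions; the comment names only "KDF" and AES-GCM.

```javascript
// Added illustration, not Pushbullet's code. The KDF choice, iteration count
// and salt are assumptions: the comment above says only "KDF".
const crypto = require('node:crypto');

const KDF_ITERATIONS = 100000; // assumed work factor

// Password -> KDF -> 256-bit key. Deterministic: the same password and salt
// always give the same key, so the key lives exactly as long as the password.
function deriveKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, KDF_ITERATIONS, 32, 'sha256');
}

// Key + plaintext -> AES-256-GCM. Every message needs a fresh 96-bit nonce:
// repeating a nonce under one long-lived key breaks GCM's guarantees.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]); // nonce | tag | ciphertext
}

// Returns the plaintext, or null when the tag check fails (wrong key or tampering).
function unseal(key, blob) {
  if (blob.length < 28) return null; // too short to hold nonce + tag
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  try {
    return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]).toString('utf8');
  } catch (err) {
    return null;
  }
}

// Constructed sample values.
const salt = Buffer.from('constructed-user-id');
const key = deriveKey('correct horse battery staple', salt);
const first = seal(key, 'https://example.com/link');
const second = seal(key, 'https://example.com/link');
console.log('same ciphertext twice:', first.equals(second));
console.log('round trip:', unseal(key, first));
const tampered = Buffer.from(first);
tampered[tampered.length - 1] ^= 1; // flip one ciphertext bit
console.log('tampered:', unseal(key, tampered));
```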
It's good to see Pushbullet release such an important feature as part of the standard product. I've seen many other products stuff encryption and other important security features into the premium/enterprise package under a "consumers don't care about this" mentality...