This is my absolute favourite kind of post on HN. It's got everything: intrigue, mystery, scandal and of course it's heavy on the technical side too. All packaged up in a compelling narrative.
There is software that lives up to these claims: Tinfoil Chat. The article is correct about the necessary trade-offs: due to peer-to-peer transport (onion hidden service to onion hidden service) both ends of the conversation have to be online -- it at least spools the message while waiting for the recipient to appear.

For hole punching and signaling that has to be done by a third party, well, the third party is Tor.

TFC then goes on to break out the encryption and decryption machines from the network and passes messages over opto-couplers to prevent your keys from getting exfiltrated. Qubes qrexec could similarly isolate the components.

https://github.com/maqp/tfc
IMO you should consider putting Converso in the title of your blog post so that it shows up when people Google it, as a warning.

I just checked and your blog post does not come up in the results for Converso.
A quick search on the CEO turns up that the man is a genius: "Tanner Haas, who is an M.I.T. drop out" was a human health specialist in 2020:

https://londondailypost.com/this-denver-based-startup-aims-to-create-a-new-category-in-human-health/

...now he is a crypto expert.
Amazing.

Have you by chance looked at the new update? Not that anyone should ever use this app in the first place, but I'm curious whether the massive vulnerability you discovered was fixed.
There was an article about the app [0].

"Man Creates Messaging App FBI Can't Crack and Anyone Can Download, Stopped at Airport Days Later"

I would just use SimpleX tbh [1]

[0] https://www.westernjournal.com/man-creates-messaging-app-fbi-cant-crack-anyone-can-download-stopped-airport-days-later/

[1] https://simplex.chat
It's actually kind of sad to see people *actually* using this and believing in the claims being made. And this is all supported by Google who, frankly, should be denying service to what *should* be considered spyware. I mean, I swear this type of app used to be considered spyware...

It seems these days if your data ends up on a server that's A-ok! With all the talk on HN about the "GDPR" it sure seems like an absolute failure - where's the QC from Google looking at the code and proactively doing something about the real, potential harm that can come from this? It really seems if you want to harvest user data you can whip together an app that looks and feels okay, but behind the scenes is designed to do nothing but collect your data for whatever nefarious purpose the developer has in mind - and this is all 100% legal and the chances are whoever was involved will not even get so much as a fine!

Now there's an app that openly collects user data and is publishing it as a matter of public record, consequences be damned.

Android and Google need to take responsibility here and use Play Protect to treat the app as harmful and to better shield users.

This is an excellent write-up and investigation, which is something Google should be doing to expose the dangers of their own platforms - hacking together a few APIs/SDKs to mass harvest user data is absolutely not okay. Frankly, they should be legally mandated to review these apps in depth, be provided full, unobfuscated source code along with a detailed network map of all URLs the app accesses, API keys etc., and approve them (similar to Apple) before Android allows them to be used. If you install it outside of the app store a very strong warning should be in place to let users know of potential spyware/malware.

I also discovered this app is actually on the Play Store [1]! And the app's data safety section says "No data shared with third parties Learn more about how developers declare sharing".

It's an absolute JOKE this is not being enforced by Google at all. Shame on them.

I believe Mozilla did an investigation and found most apps are outright LYING about their "data safety", so that feature is beyond useless when Google doesn't actively moderate it.

[1]: https://play.google.com/store/apps/details?id=com.conversoapp.android
I wonder if there might be grounds for any users to sue based on the publishing of their personal data online and misrepresentation of the product and its security features.
This is so embarrassing. How can they even attempt to exist after this?

The big question: who is paying to develop this terrible app, and why? Do they know it's terrible?