this post was submitted on 17 Sep 2023
146 points (82.9% liked)

Privacy

32130 readers
1210 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 5 points 1 year ago* (last edited 1 year ago) (2 children)

The RAM shredding feature seems kind of silly to me, but I don't know the details. Ideally the operating system should clear pages before giving them to other applications... While I can see the appeal in also doing it in the application, it seems kinda wasteful, and I wouldn't trust the application to do a good job of that anyway. If the point is to prevent the app itself from leaking private keys on a buffer overflow or whatever... I guess I can see the value of that, but I'd rather see mitigations for the buffer overflows highlighted instead. I guess this just makes me a little suspicious of the actual value provided by the app.

[–] [email protected] 3 points 1 year ago

Okay, I got curious and looked into it... These are the relevant files for the "RAM shredding"

I'm not an Android dev, but at first glance it looks like all this does is try to allocate all of the free memory in the system, and walks through the pages and uses rand() to fill in all of the bytes. Technically it's possible for the pages returned by malloc to contain old data, but only if it was allocated by your process in the first place (maybe that's not the case on Android?)... So I guess the idea is that if Molly itself is compromised and an attacker is able to allocate memory in the Molly process they could conceivably get an old page from memory and that page might contain secrets from the Molly app itself... But at that point, surely you're fucked anyway, and the attacker can presumably read all of the currently allocated memory which is certainly far more of a security concern anyway? I just don't think it's worth the cycles.

[–] [email protected] 2 points 1 year ago (1 children)

The biggest thing molly has going for it is its f-droid repo and fully Foss version.

[–] [email protected] 1 points 1 year ago

That’s fair. Just when applications tout dubious security features it makes me a little sceptical of the expertise of the developers. At the very least I’m disappointed that they don’t have more details on this. If it is valuable, I’d be interested to hear more about it.