Molly is only available on Android, as far as differences it is a hardened fork of signal with an encrypted database, what that means in practice is even if someone was actively probing your phone to try to gain access to messages they wouldn’t be able to due to the encryption. It’s very useful if you are an active target or you don’t trust your phone os to play nice. I personally use it myself and really like it but in general it’s not terribly different.
What problem does am encrypted database solve? The phone itself is encrypted through a combination of hardware key storage and the user password, so offline storage attacks aren’t relevant.
If you can access the Signal database, you have root access or something close to it. If you have root access, injecting a simple Frida gadget into a running app is basically three commands away, which will allow you do do any operation as that app, including dumping the secret keys or emailing a copy to someone else.
Encrypted databases are a useful measure to slow down reverse engineering by a day or two, but they don’t provide any additional security. They do allow for harder to recover database issues to happen, though.
It’s only encrypted in a BFU state, (before first unlock). Police can probe your phone for data using a tool by cellebrite without root. GrapheneOS includes a auto rebooting feature to place it back in a BFU state but other phones will lack this feature. Using Molly’s database lock allows you to not trust the OS itself by encrypting it.
The main issue with encrypting the database using Molly’s setup is you’ll miss notifications and calls until you unlock, this might be able to be fixed using a different database encryption setup but as it stands it would be inconvenient for many.
Molly is only available on Android, as far as differences it is a hardened fork of signal with an encrypted database, what that means in practice is even if someone was actively probing your phone to try to gain access to messages they wouldn’t be able to due to the encryption. It’s very useful if you are an active target or you don’t trust your phone os to play nice. I personally use it myself and really like it but in general it’s not terribly different.
What problem does am encrypted database solve? The phone itself is encrypted through a combination of hardware key storage and the user password, so offline storage attacks aren’t relevant.
If you can access the Signal database, you have root access or something close to it. If you have root access, injecting a simple Frida gadget into a running app is basically three commands away, which will allow you do do any operation as that app, including dumping the secret keys or emailing a copy to someone else.
Encrypted databases are a useful measure to slow down reverse engineering by a day or two, but they don’t provide any additional security. They do allow for harder to recover database issues to happen, though.
It’s only encrypted in a BFU state, (before first unlock). Police can probe your phone for data using a tool by cellebrite without root. GrapheneOS includes a auto rebooting feature to place it back in a BFU state but other phones will lack this feature. Using Molly’s database lock allows you to not trust the OS itself by encrypting it.
edit: corrected cellbrite to cellebrite
deleted by creator
Yeah I realize it is android only and that makes sense that is exactly what I was looking for surprised signal doesn’t encrypt the database honestly.
They used to. Then they removed it. And Molly forked and put it back in.
Makes sense thank you for clarification
The main issue with encrypting the database using Molly’s setup is you’ll miss notifications and calls until you unlock, this might be able to be fixed using a different database encryption setup but as it stands it would be inconvenient for many.
That makes allot of sense why signal does not have it would be a issue for most regular users.