What's the risk of honey pot apps?

Given the amount of radical leftists using Lemmy, what's the risk that certain intelligence agencies create nice apps for Lemmy and put them on the app store to gather data on leftists?

It would be fairly cheap to do so.

I was looking for apps earlier today and noticed there's a bunch of new android apps for Lemmy and this thought occurred to me.

14 comments
  • The NSA's BULLRUN program suggests that the TLS encryption is compromised anyway. My money is on certificate authorities having given the NSA a backdoor 'for national security'. I don't think that they need to compromise an app directly.

    If you need to communicate privately, please don't use an open forum. Use an OS without telemetry (not Windows), make self-generated keys for GPG emails or OMEMO chat, and verify the key signatures directly with your comrades. If you need to communicate anonymously, bear in mind that there is no silver bullet.

    • The NSA’s BULLRUN program suggests that the TLS encryption is compromised anyway.

      I doubt that. Potentially, at some point, that might've been true, but TLS constantly changes which encryption algorithms are used. The older algorithms that leaked documents state the NSA had cracked are no longer allowed in TLS and your browser will refuse to load pages that use them. Current algorithms are far more secure and the open source implementations used for them have no back doors. They're being audited constantly by hundreds of thousands of cybersecurity experts. If any back doors appear, we'll know pretty quickly. If you're using a proprietary browser like Chrome, however, there's no way to know if Google has altered the implementation in some way (although someone at Google probably would speak up if that was the case), so I'd recommend never using a proprietary browser. Use something like Firefox or Chromium instead. Ideally, Firefox or one of its forks such as Librewolf.

      My money is on certificate authorities having given the NSA a backdoor ‘for national security’

      This wouldn't do anything but make it a little easier for the NSA to run man-in-the-middle attacks. It would not give them the ability to crack any encryption at all or even make that easier, and if the CA was ever discovered doing this, they'd go out of business immediately (this has happened before), so they're highly disincentivized from allowing it.

      I don’t think that they need to compromise an app directly.

      This is actually true, but not in the ways you listed. A lot of the web is now using Cloudflare's free CDN service. They proxy their traffic through it to make their sites faster and reduce server load. Cloudflare issues their own TLS certificates and the connection is made between the browser and their servers before getting forwarded to the destination. That means Cloudflare is in possession of plain text data from all users who use any site that happens to use Cloudflare. If Cloudflare has given the feds a backdoor (and they probably have), that would give them lots of data. Lemmygrad is not using Cloudflare, nor are any of my services, including the genzedong matrix server.

      Also, most people are using proprietary OSes like Windows or Android with Google services. No one has any idea what data is being collected by those, and what is being done with that data. So, for anything truly sensitive, use an open source OS like Linux.

      If you need to communicate privately, please don’t use an open forum. Use an OS without telemetry (not Windows), make self-generated keys for GPG emails or OMEMO chat, and verify the key signatures directly with your comrades. If you need to communicate anonymously, bear in mind that there is no silver bullet.

      This is good advice. Ideally, if your life genuinely depends on being able to communicate or otherwise use the internet privately, use an amnesic OS like TAILS that will irretrievably erase anything you were doing once you shut down, or, for something more permanent, an OS specifically designed for protecting your anonymity, such as Whonix.

  • Just by using a proprietary version of Android with the Google Play services and a bunch of proprietary apps (even if the Lemmy client is open-source), you're already an easy target for data collection. Also, unless you're using some trustworthy proxy, any three-letter agency can easily find out that you've been visiting Lemmygrad.

  • There would be no need because if you use a proprietary operating system as nearly everyone does, they can and do just take the data directly from your device.

  • Anyone in the alphabet boys could keep tabs on you without the app so I don't see our precious tax dollars going there. I'm also sure some of our opsec nerds would be the first to scream about packets being sent places they shouldn't be. :P

  • They really don't need to, that would be a waste of time and effort. They already have agents in the most decrepit and vile parts of the internet to keep an eye out on the most deranged and potentially dangerous individuals (or those that show any sort of threat).

    But they can simply just rely on your ISP information, VPN information, direct information from your phone, your texts, your calls, and so on. All of which are things they already have access to.

  • I just access through the web behind a VPN. I would hope it is common knowledge that installing apps or programs for stuff is less secure, but who knows what tech the Five Eyes/Mossad have these days and I could be mistaken. There isn't even anything illegal going on here anyways.

  • I would say expect zero privacy anywhere in the fediverse.

    If you need to converse privately you should PGP your message first (but not in comments of course, that would be obnoxious).

    Things you post from your own or other instances get copied out across all the federated servers. Being run by volunteers, you KNOW some of them won’t have the greatest security.

    But no matter, simply leave nothing private here.

  • Just use FOSS apps