Author Topic: Version 1.8.0-153-dev - "work in progress", not in Google Play  (Read 2554 times)

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12742
Version 1.8.0-153-dev - "work in progress", not in Google Play
« on: January 29, 2017, 03:52:35 pm »
https://www.aqua-mail.com/download/AquaMail-market-1.8.0-153-dev-23f50ca565e2.apk

---

+ The redesign continues: a few fixes, updated nav drawer

Please post your feedback, if any, here:

http://www.aqua-mail.com/forum/index.php?topic=5314.0

---

+ The design update continues, a few fixes, updated the "navigation drawer"

Feedback thread:

http://www.aqua-mail.com/forum/index.php?topic=5314.0
Creating debug logs for diagnostics: https://www.aqua-mail.com/troubleshooting/

The official FAQ: https://www.aqua-mail.com/faq/

Log files for diagnostics: https://www.aqua-mail.com/ru/troubleshooting/

Questions and answers: https://www.aqua-mail.com/ru/faq/

srt10coupe

  • Full Member
  • ***
  • Posts: 110
  • srt Design Labs
Re: Version 1.8.0-153-dev - "work in progress", not in Google Play
« Reply #1 on: January 31, 2017, 07:40:59 pm »
New Feature: Fingerprint Unlock for App Security?

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12742
Re: Version 1.8.0-153-dev - "work in progress", not in Google Play
« Reply #2 on: January 31, 2017, 08:00:42 pm »
Re: New Feature: Fingerprint Unlock for App Security?

This already exists as an "idea for future versions" in our task tracking system. But I no longer decide on the order / priority all by myself.

srt10coupe

  • Full Member
  • ***
  • Posts: 110
  • srt Design Labs
Re: Version 1.8.0-153-dev - "work in progress", not in Google Play
« Reply #3 on: January 31, 2017, 08:31:52 pm »
Re: New Feature: Fingerprint Unlock for App Security?

This already exists as an "idea for future versions" in our task tracking system. But I no longer decide on the order / priority all by myself.
👍🏿

StR

  • Hero Member
  • *****
  • Posts: 1558
Just a comment on the issue of using fingerprints (or any other biometrics) for everyday simple operations security.
The short answer (and you are welcome to discuss this with any reasonable security experts): "This is a bad idea!"

Essentially, most (if not all) mechanisms of authentication rely on some information stored on the "secure" side, and the user who provides a token that must match that stored information. (There are additional steps in between related to encryption, exchange of information, etc., but those are not important at the moment.) That token can be a password, a one-time code provided to you by some device, or an image obtained from some part of you. Note that the image is ultimately also a sequence of bytes stored and transmitted similarly to how your password is stored and transmitted.

Let's consider that one of the secure-side storages is compromised (and it is not hard to imagine: big and small companies, ISPs, governmental agencies, including defense, have been compromised recently). What do you do to mitigate the leaked passwords? You replace the password. And you do that in all other places you've used that password (even though you were told it was not secure to use one password in multiple places).
Now, if that password is your fingerprint, what are you supposed to do? It is very hard (close to impossible) to change fingerprints, irises, ears, etc.

So, if you are using your biometrics for authentication in multiple systems, first, you are neglecting the advice not to reuse the same password in different places. Second, you have no way to mitigate the consequences once it is compromised in one place.

I've seen fingerprints being used to authenticate by restaurant employees each time they enter a new food order into the computerized system. I've seen it being used for parents to authenticate at the daycare, where all that was needed is to check in/check out their kids for the day (for the ease of accounting for operational logistics).

But, some might say, it is just on my device that I own and control.
I am not going to question Kostya's ability to do things properly (and he may or may not have proper security expertise; that is not the point), but even if he did everything correctly in his app, can you trust that your device itself is bullet-proof? With the reluctance of cell-phone carriers in the US to push Android updates, with the loose policies on permissions in Android and almost no serious checking for the apps distributed through Google Play, the answer is "No!"
Just a simple example: since the system (Android) and many other apps have access to the camera (or fingerprint sensor), they all can catch your fingerprint or iris image during the scanning process. Then, your most irreplaceable "password" is compromised forever and will be sold somewhere in the dark part of the internet for a few cents or a dollar each in a big batch.

While doing fingerprint or other biometrics authentication became popular (due to the ease of doing that in modern devices), I think it is a fad. The software/hardware developers should be responsible and should resist the temptation, and rather educate the population about the danger.