https://proton.me/news/security-audit-all-proton-apps?utm_campaign=ww-en-2a-generic-coms_email-g_eng-newsletter&utm_source=proton_users_mail&utm_medium=email&utm_content=2022_-_ma
There is some real bullshit.
Protonmail claimed to have had a full security audit on all their apps, and they claim they all passed, yet there is a glaring security fault in their Android Protonmail app that has existed for years, that I have reported to them THREE TIMES, and that has persisted through every version update of the app.
If you use Protonmail on Android you can easily verify this security fault.
Go to settings - Account Settings - Privacy
Turn on "Prevent Taking Screenshots".
This setting prevents the Android app manager, and any third-party apps, from taking screen captures of the decrypted inbox and emails while the user is reading them, which is a good security measure, right?
So now log out of Protonmail.
Now log back in and again go to settings - Account Settings - Privacy.
You see the setting you previously turned on to prevent screenshots is now turned off!
This is the only setting that resets back to off every time you log out. It gives no warning of that. All the other settings are persistent. So the average user who turned on screenshot protection is gonna assume it stayed like that, right? He will believe his decrypted email is protected from screen captures thereafter, when in fact it is not.
So how can a professional security audit not notice this obvious security flaw? Anyone who examined the code should surely see there is something different about that setting? If they could miss something as glaringly obvious as a security setting that does not stay set then how can anyone trust they did not miss more subtle flaws that could compromise encryption keys and passwords?
I strongly suspect this is deliberate. It allows Google to capture images of the inbox and their users decrypted email while the user reads it.
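Added example, not part of the original post and not Proton's code: the toggle described above maps to Android's WindowManager FLAG_SECURE on the app's window, so the post's observation can be confirmed without trusting the settings screen by dumping window-manager state from adb with the inbox open, once before logging out and once after logging back in. The script below parses the text of `adb shell dumpsys window windows` and reports whether the focused window carries the SECURE flag. The two dumps embedded in it are constructed samples in an approximation of that output; the package name com.example.mail and the activity names are placeholders, not any real app's identifiers. On a real device, capture the dumpsys text and feed it to the same functions.

```python
"""Check whether the focused Android window has FLAG_SECURE set.

Input is the text of `adb shell dumpsys window windows`. Screenshot blocking
on Android is done by the app setting WindowManager.LayoutParams.FLAG_SECURE
on its window; modern dumpsys prints that flag by name (SECURE) in the fl=
field of each window's mAttrs block.
"""
import re
from typing import Dict, Optional, Set

# Constructed sample approximating dumpsys output (not a real capture).
# Package and activity names are placeholders.
DUMP_BEFORE_LOGOUT = """\
WINDOW MANAGER WINDOWS (dumpsys window windows)
  Window #1 Window{a1b2c3d u0 com.example.mail/com.example.mail.ui.InboxActivity}:
    mOwnerUid=10123 package=com.example.mail
    mAttrs={(0,0)(fillxfill) ty=BASE_APPLICATION fmt=TRANSPARENT
      fl=LAYOUT_IN_SCREEN LAYOUT_INSET_DECOR SPLIT_TOUCH HARDWARE_ACCELERATED SECURE
      pfl=NO_MOVE_ANIMATION FORCE_DRAW_STATUS_BAR_BACKGROUND}
  Window #0 Window{e4f5a6b u0 NavigationBar0}:
    mOwnerUid=10099 package=com.android.systemui
    mAttrs={(0,0)(fillx48) ty=NAVIGATION_BAR fmt=TRANSLUCENT
      fl=NOT_FOCUSABLE NOT_TOUCH_MODAL LAYOUT_IN_SCREEN
      pfl=NO_MOVE_ANIMATION}
  mCurrentFocus=Window{a1b2c3d u0 com.example.mail/com.example.mail.ui.InboxActivity}
"""
# Constructed: the same dump with SECURE gone, which is what the post reports
# seeing after logging out and back in.
DUMP_AFTER_RELOGIN = DUMP_BEFORE_LOGOUT.replace(" SECURE", "")

WINDOW_HEADER = re.compile(r"\s*Window #\d+ Window\{[0-9a-f]+ u\d+ ([^}]+)\}:")
FOCUS_LINE = re.compile(r"mCurrentFocus=Window\{[0-9a-f]+ u\d+ ([^}]+)\}")
# Flag names are upper-case tokens after "fl="; "pfl=" (private flags) has no
# word boundary before "fl" and therefore does not match.
FLAGS_FIELD = re.compile(r"\bfl=((?:[A-Z0-9_]+\s*)+)")


def parse_window_flags(dump: str) -> Dict[str, Set[str]]:
    """Map each window title to the set of flag names in its fl= field."""
    flags: Dict[str, Set[str]] = {}
    current: Optional[str] = None
    for line in dump.splitlines():
        header = WINDOW_HEADER.match(line)
        if header:
            current = header.group(1)
            flags[current] = set()
            continue
        field = FLAGS_FIELD.search(line)
        if field and current is not None:
            flags[current].update(field.group(1).split())
    return flags


def focused_window(dump: str) -> Optional[str]:
    """Title of the window that currently has focus, or None if not listed."""
    match = FOCUS_LINE.search(dump)
    return match.group(1) if match else None


def foreground_is_secure(dump: str) -> Optional[bool]:
    """True/False for the focused window's SECURE flag; None when it cannot be
    determined (no focus line, or flags printed as a hex mask on old builds)."""
    title = focused_window(dump)
    if title is None:
        return None
    flags = parse_window_flags(dump).get(title)
    if not flags:
        return None
    return "SECURE" in flags


def setting_survived_relogin(before: str, after: str) -> bool:
    """The toggle only counts as persistent if SECURE is present in both dumps."""
    return foreground_is_secure(before) is True and foreground_is_secure(after) is True


if __name__ == "__main__":
    for label, dump in (("before logout", DUMP_BEFORE_LOGOUT),
                        ("after re-login", DUMP_AFTER_RELOGIN)):
        print(f"{label}: focus={focused_window(dump)} secure={foreground_is_secure(dump)}")
    print("setting persisted across logout:",
          setting_survived_relogin(DUMP_BEFORE_LOGOUT, DUMP_AFTER_RELOGIN))
```

Run the capture twice on the device, with the inbox in the foreground each time: if SECURE is present in the first dump and absent in the second, the toggle did not persist, which is exactly what the post describes. A window with FLAG_SECURE also renders black in `adb shell screencap`, so a pair of screenshots gives an independent second check that does not depend on parsing dumpsys at all.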