I’m self hosting both too. MollySocket’s docs are pretty clear that it never gets an encryption key for your account, so it can’t read your messages. It only gets/forwards alerts that something happened on your account AFAIK. So I’m not sure what data it has that’s worth encrypting.
For Signal/Molly, it’s less that the notification is encrypted as I understand it. It’s more the notification content is just “Hey! Stuff happened” for Signal. The app then reaches out directly to the Signal servers to see what’s new. So the message content is never sent via the push notification service (UnifiedPush or Google’s service).
That would require a lot of data privacy concerns to be addressed. Even if it’s an explicit opt-in. The current method uses sample text which can’t include PII. Using user supplied text would almost guarantee they’d get names and other PII in their data set.
I also imagine it’s harder to train the model when you don’t know exactly what the user was trying to type. I.e. Was the swipe detection wrong, or did the user delete the word because they changed their mind on what to write?
The issue isn’t a big deal for the average user. The vulnerability required them to first get your username and password, physically steal your Yubikey, spend half a day using $10-15k worth of electronics equipment to repeatedly authenticate over and over, they then could potentially make a clone of the key.
When I migrated emails last time, I setup my old email to automatically forward to the new email. Then on my new email, I setup an automatic label for any email that was addressed to the old address. Every week or two I’d review what was sent to it and either update the email address used or unsubscribe. Eventually it got to a level where I wasn’t getting much at the old email anymore and finally deleted it.
Bridge doesn’t support the calendar yet from what I’ve heard.
You can get notifications in other profiles. However it’ll be a generic “Profile X has a notification”. Tapping it will swap profles, but not exactly seamless.
It’s not that it’s closed, it’s more that none of the exiting email protocols support a server which can’t read your email (as it’s all encrypted). They do offer Proton Bridge which you can run locally which will handle all the decryption and local mail clients can talk to that as the would any other mail server.
I don’t know off hand if it supports calendar syncing though.
I’d say the main benefit Futo has over Heliboard is that it has native swype typing with its own model (and also own voice typing model).
Still a bit light on customisation (certainly compared to Heliboard), but a nice first release certainly.
Another vote for Immich. It’s a really nice experience on both the web and app.
I believe Steve has said that he hates the title/thumbnails too. But Google’s algorithms heavily incentives them, so he reluctantly uses them while maintaining the good quality content.
I do the two profiles on mine as well. The Google profile isn’t allowed to run in the background so it’s only active when I’m using an app that really needs it. Down to just a single app now that needs it.
This was the tool I used. It worked great for me.
Mine was having issues the other day too. Couldn’t see any apps when I opened it. Started working again when I checked it the next day.
I’ve swapped to using it since I switched to GrapheneOS. Only apps I’ve got using it so far are Tusky (Mastodon), Molly (Signal fork with UnifiedPush), and some of my self hosted stuff which allows for web hooks.
I really hope it catches on in more apps. Especially as their library has automatic fallback to Google’s service.
It’s not about it being locked. It’s being able to re-lock it after unlocking. You can unlock it, flash something like GrapheneOS on to it and then re-lock it. If it’s left unlocked, then anyone with a few minutes access to your phone could flash anything over the top allowing them to bypass the standard protections, install any app as at the system level.
I’ve tried a few of them now and have settled on Eternity.
FYI, last week someone saw that Signal merged in code for username (no phone number) support. So it might not be long until you see a beta release which allows you to sign up without a phone number.
I swapped to it at the start of the year. I’ve been really enjoying it so far. I’m down to a single app which requires Google Play Services installed. As it’s only one app I’ve created a second profile specifically for it and only have Google services installed in that one. I’ve disallowed it running in the background too, so my phone is never running the services outside the brief times I need to use the app.
Losing contactless payments was a minor inconvenience, but I picked up one of the cases which can fit a couple of cards inside as an alternative.
The UnifiedPush server is intended to be a single source your phone can keep a persistent connection open to, rather than needing a connection per service/app (this is how Google’s Firebase notifications work too).
As Signal doesn’t support UnifiedPush, MollySocket keeps a permanent connection open to Signal’s servers to listen for new activity and forward them to your UnifiedPush server. This saves your phone keeping a permanent connection open to Signal’s servers and draining your mobile battery more.