this post was submitted on 01 Apr 2026

ArcaneChat Forum


Private chats for the family 🥳

ArcaneChat is a private and secure messenger focused on privacy and friendly user experience.

ArcaneChat is a Delta Chat client and it is compatible with other Delta Chat clients.

Learn more at: https://arcanechat.me/

WARNING: if you are reading this in the fediverse, this is not an official communications account of ArcaneChat project but a Lemmy community/forum


I have a question for the #DeltaChat crowd: What if someone has a quick access to one of my devices, let's say I forget to lock my phone or laptop and an attacker adds their phone as a secondary device to my profile. Is there any mitigation possible? Could I realize it? Could I disable their access?

Cc @delta @ArcaneChat

[–] adbenitez@lemmy.ml 2 points 5 days ago (1 children)

hi, with the laptop it is easier to exploit, but in the case of phones it is not so easy: the pin/lock is asked when someone tries to add a second device or create a backup so they can't just snap your profile there

besides that, to completely block access to certain apps, not only ArcaneChat/DeltaChat, android has a feature called "Private space" where you can protect with your lock/pin apps from being opened or even visible at all

in case it was in a laptop, where it is much easier to steal, since even if you could show an unavoidable warning about the profile transfer as discussed at https://support.delta.chat/t/dont-allow-to-delete-device-messages-chat-and-some-of-its-messages/4693 the program data folder could also just be copied. This is a problem of the low security of desktop systems: better never let anyone use your laptop in the same session as your personal session; you could have a guest session/user for such situations

if the worst happened and you suspect someone took your profile, there is no safe way out of it, since your identity lives in your pocket, in your devices (the encryption identity), and not in a server. If someone gets it, the only safe way out is to create a new profile and tell everyone to block the older contact and remove the old contact from all groups etc

[–] arcanechat@fosstodon.org 1 points 5 days ago

@lou_de_sel highlight from previous answer about how to notice if someone took your profile (mainly if it is a non-professional spy but just some toxic partner):

you would notice because some messages you didn’t read are not notified and appear as already read

[–] dnipro@twiukraine.com 1 points 5 days ago

@lou_de_sel @delta @ArcaneChat
In #arcanechat I could not find any security settings where one could enter a kind of PIN to lock/unlock the app itself.

[–] rtn@chaos.social 1 points 5 days ago

@lou_de_sel @delta @ArcaneChat Good question! If you use a VPN which doesn't allow LAN connections you could at least make it harder for them to add their device as a second device.

Difficult to realize they have done this unless they start writing messages on your behalf and you can tell something was written that wasn't you.

[–] INeedMana@piefed.zip 1 points 5 days ago (2 children)

Simplest idea I would have for that would be to switch to single device, change the password and add trusted devices again

But if they had access to your device, why would they spend time on only Delta, instead of just installing a rootkit? My point being, it's often said that if an attacker had physical access, the game is already lost

[–] rakoo@blah.rako.space 0 points 5 days ago (1 children)

@ineedmana

Your account is on the devices, not on the server. You can't change your password (unless you're using non-chatmail servers)
@lou_de_sel

[–] INeedMana@piefed.zip 1 points 5 days ago (1 children)

Maybe I'm missing some detail on how DC works but you have to have an account in order to get your messages. Even in Arcane, which is aimed at being more non-technical-friendly, you can see your login and password in the "relays" settings

[–] rakoo@blah.rako.space 1 points 4 days ago (1 children)

@ineedmana

At this point it becomes technical jargon, but "account" kinda implies storing settings, profile, and such. A relay address has none of this; it's just a queue you have exclusive access to.

This setting allows you to modify the password to access the address on the relay, but you can't change the password of the address on the relay

[–] INeedMana@piefed.zip 1 points 4 days ago (1 children)

Hmm. So to invalidate all other accesses one would have to reach out to relay admin?

Since technically it's an email server underneath, maybe that feature could be available via mail web ui if the relay had one?

[–] rakoo@blah.rako.space 0 points 4 days ago (1 children)

@ineedmana

I'm not part of the team, but that is counter to the philosophy of where chatmail relays are going, which is "no admin of mail accounts". All administration must be doable on the device with no dependency on the server. It is important that the server can be offline, or just disappear with no warning, and that the user can still do everything.

[–] INeedMana@piefed.zip 1 points 3 days ago

Well, in that case administration of password change seems to not be doable on the device

[–] lou_de_sel@eldritch.cafe 0 points 5 days ago (1 children)

@INeedMana yeah I know it's a serious security breach but I'm not thinking about big time attacker but someone like a partner in a toxic or abusive relationship, or a treasonous friend.

Someone who you unknowingly trust but has not really the means to install a rootkit. Just open Delta chat, flash the QR code and put the phone back down.

Someone doing that with Signal/Molly would eventually get caught or at least blocked next time I review my devices list. But that can't happen with deltachat?

[–] INeedMana@piefed.zip 1 points 5 days ago* (last edited 5 days ago)

I've only found this

EDIT: and this. Maybe there is some app locker on f-droid for older androids