By not storing decrypted message on device? You can also block screenshots if you have a reasonable suspicious your screen can be used to capture the text shown on the device.
Apps using Flag_Secure and Secure_display can block screencapture. While user apps stay below MDM apps in privilege. The MDN app themselves reside below the android system.
Do you have a source of MDM apps bypassing secure display and having the ability to capture the display?
Google maintains both the Pixel device management and Google Messages. Do you really think they would have locked their own MDM out of their own messaging app?
No, I saw, but the initial post is about RCS and Google’s MDM API. You’re fighting real hard over something Google has total control over. Signal might be fine, but if you’re not the device owner, you should always assume security is compromised in favor of the actual owner. With MDM, the company can install whatever they want on the device.
I won’t accept an MDM device for personal use. I was just replying about signal being compromised with regular MDM in work profile on a non-rooted phone.
Everything would still be monitored. But, messages in signal should not be.
This is why I carry two phones. My work phone is an iPhone managed by Intune. It does work stuff and only work stuff. My personal phone is a Pixel 9 Pro XL. It goes on a VPN when on work wifi.
I do not, nor will I ever, understand those who use their work-issued phone for personal things.
Messaging apps often implement various APIs for better Android integration. But even if they don’t, any management service can implement certain APIs, like the accessibility API, that gives them access to everything each app is doing. In that case, it can’t necessarily read the messages as data, but it can record your screen as image or video.
And how do those apps prevent device management from accessing the messages when they’re decrypted?
By not storing decrypted message on device? You can also block screenshots if you have a reasonable suspicious your screen can be used to capture the text shown on the device.
The apps run at less privileges than device management apps. They can’t do any of that
Apps using Flag_Secure and Secure_display can block screencapture. While user apps stay below MDM apps in privilege. The MDN app themselves reside below the android system.
Do you have a source of MDM apps bypassing secure display and having the ability to capture the display?
My dude.
Google maintains both the Pixel device management and Google Messages. Do you really think they would have locked their own MDM out of their own messaging app?
I was talking about signal. Did you miss that?
No, I saw, but the initial post is about RCS and Google’s MDM API. You’re fighting real hard over something Google has total control over. Signal might be fine, but if you’re not the device owner, you should always assume security is compromised in favor of the actual owner. With MDM, the company can install whatever they want on the device.
I won’t accept an MDM device for personal use. I was just replying about signal being compromised with regular MDM in work profile on a non-rooted phone.
Everything would still be monitored. But, messages in signal should not be.
This is why I carry two phones. My work phone is an iPhone managed by Intune. It does work stuff and only work stuff. My personal phone is a Pixel 9 Pro XL. It goes on a VPN when on work wifi.
I do not, nor will I ever, understand those who use their work-issued phone for personal things.
If the app has decrypted messages, device management can see them.
How? The decrypted messages would have to be stored in plan text to be read. Unless, it can be read from RAM…
If you can read it, they can read it. They have root on the company device.
If it’s rooted sure. But, regular work profile phones with MDM software are not.
Messaging apps often implement various APIs for better Android integration. But even if they don’t, any management service can implement certain APIs, like the accessibility API, that gives them access to everything each app is doing. In that case, it can’t necessarily read the messages as data, but it can record your screen as image or video.
True, but Accessibility API cannot bypass secure display, and secure flag I had replied that in another comment so I did not mention that here.
MDM has far more privileges than Accessibility will grant.