Remote wipe from a lost device

Delta Chat already has a Disappearing Messages feature and settings to configure deletion of messages from the device and from the server after a selected time period.

These features however do not help if the device is lost or stolen, because messages are not deleted immediately. For this case there should be a way to remotely wipe a profile from the device.

One way to implement it would be to generate a device code that will wipe the profile when received. This solution is independent of the server. There is unfortunately no way to know if the message is lost to a spam filter and if it was ever downloaded by the remote device.

Another option would be to integrate this feature into the IMAP server as part of more general device management:

We can also add an FAQ entry describing how to wipe lost mobile devices using built-in features.

Once the profile is removed from the device or the device is wiped, the user should be able to rotate the key:

Signal does not have a way to remotely wipe a device. It is possible to disconnect a linked Signal Desktop device, but this does not remove message history from the device. This feature has been requested on the Signal Community forum:

Telegram has an FAQ entry “Q: My phone was stolen, what do I do?”

For personal devices Apple has the Find Devices feature and Android has the Find My Device feature to track and remotely wipe devices that have Apple or Google accounts.

Google Workspace allows admins to remotely wipe devices:


Previous similar topic:


One idea we had: users can go to the settings to generate a “wipe this device” token, and send it to a chat. Then everyone in the chat can click on it (with a confirmation message I’d say) to wipe the device remotely. I think nothing speaks against sending out an “I received the wipe command” message before starting with the wipe; it would be useful information on whether the device still had wifi etc.

The typical case would be getting arrested at a protest; your friends watch it happen and can wipe your device, because you enabled them beforehand. But the police might put the phone in a faraday bag before you think of wiping it; so getting a confirmation message would be very useful.

After the protest you can revoke the wipe token by clicking on it in the chat, or maybe also in the settings with an overview where you left tokens.


I think the “wipe this device” token is a great idea! Another idea I would suggest, maybe you already have thought of this, is the option to create a special type of group chat where any member can delete any message (even other people’s messages) from everyone’s device or clear the whole chat on everyone’s device. This could be suitable for small groups of trusted activists. Obviously this should not be the default type of group chat, and it should be clear to all group members how it works when they join the group chat.

Of course, it’s great that you’re coming up with something here, but don’t you think that it’s all solved by simply installing a PIN code on the chat, or the application itself? Whether it’s activists or journalists, no one has the right to use the same PIN code to provide access to their personal data, violating private property. And the data, as mentioned earlier, is encrypted securely by the Android or iPhone operating system itself. After all, this is why developers refuse to do local encryption, and I agree with them: why reinvent the wheel when it can be provided by Google.

Passwords do not protect against this threat: xkcd: Security, which is common in many regions. A duress password which wipes the device when you enter it might help, as GrapheneOS offers it. But I also think it is the job of the OS to provide disk encryption, duress passwords, etc., and can’t be solved by the applications themselves.


There are forensics tools which can restore deleted files even if they were encrypted; with Android’s file-based encryption this might be easier than with the old Android full disk encryption.

To protect against such a case, we can issue a lot of sqlite UPDATE commands which overwrite database rows instead of deleting them; the longer they run (until the phone is turned off, probably), the harder it is to recover the data by forensic means.

Agreed, PIN codes can be subverted, wiping the data provides better guarantees. Overwriting database rows like you suggested would be best, but I guess this is a “best effort” and there is no way to be completely sure you’re overwriting the right location when the hardware uses wear leveling?
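The overwrite-instead-of-delete idea from the two posts above, as an added example that is not Delta Chat's code: it assumes a constructed `msgs` table (not the real schema), rewrites each row's payload with random data of the same size for several passes, then deletes and vacuums. As the last post notes, this is best effort; wear leveling, journal files and filesystem snapshots are outside what SQL can reach.

```python
import os
import sqlite3
import tempfile
# Constructed sample schema and rows standing in for a chat database; this is an
# assumption, not Delta Chat's real schema.
SCHEMA = "CREATE TABLE msgs (id INTEGER PRIMARY KEY, chat_id INTEGER, txt TEXT, blob BLOB)"
SAMPLE_ROWS = [(1, "meet at the square at 17:00", b"\xaa" * 64),
               (1, "bring the banners", b"\xbb" * 32),
               (2, "unrelated chat", b"")]

def create_sample_db(path):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO msgs (chat_id, txt, blob) VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn

def shred_chat(conn, chat_id, passes=3):
    """Overwrite payload columns of every row in chat_id with same-size random
    data once per pass (committing each pass so the rewritten pages reach the
    file), then delete the rows and VACUUM. Returns the number of rows shredded."""
    conn.execute("PRAGMA secure_delete = ON")    # zero-fill freed space on delete
    conn.execute("PRAGMA journal_mode = DELETE")  # do not leave old pages in a WAL
    rows = conn.execute("SELECT id, length(txt), length(blob) FROM msgs WHERE chat_id = ?",
                        (chat_id,)).fetchall()
    for _ in range(passes):
        for msg_id, txt_len, blob_len in rows:
            junk_txt = os.urandom(txt_len or 0).hex()[:txt_len or 0]  # same char count
            junk_blob = os.urandom(blob_len or 0)                     # same byte count
            conn.execute("UPDATE msgs SET txt = ?, blob = ? WHERE id = ?",
                         (junk_txt, junk_blob, msg_id))
        conn.commit()
    conn.execute("DELETE FROM msgs WHERE chat_id = ?", (chat_id,))
    conn.commit()
    conn.execute("VACUUM")  # rebuild the file so freed pages are not kept around
    return len(rows)

def demo():
    path = os.path.join(tempfile.mkdtemp(), "msgs.db")
    conn = create_sample_db(path)
    shredded = shred_chat(conn, chat_id=1)
    remaining = conn.execute("SELECT count(*) FROM msgs").fetchone()[0]
    conn.close()
    with open(path, "rb") as fh:
        raw = fh.read()  # raw file bytes, what a forensic carve would see
    return {"shredded": shredded, "remaining": remaining,
            "plaintext_in_file": b"meet at the square" in raw,
            "other_chat_in_file": b"unrelated chat" in raw}
```

Only the main database file is checked here; the rollback journal written during each commit is a separate file whose freed blocks the example does not touch.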