Comment by londons_explore 4 days ago

One could imagine a design where even the app vendor is untrusted... You would send an encrypted chunk direct to the GPU, which would then decrypt and render the message text in some secure environment onto the screen.

Neither the OS nor the application would know the contents of your message beyond "it's 500x700 pixels".

Similar things are done for DRM video, and Widevine level 1 or 2 haven't seen many breaches despite running on a wide array of hardware open to physical attack.

antonvs 4 days ago

Oh it's definitely possible. The (dis)incentives tend to be strongly against such secure systems, though.

  • londons_explore 4 days ago

    In the messaging game, there is every incentive to be seen as the secure-est one.

    If you can have an e2e chat between two iPhones locked in a big glass box with a sign that says "Anyone who can hack into this conversation gets $100M", that's a really good marketing campaign.

    If you can make the app use secure enclaves or whatever to take the ~100k people who write the source code of the libraries, app and OS out of the attack surface, that $100M becomes much safer.