My fears with a Mega mobile application

Mega is making a mobile application: and this makes me nervous...

*tl;dr*: Encryption & Decryption are hard. So if there really is a mobile app for Mega I fear they're trading convenience for security.

If Mega truly follows a "trust no one" security model (as they say) it would be INCREDIBLY hard for an Android app to work.

Essentially what Mega is doing is holding a blob of encrypted data that only *you* know the key to. So if someone were to have physical access to their servers or hack in all they would get is blobs of *strongly* encrypted random noise - which wile not impossible to crack would be *very* cumbersome even with modern hardware.

Which brings me to my next point...

Here's what I see going down with the Android app:

A) You have to place files you want to access via mobile in a separate folder where the encryption is not so strong and mobile devices can read it off the server on the fly.

B) They do NOT have a "trust no one" security model where only you hold they key - they in fact have the key and can decrypt it on the fly for your mobile device.

C) There is some technological breakthrough I'm not aware of that would allow mobile devices to decrypt 2048bit AES encryption on the fly.

Example: with Dropbox & Google Drive your files are semi encrypted, but Dropbox has the key and can decrypt them for you - for your mobile device when it's logged in. If a Dropbox employee went rouge they could potentially decrypt and steal your files.

Another Example: Carbonite gives you the option to enable a "trust no one" security mode where they simply hold a blob of encrypted data for you, but this disables the ability to use their mobile app to access your files.

Yet Another Example: LastPass holds a blob of data, but they allow access via their mobile apps where the data is downloaded and decrypted locally. Although, basically all that's being downloaded is a smallish text file of your usernames & passwords. So performance isn't really a problem with text files, but with documents, music, & videos it could become an issue.

So I'm curious to see how this shakes out.

by Ben Pike