That is a problem with most desktop or laptop computers, too. I don't think "runs on a smartphone" is practically different from "neglects client endpoint security". A properly built and programmed smartphone is indistinguishable from a regular computer.

On 24 July 2014 09:29:11 GMT+01:00, stef wrote:
> On Thu, Jul 24, 2014 at 08:39:35AM +0200, Stephan Neuhaus wrote:
>> On 2014-07-23, 23:59, stef wrote:
>>> exactly this prompted me to come up with the seven rules of thumb to detect snakeoil:
>>>
>>> 1. not free software
>>> 2. runs in a browser
>>> 3. runs on a smartphone
>>> 4. the user doesn't generate, or exclusively own the private encryption keys
>>> 5. there is no threat model
>>> 6. uses marketing-terminology like "cyber", "military-grade"
>>> 7. neglects general sad state of host security
>>
>> In order to qualify as snake oil according to this definition, do all of these have to be true, or is any criterion sufficient?
>
> any is enough, but combo-bonuses are combo-bonuses.
>
>> Because if it's "any", then this [1]https://www.cylab.cmu.edu/safeslinger/ is snakeoil, which I think is unfair. (Note that I'm not saying that this is a secure app; I haven't looked at the code. But you can't fault the authors on threat modelling etc. Its only "fault" is that it runs on a smart phone.)
>
> well, you have a baseband stack behind it, and a vendor/provider delivering stuff without your consent, etc...

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

References

1. https://www.cylab.cmu.edu/safeslinger