from Hacker News

CoverDrop: A secure messaging system for newsreader apps

by andyjohnson0 on 6/9/25, 7:53 AM with 14 comments

  • by mdhb on 6/9/25, 3:06 PM

    I love this as an idea, it reminds me a lot of when the CIA were caught making all those obscure websites like Star Wars fan sites etc that were really designed as covert communication systems.

    The Guardian doesn’t call it that explicitly, but that’s exactly what they have built here, and I think the cover of a news app is brilliant in a lot of ways.

    The only thing I would mention on top here as well is if you are planning to leak something using this app I still wouldn’t feel comfortable doing it on any device that could be investigated.

    For example, a work-provided phone. While having the Guardian app is itself in no way incriminating, if you were to play out the scenario of an internal leak investigation at an organisation that has just ended up on the front pages of the Guardian, I think you could end up with a very short list by simply asking:

    1. WHO had access to that information to begin with?

    2. WHO had that app on their phone, or the App Store shows it as previously downloaded, or they wouldn’t make their phone available for inspection?

    So if you’re in a scenario where you’re leaking something only known to a small group and / or your device can be inspected by someone relevant… I’d continue to strongly recommend making contact via a device that isn’t tied to you like your partner or someone you trust.

    Remember, the ACTUAL goal here is to defeat the investigation and the best thing you can possibly do here is to not stand out from the crowd of suspects any more than anyone else.

    There’s a very short link, however, between this app and the information you provided turning up in the Guardian specifically that might not actually give you the cover you think you have (beyond the technical parts that they took care of, which look brilliant, for the record). But the next best thing by far I think you could do to help with that larger goal is to use a device not linked to you and that can’t be inspected to begin with.

    I just wanted to point that out because it wasn’t called out in the threat model and I could realistically see people getting caught that way.

  • by ajb on 6/9/25, 8:20 AM

    Perhaps more explanatory is the main website https://www.coverdrop.org/

    It's worth noting that in the UK, the Official Secrets Act 1920 actually protected anonymous contacts with newspapers. It's a shame this was dropped in later legislation.

  • by agotterer on 6/9/25, 8:32 PM

    Many news organizations use https://securedrop.org/. How is CoverDrop different/better?

    Supported outlets: https://securedrop.org/directory/

  • by ramon156 on 6/9/25, 6:02 PM

    When are releases coming so I can add it to Obtainium?