Password-protected messages compliance

[sosnovsky]

To ensure password-protected messages comply with security rules, client apps must check the subjects of composed password-protected email messages for specified strings. If any configured terms are found, the application should display an error message indicating that the password encryption method is incompatible with the composed message.

Client configuration will have 2 new optional properties (subject check should be performed only if both properties are set):

• disallow_password_messages_for_terms (string[]) - specifies an array of strings to check against the subject of the composed password-protected message. If any string in this array is found in the subject, an error alert must be displayed.
• disallow_password_messages_error_text (string) - defines the text to be displayed in the error alert. May contain URLs which should be auto-detected and be clickable in the displayed alert (for example, Password-protected messages are disabled, please check https://flowcrypt.com)

related FlowCrypt/flowcrypt-browser#5878

[sosnovsky]

Hello @DenBond7, can you please pause your work on thread functionality and implement this feature, as it's a customer request which needs to be released sooner.
And after implementing this one, let's make a new release and continue working on threads feature, as it'll require a thoroughly testing before publishing to play store. Thanks!

[DenBond7]

Sure, I'm switching right now.

[DenBond7]

disallow_password_messages_for_terms (string[]) - specifies an array of strings to check against the subject of the composed password-protected message. If any string in this array is found in the subject, an error alert must be displayed.

@sosnovsky is it a case-sensitive search?

for example, I have the following subject: Nise subject with Android and

"disallow_password_messages_for_terms":[
         "Android", //1
         "ANDROID",//2
         "android",//3
         "AnDroid",//4
 ]

Which option will be matched? Only 1 or all?

[sosnovsky]

Good point! Let's make it's case-insensitive, so all options will match in your example

[DenBond7]

I have a few more questions

1. ...messages for specified strings. If any configured terms are found, the application should display an error message indicating that the password encryption method is incompatible with the composed message.

What about the following case?

subject: Android developers from Europe and across the globe will converge this year at droidcon in London

"disallow_password_messages_for_terms":[
         "Droid",
         "ANDROID",
 ]

We have the word droidcon and one term Droid. Is it our case or should the search be word-oriented? Like

subject: Android developers from Europe and across the globe will converge this year at DROID con in London

2. disallow_password_messages_for_terms (string[]) - specifies an array of strings to check against the subject of the composed password-protected message. If any string in this array is found in the subject, an error alert must be displayed.

Should I expect that disallow_password_messages_for_terms will contain only non-empty strings?

Like

"disallow_password_messages_for_terms":[
         "Droid",
         "ANDROID",
 ]

but not like

"disallow_password_messages_for_terms":[
         "",
         "",
 ]

[DenBond7]

tests

• case when disallow_password_messages_for_terms and disallow_password_messages_error_text are not present
• case when disallow_password_messages_for_terms is present, disallow_password_messages_error_text is not present
• case when disallow_password_messages_for_terms is not present, disallow_password_messages_error_text is present
• case for a few terms in subject, URL in the error text

"subject":"Android developers from Europe and across the globe will converge this year at droidcon in London",
"disallow_password_messages_for_terms":[
   "Droid",
   "Android",
   "ANDROID",
   "android",
   "AnDroid"
],
"disallow_password_messages_error_text":"Password-protected messages are disabled, please check https://flowcrypt.com",

[sosnovsky]

We have the word droidcon and one term Droid. Is it our case or should the search be word-oriented?

Let's just search for the same string, not word-oriented. It's expected to have some specific terms in disallow_password_messages_for_terms, which won't be a common words, but some abbreviations for categorizing emails.

Should I expect that disallow_password_messages_for_terms will contain only non-empty strings?

I think there won't be empty strings, but let's have additional check for non-empty strings, to be sure that configuration is correct.

Thanks for such detailed questions!

[sosnovsky]

We have the word droidcon and one term Droid. Is it our case or should the search be word-oriented?

I also asked customer about this case, to be sure that it works correctly.