Add Internxt as a Drive alternative and as a Send tool

Internxt is end-to-end encrypted, and a great replacement for Google Drive, iCloud Storage, Google Photos, an encrypted Send tool, and more. It’s open source too.

It seems to me it’s not E2EE

1 Like

This was discussed earlier last year; we decided not to add it. There does seem to be an audit now:

Their blog does seem to be SEO optimized nonsense however.

It is:

4 Likes

Considering the security audit was not bad, and they already fixed all the issues in it (I contacted them to double check), and it’s FOSS, I think it should be added.

At first glance it seems alright. Their use of buzz words like “web3” raises some red flags for me though.

I think we’d want to evaluate it based on software stability, and whether it does what its main purpose is, and that is a place to dump files etc.

If we had one other option that was audited and open source, we could tighten the criteria. Though technically we do have two options now: Proton Drive, and potentially Internxt if it’s any good.

@user1 may be right.

Internxt-Mobile: SECURITUM-226409-019

According to the zero-knowledge encryption policy, no one, except the user, can access the user’s data. However, it was noticed that it is possible to access and decrypt the user’s files using only data sent to the Internxt servers.

As a result, an internal attacker who has access to data sent between users and Internxt servers is able to decrypt users’ files.

2 Likes

Data needed to decrypt user’s files (plaintext mnemonic value) should be processed only on the client-side code.

The plaintext mnemonic value issue has been fixed. We can contact them to double check or review the code.

1 Like
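To make the audit finding above concrete, here is an added illustration (not code from the Securitum report or from Internxt) of the difference between an upload flow that ships the plaintext mnemonic to the server and one that keeps it client-side. The request shape, the PBKDF2 key derivation and the HMAC-based stream cipher are all assumptions made so the example runs on the Python standard library alone; the cipher stands in for a real AEAD and is not meant for production use. The point it demonstrates is the one the auditor makes: whoever can read the request can decrypt the file only when the mnemonic is part of it.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample inputs for this illustration (not real user data).
MNEMONIC = "example mnemonic words used only for this illustration"
FILE_BYTES = b"contents of a user file that the server should never be able to read"


def derive_key(mnemonic: str, salt: bytes) -> bytes:
    """Derive a 32-byte file key from the mnemonic. In a zero-knowledge
    design this runs only in client-side code; the server never sees the input."""
    return hashlib.pbkdf2_hmac("sha256", mnemonic.encode(), salt, 100_000, dklen=32)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative symmetric stream cipher: HMAC-SHA256(key, nonce||counter)
    keystream XORed with the data. Same call encrypts and decrypts.
    Assumption: stands in for AES-GCM so the example needs no third-party library."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def upload_leaky(mnemonic: str, plaintext: bytes) -> dict:
    """'Before' flow, as in finding 019: the ciphertext is fine, but the plaintext
    mnemonic is included in the data sent to the server."""
    salt, nonce = os.urandom(16), os.urandom(12)
    key = derive_key(mnemonic, salt)
    return {
        "salt": salt.hex(),
        "nonce": nonce.hex(),
        "ciphertext": keystream_xor(key, nonce, plaintext).hex(),
        "mnemonic": mnemonic,  # the defect: secret material leaves the client
    }


def upload_zero_knowledge(mnemonic: str, plaintext: bytes) -> dict:
    """Corrected flow: only salt, nonce and ciphertext are sent. The mnemonic
    is consumed by derive_key on the client and never serialized."""
    salt, nonce = os.urandom(16), os.urandom(12)
    key = derive_key(mnemonic, salt)
    return {
        "salt": salt.hex(),
        "nonce": nonce.hex(),
        "ciphertext": keystream_xor(key, nonce, plaintext).hex(),
    }


def observer_decrypt(request: dict) -> Optional[bytes]:
    """Models the 'internal attacker' of the finding: someone who can read
    traffic to the server and has nothing else. Returns plaintext only if the
    request itself carries enough to rebuild the key."""
    if "mnemonic" not in request:
        return None
    key = derive_key(request["mnemonic"], bytes.fromhex(request["salt"]))
    return keystream_xor(key, bytes.fromhex(request["nonce"]), bytes.fromhex(request["ciphertext"]))


def client_decrypt(mnemonic: str, request: dict) -> bytes:
    """The legitimate user, who holds the mnemonic locally, can always decrypt."""
    key = derive_key(mnemonic, bytes.fromhex(request["salt"]))
    return keystream_xor(key, bytes.fromhex(request["nonce"]), bytes.fromhex(request["ciphertext"]))


if __name__ == "__main__":
    leaky = upload_leaky(MNEMONIC, FILE_BYTES)
    fixed = upload_zero_knowledge(MNEMONIC, FILE_BYTES)
    print("observer recovers file from leaky upload:", observer_decrypt(leaky) == FILE_BYTES)
    print("observer recovers file from fixed upload:", observer_decrypt(fixed) is not None)
    print("user still decrypts fixed upload:", client_decrypt(MNEMONIC, fixed) == FILE_BYTES)
```

The check a reviewer can apply to any such client is the same one `observer_decrypt` performs: capture an upload request and ask whether the request body alone (plus anything stored server-side) is sufficient to derive the file key. If it is, the "zero-knowledge" label does not hold regardless of how strong the cipher is.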

The auditor did not approve the “zero-knowledge encryption” claim, which may not have been the audit’s goal, considering that this issue is listed as a low severity level.

The PrivacyGuide team can read the audit report and make an informed decision. The Internxt team is welcome to comment and provide clarifications for listing.

1 Like

From Internxt:

All the reported feedback in the Securitum audit has now been implemented; that’s the exact reason why we paid for it and why we made it public (as making it public without the implementation would be unwise).

Hello, I’m the community manager of Internxt. As mentioned by @user_of_privacy we have already fixed the High-risk issues pointed out by Securitum in their audit. Regarding the last retest where 001 appears as ‘Medium’ instead of Fixed, this was before talking with them, as the referenced open ‘proxy’ no longer exists.

It should reflect as fixed in the next retest.

We are working hard to fix all of the issues pointed out by the audit and to add new features requested by the community. Please feel free to contact me if you need to have any questions answered.

2 Likes

Wait, why is this discussed again? Wasn’t Internxt this company with Facebook trackers in the platform and Google Ads on the homepage?

Thanks for your input @Nilinking! Question for you:

At one point you were publishing an APK file for your Android app so that it could be installed without Google Play, because of the issue open at Android App inclusion to F-Droid App Store. · Issue #64 · internxt/drive-mobile · GitHub. I can see that in December you were still doing that because the download at Release v1.5.22 · internxt/drive-mobile · GitHub has an app-release.apk download available.

However, the latest release on Releases · internxt/drive-mobile · GitHub (published yesterday) does not have an APK file download, so clearly this process was never automated. I assume that’s also the reason issue #64 on your repo is still open.

Do you know if automatically publishing Android builds to GitHub Releases is still planned and when that might happen?

2 Likes

Hi @jonah,

You are correct, it’s being done manually, and for now, it’s not a priority for us to automate it. This does not mean that it will not happen at some point, but they are being signed and uploaded manually on each build for now.

We are aware some people are degoogled, so we will continue to build the APKs as a standalone too.

1 Like

Hi @ph00lt0, thanks a lot for your feedback. I’m glad to tell you these issues were already addressed. We no longer use trackers or analytics on our websites or apps. We are working on reducing the number of permissions too.

https://reports.exodus-privacy.eu.org/es/reports/com.internxt.cloud/latest/

Hi @Nilinking,

Can you confirm again that issue “[NOT IMPLEMENTED][INFO] SECURITUM-226409-019: Zero-knowledge encryption policy violation” mentioned by @OyeMate is fixed? You said high severity issues are fixed, but this one was not listed as high.

1 Like

I will check with our devs tomorrow (they have already finished their shift today) to be 100% sure it’s fixed before I give you an answer. I said all High severity issues were fixed for the sake of accuracy, as there could be a couple of low-priority ones still remaining. But in reality, I think almost all of the issues pointed out by the security audit have been addressed.

This sounds very much against the fundamentals of privacy by design, but other than that your website still loads Google Ads. In your role you may be unaware of this, but it ain’t a good look.

2 Likes

I am a community manager but also a highly technical user. I have performed several tracking tests myself on the website, and as of last week, there was just one tracker measuring traffic on the website (rudderlabs).

However, I just made a new scan, and there seem to be new trackers added probably to track the performance of the currently ongoing campaign; I will bring this up to the team tomorrow. Thanks for pointing it out.

Some more feedback:
[Screenshot attached: SCR-20230321-oqx]
This is a very strange take on security. This seems to have changed since I last tested your service because I didn’t have this issue before.

The portal still connects to rudderlabs. Not as bad as Facebook like before, if I recall correctly, but still involuntary analytics, which are in violation of EU regulation. Besides that, I would urge you to not expose users to Sentry, as you may unintentionally ship user data to a third party. If you use it at all, consider self-hosting it or allow the user to opt in.