Can consider this for next release nevertheless. It's actually very easy to implement, the hard part is to not confuse end users. But really, all the hard work has to be done the Cloudron admin to communicate to their users.

1. Apps that have their own 2FA system, like Gogs, Gitlab, Wiki.JS, etc.
NOTE: I have used this trick in quite a few apps to save myself from having dozens of 2FA secrets. I simply replace the app's mfa_secret value with the secret from Cloudron (Hint: while setting up 2FA on your Cloudron account, select to enter code manually, and write the displayed secret in a piece of paper so you can copy it elsewhere).

Cloudron has access to the database so Cloudron could automate this process:

• enabling 2FA for that user in the app by authenticating as that user.
• replacing the TOTP secret in the app with the TOTP secret from the Cloudron user account.

The 2FA code from Cloudron will also work on the app, so no need to have per-app 2FA codes. But this approach has downsides:

1. The maintainer of this feature needs to keep things updated when the app's database schema changes!
2. The apps usually create a new account when the user logs in using LDAP. For the above approach to work, Cloudron should make those changes before the user's account is created on the app.

I have only done this with my own account because it's quite time consuming to replace the TOTP Secret for all users of my Cloudron instance; a script would certainly help.

2. Apps that do note have native support for 2FA
Proposed solutions:

• Cloudron adds a feature to support PASSWORD;TOTP as password, and validate TOTP by extracting it from the input. For this to work, all users must be informed. I wish password managers and authenticator apps had a feature to make it easier to auto-fill 2FA codes as well...
• can't think of another way, will add if I can come up with something

Enabling 2FA for all apps is an important feature for some users like me, because of compliance reasons & a bit of paranoia. I can't trust everyone to not fall for phishing attacks, so I really wish Cloudron team kept this feature in priority. For the time being, I'm enabling 2FA in per-app basis, and avoiding apps that don't have 2FA built in.

I've recently tried out Bromite (a privacy focused fork of Chromium) after someone mentioned when I tweeted about an annoyance with using Mastodon using Firefox on Andriod (with long toots it's impossible to reply because you can't get down to the Toot button)... I quite like it but even though it's using uBlock and other filters it doesn't seem to actually block as much as Firefox + uBlock (possible because Bromite doesn't support CSS filter, I think).

Have you looked into good open source source Chromium forks before? Ideally ones that block ads. I find Twitter works better in Chromium based browsers on Android than on Firefox, but I can't stand seeing ads and I don't see them on Firefox with uBlock...

@jdaviescoates Interesting, I deleted the Facebook app a long time ago. Makes me think I should do the same for other social spyware too. Will give it a try.

One thing I've started doing is using the browser "install app/ add to homepage" whatever they call it feature for various things like Twitter/ Mastodon/ this and other Forums I use so they kinda sorta work like apps but really I'm just using the browser (but I stay logged in and don't have to install the actual app)

I hear a lot of the claims that you'd be able to see the bandwidth if audio was going to central servers

You need a ridiculously low amount of bandwidth to transmit proper audio: https://www.wowza.com/blog/opus-codec-the-audio-format-explained

But the discussion has already went off topic enough.

Let's just hope applications will be faster I'm adopting webauthn, than they are at implementing oidc.

I hear a lot of the claims that you'd be able to see the bandwidth if audio was going to central servers but with the computing power in phones I'm pretty sure they can do the local transcription and just send the data encoded for minimal footprint.

It mostly appears to be contact cross-referencing interests but given that any big ad network could acquire data by proxy from a chain of apps to keep their distance from the actual spyware themselves, I'm just increasingly aware of coincidences.

I mentioned "coffee machine" on a phone call to a friend, hadn't typed it in anywhere or searched anything. Next time I look at Twitter the first ad is for a Nespresso machine.

I think it's just a coincidence ^^ There is no reason to think ad companies are literally listening to you 24/7 : it's too costly from a computing power standpoint, so not worth it.

What they're doing is "just" knowing everything else about you : who you're talking to, what your looking at online, what are your interests, your age, where you live ... And based on that, they can just guess that you may be interested in coffee machines.

(Which, if you ask me, is even scarier that being listened to ^^)

amazing how ridiculously insecure things were even 15 years ago.

I think people are going to think the same 15 years from now ^^

I deleted the Facebook app a long time ago

I never even installed it as it asked for such a ridiculous number of permissions.

Next time I look at Twitter the first ad is for a Nespresso machine.

I only ever look at Twitter through Firefox with ublock origin installed, so don't see ads on there.

The UX is a bit shit in the mobile browser (especially since recent Firefox update, ironically), but that helps me to use it less on my mobile!

I mentioned "coffee machine" on a phone call to a friend, hadn't typed it in anywhere or searched anything. Next time I look at Twitter the first ad is for a Nespresso machine.

So, it doesn't matter how good my security is, we all rely on the security of everyone we are connected to.