

242 points raybb | 11 comments
ndiscussion No.26715675
It's been like this for a while, and the project owner's attitude is pretty negative overall. I do use Signal daily, but I believe it's likely compromised à la Lavabit.
replies(4): >>26715714 #>>26715934 #>>26716233 #>>26718058 #
morelisp No.26715714
What's in the Signal server to be compromised?
replies(2): >>26715770 #>>26716093 #
1. ndiscussion No.26716093
If you use the Signal app from the app stores, and communicate with the server, you are using 100% closed source software.

They could easily add a backdoor in the client despite the fact that it's "open source", because no one builds it from source.

replies(3): >>26716277 #>>26716307 #>>26716329 #
2. morelisp No.26716277
Are Signal's Android builds no longer reproducible?
replies(1): >>26716710 #
3. mdaniel No.26716307
"No one" is a bit harsh; I even helped a poster in r/Signal set up a CircleCI build for the repo in order to show that it's not oppressively hard, just tedious (as with all things CI/CD).

The Signal Android build now uses some PKCS11 machinery that requires patching out to build without using a smartcard, but otherwise it works as expected.

I dove into this darkness while trying to fix the borked MMS handling on Visible (a Verizon MVNO), and it is the reason I'm generally with you: if someone can't build the project, then it's not effectively open source, IMHO, because I lose my "right to repair".

4. Caligatio No.26716329
By this standard, there is practically nothing that qualifies as open source. Compile something yourself? Well can you really trust your compiler unless you compiled it? How do you compile your compiler without a compiler? Obviously this is possible but no one does it; therefore no software is truly open source.
replies(1): >>26716692 #
5. ndiscussion No.26716692
I disagree that these are on the same level: compiling something yourself, or having something compiled by, i.e., the Arch Linux maintainers, requires a number of people to comply.

The app store is a single point of failure with huge reach.

6. ndiscussion No.26716710
It looks like they are, but there might be a minor issue in verifying the content: https://github.com/signalapp/Signal-Android/issues/10476

But despite best efforts by the community to verify builds, Google and Apple can be forced to upload a malicious app to a particular user, meaning they aren't using the same app at all.

replies(2): >>26717259 #>>26717290 #
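The verification the thread is circling around (does the APK a user actually receives match what the published source builds to?) comes down to comparing the two archives entry by entry while ignoring the signer-added files, since a local build is unsigned and the store copy is not. The script below is an added illustration of that comparison; it is not Signal's own tooling, and the APKs it checks are small constructed zip files standing in for real ones, not actual Signal artifacts.

```python
import hashlib
import io
import zipfile


def is_signature_entry(name):
    """JAR-style signing metadata: present in a signed APK, absent in a local build."""
    return name.startswith("META-INF/") and name.upper().endswith(
        (".MF", ".SF", ".RSA", ".DSA", ".EC")
    )


def entry_digests(apk_bytes):
    """Map each non-signature entry name to the SHA-256 of its decompressed contents.

    Hashing decompressed bytes means a different compression level alone
    does not produce a spurious mismatch.
    """
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(store_apk, local_apk):
    """Return (identical, report); report lists every entry that differs."""
    store = entry_digests(store_apk)
    local = entry_digests(local_apk)
    report = []
    for name in sorted(set(store) | set(local)):
        if name not in store:
            report.append(f"only in local build: {name}")
        elif name not in local:
            report.append(f"only in store APK: {name}")
        elif store[name] != local[name]:
            report.append(f"content differs: {name}")
    return (not report, report)


def build_fake_apk(entries):
    """Constructed stand-in for an APK: a zip holding the given name -> bytes map."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample inputs (placeholder package name and payloads).
CORE_ENTRIES = {
    "AndroidManifest.xml": b"<manifest package='org.example.placeholder'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
    "res/values/strings.xml": b"<resources/>",
}
# "Store" copy: same payload plus signer-added metadata.
STORE_APK = build_fake_apk({
    **CORE_ENTRIES,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"placeholder-pkcs7-blob",
})
# Unsigned local build of the same source.
LOCAL_APK = build_fake_apk(CORE_ENTRIES)
# A copy whose bytecode was altered: the check must flag it.
TAMPERED_APK = build_fake_apk({**CORE_ENTRIES, "classes.dex": CORE_ENTRIES["classes.dex"] + b"\x90"})

if __name__ == "__main__":
    for label, candidate in (("local build", LOCAL_APK), ("tampered copy", TAMPERED_APK)):
        ok, report = compare_apks(STORE_APK, candidate)
        print(f"{label}: {'MATCH' if ok else 'MISMATCH'}")
        for line in report:
            print("  " + line)
```

Two caveats a practitioner should keep in mind: newer APK signature schemes (v2 and later) live in a signing block outside the zip entries, so they never show up in this entry-level comparison, and a mismatch report only tells you which entries differ, not why; resolving that still needs a diff of the decompressed contents.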
7. morelisp No.26717259 {3}
If your threat model includes the ability to force Apple to do X, then Signal is irrelevant.
replies(1): >>26718003 #
8. greysonp No.26717290 {3}
> But despite best efforts by the community to verify builds, Google and Apple can be forced to upload a malicious app to a particular user, meaning they aren't using the same app at all.

Hi there! Signal-Android developer here. App signing verification is done at the OS-level, and Google does not have our signing key, so they wouldn't be able to give an existing user a different APK and have it successfully install.

replies(1): >>26717997 #
9. ndiscussion No.26717997 {4}
Is that really true? Couldn't Google forcibly turn off the code-signing requirement on an individual's phone?

They've been known to reset passwords remotely in the past: https://www.theverge.com/2016/3/30/11330892/fbi-google-andro...

replies(1): >>26718205 #
10. ndiscussion No.26718003 {4}
That's probably a good point; I'm using GrapheneOS, which is not identifiable to Google/Apple and can't be singled out for updates.
11. codethief No.26718205 {5}
No, they could not. And if you don't want to trust $random_manufacturer's Android ROM, you could switch to GrapheneOS[0] whose developer Daniel Micay attaches a lot of importance to reliable app signatures (which is why GrapheneOS doesn't come with MicroG as the latter would need signature spoofing).

[0]: https://grapheneos.org/