242 points raybb | 1 comments
ndiscussion ◴[] No.26715675[source]
It's been like this for a while, and the project owner's attitude is pretty negative overall. I do use Signal daily, but I believe it's likely compromised à la Lavabit.
replies(4): >>26715714 #>>26715934 #>>26716233 #>>26718058 #
morelisp ◴[] No.26715714[source]
What's in the Signal server to be compromised?
replies(2): >>26715770 #>>26716093 #
ndiscussion ◴[] No.26716093[source]
If you use the Signal app from the app stores, and communicate with the server, you are using 100% closed source software.

They could easily add a backdoor in the client despite the fact that it's "open source", because no one builds it from source.

replies(3): >>26716277 #>>26716307 #>>26716329 #
morelisp ◴[] No.26716277[source]
Are Signal's Android builds no longer reproducible?
replies(1): >>26716710 #
ndiscussion ◴[] No.26716710[source]
It looks like they are, but there might be a minor issue in verifying the content: https://github.com/signalapp/Signal-Android/issues/10476

But despite best efforts by the community to verify builds, Google and Apple can be forced to upload a malicious app to a particular user, meaning they aren't using the same app at all.

replies(2): >>26717259 #>>26717290 #
morelisp ◴[] No.26717259[source]
If your threat model includes the ability to force Apple to do X, then Signal is irrelevant.
replies(1): >>26718003 #
1. ndiscussion ◴[] No.26718003[source]
That's probably a good point. I'm using GrapheneOS, which is not identifiable to Google/Apple and can't be singled out for updates.