←back to thread

It looks like Signal isn't as open source as you thought it was anymore

(www.androidpolice.com)
242 points raybb | 1 comments | 06 Apr 21 18:04 UTC | HN request time: 0.23s | source
Show context
ndiscussion ◴[06 Apr 21 18:42 UTC] No.26715675[source]
It's been like this for a while, and the project owner's attitude is pretty negative overall. I do use signal daily, but I believe it's likely compromised ala lavabit.
replies(4): >>26715714 #>>26715934 #>>26716233 #>>26718058 #
morelisp ◴[06 Apr 21 18:46 UTC] No.26715714[source]
What's in the Signal server to be compromised?
replies(2): >>26715770 #>>26716093 #
ndiscussion ◴[06 Apr 21 19:13 UTC] No.26716093[source]
If you use the Signal app from the app stores, and communicate with the server, you are using 100% closed source software.

They could easily add a backdoor in the client despite the fact that it's "open source", because no one builds it from source.

replies(3): >>26716277 #>>26716307 #>>26716329 #
morelisp ◴[06 Apr 21 19:27 UTC] No.26716277[source]
Are Signal's Android builds no longer reproducible?
replies(1): >>26716710 #
ndiscussion ◴[06 Apr 21 20:04 UTC] No.26716710[source]
It looks like they are, but there might be a minor issue in verifying the content: https://github.com/signalapp/Signal-Android/issues/10476

But despite best efforts by the community to verify builds, Google and Apple can be forced to upload a malicious app to a particular user, meaning they aren't using the same app at all.

replies(2): >>26717259 #>>26717290 #
greysonp ◴[06 Apr 21 20:57 UTC] No.26717290[source]
> But despite best efforts by the community to verify builds, Google and Apple can be forced to upload a malicious app to a particular user, meaning they aren't using the same app at all.

Hi there! Signal-Android developer here. App signing verification is done at the OS-level, and Google does not have our signing key, so they wouldn't be able to give an existing user a different APK and have it successfully install.

replies(1): >>26717997 #
ndiscussion ◴[06 Apr 21 22:11 UTC] No.26717997[source]
Is that really true? Couldn't Google forcibly turn off the code-signing requirement on an individual's phone?

They've been known to reset passwords remotely in the past: https://www.theverge.com/2016/3/30/11330892/fbi-google-andro...

replies(1): >>26718205 #
1. codethief ◴[06 Apr 21 22:31 UTC] No.26718205[source]
No, they could not. And if you don't want to trust $random_manufacturer's Android ROM, you could switch to GrapheneOS[0] whose developer Daniel Micay attaches a lot of importance to reliable app signatures (which is why GrapheneOS doesn't come with MicroG as the latter would need signature spoofing).

[0]: https://grapheneos.org/