Traceable by Google every time you open the App... and using Google's Backup service to store the private keys unencrypted. Well, so much for E2EE.
This combined with what went on with LibreSignal and legal threats from moxie made me realize it's just a company selling privacy claims without proof.
(if you don't think this is true, use AppWarden or decompile the APK. Play Services, Firebase and Recaptcha are still integrated years after LibreSignal was forked.)
> Google PREF cookie
The PREF cookie is for Google's safe browsing feature. How on Earth would that find its way into Signal? (I doubt the link preview feature uses that, given how much effort they put into making sure they get it right[2].)
> Traceable by Google every time you open the App...
How so? AFAIK the Signal app doesn't connect to the Google servers directly (reCAPTCHA aside – I have yet to see it in Signal but even then it would be a one-time thing), so even if the cookie existed, it wouldn't get transferred anywhere. The Firebase Cloud Messaging library / Google Play Services on your phone do connect to Google but they carry unique identifiers, anyway (or otherwise push notifications would not work). If you don't want that, use a phone without all the Google stuff – Signal works fine without it (though it might need more battery).
> and using Google's Backup service to store the private keys unencrypted
Could you provide a source that's more accurate than "decompile the APK" or "read the source code"? AFAIR the app's database is encrypted at rest by a key in the phone's hardware key store precisely because the Signal developers did not want Google Backup to get access to the app's data. (Which is why they ended up rolling their own backup solution.)
> This combined with what went on with LibreSignal and legal threats from moxie made me realize it's just a company selling privacy claims without proof.
What legal threats? (I'm familiar with the discussion but I have yet to see Moxie threatening anyone.)
[0]: https://signal.org/blog/giphy-experiment/
It does connect to Google's servers for pretty much everything [1] - you can look for these constants in the codebase and you'll find lots of things that would worry any netsec person, including the key backup related stuff.
Signal doesn't only use Firebase for the sake of push notifications. Also keep in mind that push notifications/Firebase are unnecessary with a high priority notification, which is what e.g. other F-Droid FOSS forks of other apps use instead.
> What legal threats? (I'm familiar with the discussion but I have yet to see Moxie threatening anyone.)
Granted, most of the discussions in LibreSignal's repo [2] got very heated very quickly. Can't find the Twitter thread of @moxie at the time, and lots of replies in there got deleted from both sides. Maybe someone else can provide an archived version or screenshot? [3]
> Could you provide a source that's more accurate (...)?
Make an Access Point, use smartphone to connect to it. Run Wireshark, and you'll see what's happening. Use an AOSP ROM and use the Signal Download without Google Play Services (to be sure that it's not Google Play noise you're observing) [4].
[1] https://github.com/signalapp/Signal-Android/blob/d74e9f74103...
[2] https://github.com/LibreSignal/LibreSignal/issues/37
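The access-point-plus-Wireshark check described in the post above can be done offline once the capture is saved. The script below is an added example (not code from the thread, and not Signal's own): it reads an Ethernet pcap with only the standard library, pulls the QNAMEs out of the DNS traffic, and splits the names under Google-owned suffixes from the rest. The suffix list and the sample capture bytes are constructed for illustration; the hostnames in the sample exist only to exercise both branches and are not a claim about what Signal queries. Caveat: a device using DNS over HTTPS or pinned IP addresses will not show up in DNS at all, so pair this with TLS SNI and destination-IP inspection in Wireshark, and capture on a Play-Services-free ROM as the post suggests so you are not counting Google Play's own traffic.

```python
"""Added example: list DNS names queried in an Ethernet pcap and flag Google-owned ones."""
import struct
from collections import Counter

# Suffixes treated as Google-owned here (assumption for the example; extend as needed).
GOOGLE_SUFFIXES = ("google.com", "googleapis.com", "gstatic.com",
                   "googleusercontent.com", "firebaseio.com", "1e100.net")


def parse_qname(msg, off):
    """Decode a DNS name at msg[off:], following compression pointers. Returns (name, next_off)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer: continue at the pointed-to offset
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2  # the name ends right after the first pointer we follow
            jumped, off = True, ptr
            continue
        off += 1
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (end if jumped else off)


def dns_question_names(msg):
    """Return the QNAMEs from the question section of a DNS message (query or response)."""
    if len(msg) < 12:
        return []
    qdcount = struct.unpack("!H", msg[4:6])[0]
    off, names = 12, []
    for _ in range(qdcount):
        name, off = parse_qname(msg, off)
        off += 4  # skip QTYPE and QCLASS
        names.append(name)
    return names


def udp_payloads(pcap, port=53):
    """Yield UDP payloads to/from `port` from an Ethernet pcap (IPv4 only, no VLAN tags)."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24  # global pcap header
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 17:  # IP protocol field: 17 = UDP
            continue
        udp = frame[14 + ihl:]
        sport, dport, ulen = struct.unpack("!HHH", udp[:6])
        if port in (sport, dport):
            yield udp[8:ulen]


def google_lookups(pcap):
    """Return (google_names, other_names) as {name: query_count} dicts."""
    counts = Counter()
    for payload in udp_payloads(pcap):
        for name in dns_question_names(payload):
            counts[name.lower()] += 1
    google = {n: c for n, c in counts.items()
              if any(n == s or n.endswith("." + s) for s in GOOGLE_SUFFIXES)}
    other = {n: c for n, c in counts.items() if n not in google}
    return google, other


# --- constructed sample capture (not a real trace) -------------------------
def build_query_frame(qname):
    """Build a minimal Ethernet/IPv4/UDP/DNS query frame for the sample pcap."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + labels + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 168, 4, 2]), bytes([192, 168, 4, 1])) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_pcap(frames):
    """Wrap frames in a little-endian pcap file (link type 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


# Hostnames chosen only to exercise both branches; they are not a claim about Signal.
SAMPLE_PCAP = build_pcap([build_query_frame(n) for n in (
    "chat.signal.org", "mtalk.google.com", "firebaseinstallations.googleapis.com", "chat.signal.org")])

if __name__ == "__main__":
    google, other = google_lookups(SAMPLE_PCAP)
    print("Google-owned:", google)
    print("Other:", other)
```

To run it on a real capture, replace SAMPLE_PCAP with `open("capture.pcap", "rb").read()` and apply a capture filter for the phone's IP when recording, so other clients on the access point do not pollute the counts.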
For what else does it use Firebase?
> Also have in mind that push notifications/firebase is unnecessary with a high priority notification, which is what e.g. other f-droid FOSS forks of other apps use instead.
That's news to me. OTOH I'm not familiar with the term "high-priority notification" outside the FCM realm. Unfortunately, a quick Google search only yielded results related to FCM. Could you explain what you mean?