
periodic reminder that Signal has mandatory google play services in it which makes the whole thing completely useless

google can just read your messages after the app decrypts them. google is also part of PRISM

moxie has explicitly refused to make an f-droid build, which would mitigate this complete bypass of the e2ee security model by not including any untrusted google binaries. wonder why that is :thounking:

@haskal @grainloom honestly as someone who used to develop an open source Android app: fuck fdroid, caused me so many stupid support requests and so many headaches

@erincandescent @haskal @grainloom
The f-droid build was managed by the community though, and moxie explicitly said they were not allowed to communicate with his servers, basically shutting down the project.

It’s “free software” but if you modify it you can’t use it.....

@erincandescent @haskal @grainloom On both sides projects where devs spend their spare time and users contribute by tickets and testing, I guess a rude tone isn't anything appropriate ... 🙄

@haskal isn't it just because of gcm or does the code affect anything else?

@haskal wait, why does fucking ANYONE trust signal then?

@Ilian_Amarin @haskal because there are many super vocal people repeating that "signal was the most secure thing on earth"

@haskal when are people gonna make a reimplementation of signal that doesn't depend on anything and just say fuck you to the original devs

@lunch @haskal It does exist. XMPP with Conversations on Android uses OMEMO encryption which is based on the Signal Protocol. It is even federated

@waweic @haskal other protocols exist but there's no way to talk to *existing signal users*

@lunch @haskal someone did, but that project was abandoned because Moxie Marlinspike said he was not OK with LibreSignal using the Open Whisper Systems servers and the name "Signal"

github.com/LibreSignal/LibreSi

@haskal they also explicitly forbid 3rd party clients

for your own safety, of course

@haskal warn me when someone decompiles google play services and shows that it can actually invade other programs' memory address space, okay?

@haskal Signal apparently still works with microG, so that's an option to cut out google

@uint8_t @haskal Not completely. A part of the play services is also built into each app that uses them.

@haskal Signal signs the builds published through their website and Play. F-Droid creates their own builds and publishes them with their own signature. Signal has to trust F-Droid to timely ship updates and take care of that signing key. Google can't just give a malicious version to you specifically. The version of Play libs you get is the same Signal devs have tested with. Supporting multiple build flavors is too much support hassle for no practical security benefit.

@dadada @haskal Except that Google can trivially give you malicious versions, as finely targeted as they want and completely silently, since they also control the application that actually does the installations (not to mention the rest of the operating system).

@elomatreb @haskal If you have no Play services installed and have verified that there are no backdoors in AOSP I suppose you are fine. Then Play libs in any App would be an unnecessary attack surface from your perspective.

@elomatreb @haskal Not sure if Play services can replace an app that has been signed by signal devs.

@haskal isn't google play only required for location sharing? The app works just fine on my degoogled phone save for that

@dragon yeah but the point is signal includes the google library blobs in the app whether your phone OS is de-googled or not. the library code runs in the app context and has access to everything, including messages rendered on the screen

@haskal
Well, it is not mandatory... I downloaded it with Aurora so... No Google Play store or services on the device.

Technology, privacy, security, signal, need help finding a replacement with specific requirements 

