Protest security - Signal app

Looked into it again and it really did. I can see why the international community seems to prefer Telegram. I do wonder if their encryption protocol has been audited as extensively as Signal’s.

Also, on Signal for Android at least, you need to permit the app being able to see your contacts. If you deny that, then there is no way for the App to check and notify people with your number that you are using the app?

Or was it saying that the server is checking your number against other users who have allowed the app to access their contacts?

According to the link from Signal you provided here, one answer states: “They just see a number they know is registered. If someone knows how to send you an SMS, we want them to see that they can send you a Signal message instead.” While my English is not even close to being perfect, can you explain what it is that @ChriChri, together with myself, are getting wrong from the sentences I’ve just copied here, from their official page? Is it “somewhat invasive” = invasive, or just = somewhat invasive on top of GDPR?

1 Like

I’m sorry if I’ve done so and I mean it really.

If I’ve done so, please tell me where I’m wrong and please post a reference.

I didn’t read everything about Signal and to criticize and discuss it I believe I do not have to. And I’m really willing to learn if I’ve been wrong.

BTW, I asked on the Signal forum about this. I’m not sure if those who commented were developers or just people believing that they know what they are talking about.

For that reason I checked the behaviour I criticise in a test setup and was able to reproduce it. You can try for yourself if you have a second SIM.

Just in case this didn’t become clear: If I’d known about this behaviour beforehand or if I’d have been informed about it during install I’d not have registered with Signal. That’s my main criticism: Not telling the user what will happen.

1 Like

Thanks @Quarnero - that is really the information I’ve been looking for and that should be presented to any new user during registration and for this I believe they should ask for consent. If I missed it during registration, I missed it twice and maybe I’m dumb.

But I really read the stuff during installation, because I do not want any software on my mobile that allows others to send me messages without at least the cost of an SMS.

With the move to do away with the use of numbers, which I believe is the app’s strongest objection worldwide, all of this will be a moot point hopefully in the future. Threema for example does not require a phone number to register with the service. It is almost a carbon copy of WhatsApp.

Feature wise, Signal is absolutely feature complete. It really is a great chat app.

1 Like

This is called Private Contact Discovery Service and for the sake of transparency (and in reaction to this thread), here is another telling info, recently published:

IMHO, accepting this as trustful and justified or not (by considering other available options), my personal interpretation of it (in context of seller … user or perhaps in context of both) is actually what counts here or there, for my private or some other user needs.

Here is another expertise: “Ultimately, the federal government is going to have to step in with blanket legislation that will take precedence over the fractured state-level initiatives.

1 Like

The discussion about Signal on Librem 5 (and GNU/Linux) is there btw: Signal / Silence on GNU+Linux : A comprehensive summary | Librem 5 app

1 Like

My huge concerns are also about the fact that Signal currently has a proprietary dependency on Google libraries:
https://directory.fsf.org/wiki/Talk:Signal

Isn’t that dependency just for notification support (please correct me if I’m wrong)?

The apk from their site advises of this too and requires a separate service to be running in the background.

Don’t mean to restart an old thread, feel free to correct via DM 🙂

1 Like

Yeah it’s only for push notifications.

2 Likes

The point is that if you want to use Signal, you are forced to use proprietary software because of libraries dependency.
Even if you trust Signal, you cannot trust such proprietary libraries.

I don’t see why you are forced to use proprietary software. Installing Signal doesn’t install that software. If the PlayServices aren’t installed on your phone, you won’t have push notification, that’s all. And if you want push notification, then you can install MicroG, which is an open implementation of them.

Edit: I’m not sure how to write on the FSF wiki to tell them that… Can someone please guide me?

3 Likes

You need an account for writing in the wiki:
https://directory.fsf.org/wiki?title=Special:CreateAccount&returnto=Talk%3ASignal

I created one, but the Talk page looks like a normal page, I’m not sure where I am supposed to write.

https://directory.fsf.org/wiki/Free_Software_Directory:Participate

This. No proprietary if Google play services aren’t installed. Push notifications are not entirely necessary anyway. Just check messages when you have time.

3 Likes

Within Signal, you get push notifications without Google Play services via websockets as a fallback. Can confirm this works as good as the proprietary dependent solution so no problem here.

4 Likes

I’m curious about the power use of a web socket solution. That would only work if the signal process was always running in the background. That is kind of the whole point of push notification. It allows the app in question to not even be running.

They were using some google utility functions until recently:


Then there’s still Google Maps for the location feature.

2 Likes

So, is Molly-FOSS the Signal app fork with completely no more dependency from Google libraries?

2 Likes