You can't prove that Google isn't shipping backdoored versions of the app to targeted individuals
this post was submitted on 15 Aug 2025
7 points (62.1% liked)
Privacy
3530 readers
122 users here now
Welcome! This is a community for all those who are interested in protecting their privacy.
Rules
PS: Don't be a smartass and try to game the system, we'll know if you're breaking the rules when we see it!
- Be civil and no prejudice
- Don't promote big-tech software
- No apathy and defeatism for privacy (i.e. "They already have my data, why bother?")
- No reposting of news that was already posted
- No crypto, blockchain, NFTs
- No Xitter links (if absolutely necessary, use xcancel)
Related communities:
Some of these are only vaguely related, but great communities.
- !opensource@programming.dev
- !selfhosting@slrpnk.net / !selfhosted@lemmy.world
- !piracy@lemmy.dbzer0.com
- !drm@lemmy.dbzer0.com
founded 9 months ago
MODERATORS
I use apk version from the site
Do you verify the checksum? Each time you update?
Hi, look, even considering that this question do not have relation to post's subject I would suppose that if you are going to discuss this external threat (from users) I would begin from os level, not from dns level..
So I am not interested right now in this question, with respect
So you're not running a hardened OS, whether GrapheneOS or a locked down Linux derivate like Qubes? Strange, given your question I assumed you did.
Not 3veryone wants to answer this shit. Can you gyess why?
Did I say I am not ranning? Please be at the limits of the post's subject
Signal Foundation is a nonprofit in California, and they are the ones that operate the relays and maintain the FOSS app. Since they're a regular 501(c)3 and not a religious org, you can look into how their money is spent (to see if it's going to any suspicious recipients) and whether they're getting suspiciously large sums of money.
On top of that, they don't have access to the communication data itself. It's all E2EE, and the app being FOSS means you can inspect how that data is encrypted and sent (and even build your own from source, if you're paranoid). Even if they're unknowingly hiring covert bad actors, it's unlikely their activities would stay hidden for long.
So while it's certainly a concern that it's still centralized messaging, it's probably one of the best options due to the easy access for most people. Other than a billionaire buyout or government laws that force backdoors into encryption, the only real existential threat they currently face is operation costs. They were fortunate to have wealthy philanthropists in the beginning, but if they have an explosion in users (unlikely), it might bring the organization to its knees.
I don't find your particular scenario to be worrisome. And if it turns out that it's compromised in the future, there's other good apps out there, like SimpleX.
There's also XMPP(on which whatsapp is based on), it's quite good with OMEMO.
Yep, and I think there's a third option that I can't recall at the moment (not Matrix), but no matter what, there's alternatives that work and could be made to fit people's chat needs.
If you ever recall what the third option is, please post.
Hi, what about gnu linux xz utils backoor scenario? Also is there any regular auditing of signal by third party auditing company?
About simplex its not allowed in my threat model, I will rather use pure xmpp protocol with omem as an alternative.
Why not simplex?
Hi, what about gnu linux xz utils backoor scenario?
This was caught by the community thanks to it being FOSS, and it was somewhat distinct from the scenario we're talking about here, since the repository was wholly taken over by a bad actor who tricked the original (burnt out) maintainer to hand over the repo.
Could a bad actor get their claws in and take over the repo? Possibly, but given the fact that it's maintained by a foundation with lots of devs and not just one thankless hobbyist, that likelihood is probably small.
Also is there any regular auditing of signal by third party auditing company?
Regular? I don't know. They have been audited, iirc, and they have received numerous legal requests to turn over data to courts, to which they've been able to reply "what data?" Bear in mind that they would almost certainly not do this if it meant jeopardizing their entire business. No business is going to go to jail for us, after all.
You do what you feel is appropriate for your threat model, but as far as general threats to privacy or Signal's existence go, I'm not currently concerned about their future.
Hi, I think you not really understood threat that I published -undercover agents -developers that will apply for the job at signal and receive it, and they will do their backdoor without Signal foundation knowing,its obvious. About audites that you mentioned - could you provide some link to it?
Do you really think government/counter agents aren't already doing this?
Any security agency that wasn't aware of it before even we were, with projections of likely growth path, who else is looking at it, etc, etc, wouldn't be a very effective security agency.
Keep in mind that this is what I can think of off the top of my head, and I'm not an intelligence/security boffin.
Also, capitalization, punctual, etc are a thing for a reason... If you can't be bothered then people won't take you seriously. Is it really that hard to press shift as needed?
Was the post edited? It looks fine now. ._.
But you were bothered, yes?
Unfortunately looks like you wasnt interested in professional and respectful discussion so I block you
Signal is not a company, so in that case since it's Open Source they shouldn't be able to implement real hidden backdoors
Signal is non profit company, so my term is correct, being open source doesnt meant be secure and be immutable to internal divertions - see linux xz utils backdoor + thay rent amazon servers
Signal's source code has so much more eyes looking at it than xz-utils.
Hello, Could you point to me some specialists who reguralry check all the server code and app code concretely? And publish the result. So I can follow their eyes
Unfortunately, no. My assertion came from sheer popularity of their GitHub repositories and personal observation among my tech-savvy friend groups.
You can start checking out their code yourself, though. There are a lot of open-source software out there and it would be unfeasible for anyone to audit their code themselves. At some point, you'll have to put some trust into others. Be it software audit companies, or the Signal developers.
Yes, usually I trust audit companies like Cure53 but if I understand correctly there werent any audits for tge ladt years.. I only know that Snowden has recommended that 5 years ago I think, of cource he deserve trust but since then he didnt say anything about it if I remember. Probably he also did some audit that moment 5 years ago but not full audit because it seems impossible for one person...