Open ghost opened 6 years ago
Is this still accurate? I thought Signal was available as a plain APK download now... https://signal.org/android/apk/
(can't speak to your other criticisms regarding Signal's support page being blocked by Tor, however)
Looks like users are being advised to use the Play Store, but not required. I think I saw the "Danger Zone" section before, but ignored it because nothing appeared below the "danger zone" label (due to noscript). Now I can see that the APK is available outside of Google's jail, so the first bullet along with its sub-bullets is not strictly correct. It's still considerable though because they've deliberately made the APK hard to find and designed the website so most users will think they must use the Play Store. Note that the fingerprint did not match the APK when I checked it.
CloudFlare problems expanded in https://github.com/privacytoolsIO/privacytools.io/issues/374#issuecomment-460077544
Signal is centralized in Amazon AWS, a privacy abuser. Even if Signal is secure enough that users need not trust Amazon, Amazon is still benefiting financially from Signal. At a minimum Amazon gets the IP addresses of Signal users and can then cross-reference that IP address with other tables. Haven users can possibly be de-anonymized if they use the Signal mechanism by comparing timings of onion traffic with AWS traffic (investigation needed).
I'm also disappointed that the options are SMS or Signal. I'd very much like to see support for the Matrix protocol. In this case you can configure your own server if you like, need no phone number, and get notification on any device. https://en.wikipedia.org/wiki/Matrix_(protocol)
We will be adding Matrix support, as well as a pure Onion-to-Onion sync between multiple Haven apps.
(Guardian Project has a secure matrix client project underway called Keanu: https://gitlab.com/keanuapp)
Jami seems to use Google Firebase and also has a Firebase tracker in the app: https://reports.exodus-privacy.eu.org/en/reports/63024/ There have also been a lot of reports of messages being lost and bad audio/video quality (not sure if these are true anymore; I have not used Jami in a while).
They are at F-Droid so maybe they have a separate variant without those.
I just tested the F-Droid version using exodus-standalone. The output:
=== Information
- APK path: cx.ring_144.apk
- APK sum: b7e8c2654ae7d788e62f699d053426c4f22cb84410bbce240fcc3934b31964bb
- App version: 20190103
- App version code: 144
- App UID: 28E35987AE316D25D5761E00267FF6F86525C708
- App name: Jami
- App package: cx.ring
- App permissions: 21
    - android.permission.INTERNET
    - android.permission.RECORD_AUDIO
    - android.permission.MODIFY_AUDIO_SETTINGS
    - android.permission.PROCESS_OUTGOING_CALLS
    - android.permission.CALL_PHONE
    - android.permission.RECEIVE_BOOT_COMPLETED
    - android.permission.ACCESS_WIFI_STATE
    - android.permission.ACCESS_NETWORK_STATE
    - android.permission.READ_CONTACTS
    - android.permission.READ_PROFILE
    - android.permission.BLUETOOTH
    - android.permission.VIBRATE
    - android.permission.READ_CALL_LOG
    - android.permission.WRITE_CALL_LOG
    - android.permission.WRITE_EXTERNAL_STORAGE
    - android.permission.READ_EXTERNAL_STORAGE
    - android.permission.WAKE_LOCK
    - android.permission.CAMERA
    - android.permission.CHANGE_WIFI_STATE
    - android.permission.READ_PHONE_STATE
    - android.permission.FOREGROUND_SERVICE
- App libraries:
- Certificates: 1
    - Issuer: countryName=UK, stateOrProvinceName=ORG, localityName=ORG, organizationName=fdroid.org, organizationalUnitName=FDroid, commonName=FDroid
      Subject: countryName=UK, stateOrProvinceName=ORG, localityName=ORG, organizationName=fdroid.org, organizationalUnitName=FDroid, commonName=FDroid
      Fingerprint: 3f47e291c57b7d55cb0d4e28ea792ce96a207c76
      Serial: 1402691044
=== Found trackers: 0
So there should perhaps be a warning advising users to favor the F-Droid version.
GNU Ring/Jami is the de facto non-controversial secure IM tool for tree-hugging hippy freedom lovers and has support on phones and desktops. The Android app is on f-droid.org. This is a conflict-free open community tool that should be supported.

Signal is apparently supported because of its popularity and/or Snowden's endorsement. But it's a poor choice for many reasons:
That's a lot of evil right there. I suggest:
(update) The above is obsolete. See https://github.com/privacytoolsIO/privacytools.io/issues/779 for current OWS Signal privacy abuses