A few questions about Signal

Hi, there,
I’d like to ask a few questions about Signal.

First of all, if you’re using the app on iOs, what’s to stop the US government (or any other government for that matter) from forcing Apple to put out a fake update? A bit like what happened with encrochat. This fake update would send unencrypted messages to the authorities, for example.

And the other question, given that Signal’s servers are hosted by AWS etc., what’s to stop the authorities from modifying the servers’ code or intercepting communications?
Even if the message is E2EE, the metadata are not, and the Signal protocol doesn’t protect you from knowing who’s talking to whom at what time. Which is the most important thing. Especially when we know that our identifier is linked to a telephone number.

Stuff is encrypted client side meaning that the server cant decrypt it.

1 Like

On a technical level:

  • yes, malicious updates are possible, not just by forcing apple, but by forcing: google, fdroid, anyone else with the ability to build and then sign the signal app
  • modifying the server only lets authorities see the metadata, yeah

On a practical, realistic level:

  • they wouldn’t do it unless there was reason to believe the majority of signal users are terrorists because…
  1. Lots of feds are big signal users, and lots of people in e.g., cybersec outside of govs
  2. Would require a massive court order that’s airtight to not get challenged
  3. Would cause such bad PR that it would not be worth it
4 Likes

If the US government tells Apple to do shenanigans with their product, I think they will react negatively and protect their customers/clients.

If its the Chinese government, they might comply, unwilingly though, because at any rate Apple isnt happy with any government meddling in their affairs.

This is all speculation though. I seem to recall some few years ago Apple saying no to the FBI and made the FBI request public. Its far easier and cheaper to get something like Cellebrite and Pegasus involved.

Going back, if a government forced Apple to do clandestine malicious updates, its not a Signal problem anymore, its an Apple problem. This is where open source wins because iOS/Apple does not have transparency because of its proprietary nature.

There is no way to ruin Signal/Apple without ruining it for everyone. Even the Chinese/US elite and their government will need to rely on tech that cannot be made malicious against its will.

2 Likes

I’m pretty sure that they already track users based on metadata but that’s just a trust me bro from my side.

Signal do encrypt metadata. Ofc, one can observe packets being sent, but that apply to the internet as a whole.