What encrypted app to use?

Hello,
I am trying to improve my overall privacy and security.
For that, I am trying to find the best tools to use, and right now I am looking for my next messaging app that I will use, but there are a lot of “E2E” apps, and I cannot choose between all those.
I need help.

For example, when I look at this website, https://www.securemessagingapps.com, I see that it’s not recommended to use WhatsApp, and WhatsApp is my main app for messaging currently.
That means I will have to convince my family to switch to another app, but because I don’t want to ask them to change every two days, I need help to find the right one.

On this same site, Telegram isn’t recommended either. The things that I like about Telegram are the stickers and how smooth they are, but that’s the only thing I prefer there (compared to WhatsApp, for example).
On the site https://www.securemessagingapps.com it seems that Signal, SimpleX and Session are great options, but which one to choose? Which one is the “best”?
I see that on Signal you can have custom and animated stickers, which seems cool for conversations, and this feature seems not to be available on Session and SimpleX. I also see that other apps like Status and Delta Chat exist but are never mentioned in guides like Privacy Guides and Techlore, for example.

Please, can you help me make a decision and ditch WhatsApp (Meta) software, to increase my security and my privacy?

1 Like

Signal is the best option if your family is not particularly tech savvy. It “just works” and has a really polished UI. Great security, too.

4 Likes

Yes, my family is not particularly tech savvy, but I will do the initial setup for them, as I did for WhatsApp (when I thought it was a good solution).

But why would I choose SimpleX over Signal, or Session or Status, and why is Status not mentioned anywhere?
And isn’t it better to use a decentralized (peer-to-peer) application instead of a centralized one? The company could block my access to the server if the government asks them to, no? While it is more difficult with a decentralized system, no?

Take a look here

2 Likes

If it’s not working reliably all the time, your family will probably not keep using it. This is just something I know from experience from countless people reporting it back to us. Even when SimpleX/Session might be better in certain aspects, that doesn’t matter when it’s too complicated to use or sometimes doesn’t work properly.

Unless you have specific reasons to use a different app, just go with Signal. It’s super easy to use, it’s highly polished, it just works, and it certainly has the best chance that your family will actually use it with you.

2 Likes

Will read it, thank you.

Mhh ok, I see, I didn’t know that SimpleX/Session had troubles.

Ok, I think I will ask my family to switch to Signal. It seems to be the best option I have currently, and it supports stickers 🙂

Now that I think I have found the messaging app I am going to use for my communication and to keep it private, I am wondering: Signal, for example, is open source, so developers with knowledge can read the code to be sure there is no backdoor (for the government, for example), but how can I be sure that the app I am downloading from the store on my phone, or from the website for my laptop, is built from the exact source code of the app?
For example, if the Signal app were developed by a government, I think they would have enough money to pay developers to develop the source code we can see on GitHub, but before each release another group of developers adds a backdoor before compiling and sending the app to the store?

How could we be sure that our app is not compromised? Can we only trust them with our eyes closed?

Same for websites that have a fingerprint or a hash just under the download button (to check that the downloaded app has not been compromised): if a hacker has access to the source code of the website to change the file behind the download button, he could easily change the fingerprint (or hash …) to match the compromised app he made us download, no?

Reproducible builds help to verify that the source code in our GitHub repository is the exact source code used to build the compiled Signal APK being distributed through Google Play.

Essentially you can build it yourself and that build will match the one on the Play Store. Not all open source apps are necessarily reproducible though.

That’s why audits and track records are important, but not bulletproof.

1 Like

I see, but this only works for Android, right? For Windows, macOS and iOS it’s not possible to do the same thing?

What are track records?

And about audits, does the team doing the audit have a way to check what the developer team sends to the stores, and compare the hash of the app?

There is no reason it can’t work for macOS and Windows. AFAIK it isn’t possible on iOS due to how the app store works (I don’t know the specifics).

Why are not all open source apps necessarily reproducible?
Because they add certificates that are not in the public repository, so the final hash is not reproducible?

Ok, I see, and if we were able to compile an app ourselves and then install it on our iPhone (like an APK on Android, as I understand it), we would be able to compile the app from the public repo source code, install it on our iPhone, and then use the app as if we had installed it from the store?

Honestly, no need to harp really hard on reproducible builds. For iOS (and perhaps macOS) I would download it from the App Store or the binaries provided by Signal (you can use file hash checking if you still need this).

But about file hashes to compare: if a hacker can change the file I am downloading (and send me an edited version with a backdoor), he could easily change the hash on the webpage to the hash of his edited app, no?
I mean, if he successfully breaks the website security to change the file we download, he could easily change the HTML of the website too, no?

You’re putting forward very hypothetical scenarios here; it is as if, hypothetically, attackers got access to Signal’s web and file servers.
Also, on the App Store it is safe to just install it (for iOS and macOS), hypothetical scenarios aside.

1 Like

Yes, of course it’s really hypothetical.
But do you think it’s really worth adding the hash verification? I mean, if a hacker is able to hack a website server to change the file, it’s too easy for him to hack the website in front of it, I think.

No, it would not; it would require Signal to have some kind of vulnerability, it’s impossible.
Also, hash verification is important because, as long as you have the official hash provided by the software developer, any modification that has been done to the software itself will make the hash different from the one provided by the dev.
Hackers can’t simply change a hash provided by the official dev.

There’s also GPG verification, which would be more robust.

And again, none of this is an issue with using the Apple App Store.

1 Like
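The two verification questions in this thread (comparing a reproducible build against the published binary, and whether a hash shown next to the download button protects against a tampered file) can be shown as a small script. This is an added example written for this thread, not code from Signal or from anyone in the thread; the "build" bytes are constructed samples, and the only real assumption is that a hash obtained out of band (your own reproducible build, a second source, or a signed hash file) is beyond an attacker who only controls the download server.

```python
import hashlib
import hmac

# Constructed sample release bytes standing in for a real installer/APK.
GENUINE_BUILD = b"signal-installer: genuine release bytes (constructed sample)"
TAMPERED_BUILD = GENUINE_BUILD + b" + injected backdoor"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of in-memory bytes (same value `sha256sum` prints)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Digest a downloaded file on disk without reading it all into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hashes_match(file_bytes: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the recomputed digest with the expected one."""
    return hmac.compare_digest(sha256_hex(file_bytes), expected_hex.strip().lower())


def check_hash_from_same_server(attacker_controls_server: bool) -> bool:
    """The hash is published next to the download button on the same server.
    An attacker who can swap the file can rewrite the page too, so the check
    passes in both cases and detects nothing (the questioner's objection)."""
    served = TAMPERED_BUILD if attacker_controls_server else GENUINE_BUILD
    published_hash = sha256_hex(served)  # attacker publishes the hash of *their* file
    return hashes_match(served, published_hash)


def check_hash_out_of_band(attacker_controls_server: bool) -> bool:
    """The expected hash comes from somewhere the attacker does not control:
    your own reproducible build, a mirror, or a developer-signed hash list.
    Now a swapped file fails the check."""
    trusted_hash = sha256_hex(GENUINE_BUILD)  # e.g. the APK you built yourself
    served = TAMPERED_BUILD if attacker_controls_server else GENUINE_BUILD
    return hashes_match(served, trusted_hash)


if __name__ == "__main__":
    print("same-server hash, tampered download passes:", check_hash_from_same_server(True))
    print("out-of-band hash, tampered download passes:", check_hash_out_of_band(True))
    print("out-of-band hash, genuine download passes:", check_hash_out_of_band(False))
```

A GPG signature over the hash list is the general form of the out-of-band case: the verifier already holds the developer's public key, so a server compromise cannot produce a signature that verifies.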