sjaak | 5 years ago

In the case of Signal, I imagine people assume all of the following:

1. the protocol between client and server is set up in such a way that, even if Signal wanted to store interesting information, they could not access anything interesting even if they wanted to (for example, messages), thus they don't store anything since it's useless

2. the app implements the protocol faithfully and this has been checked by people perusing the source code

3. the binary downloaded from the app/play store phone is compiled from the sources listed on GitHub

rozab|5 years ago

This might seem like a naive question, but how is it possible to verify that 3 is true?

I get how it might be done in theory but real life is complicated. Has anyone attempted to do this?

CarelessExpert|5 years ago

> I get how it might be done in theory but real life is complicated. Has anyone attempted to do this?

This is mentioned elsewhere, but the answer is: reproducible builds.

You can take the Signal client source (which is available on GitHub), build an APK or whatnot yourself, then get the SHA256 hash or whatever and compare that to the artifact downloaded from the app store and validate that it's the same.

Has anyone done it? No idea!

tdons|5 years ago

I imagine it's non-trivial. I think it would involve (in case of iOS):

1. downloading the binary

2. jailbreaking the phone to extract the binary (pretty sure this is necessary on iOS)

3. check the version of the binary, then compile the original sources of the version

4. ??? compare the two binaries, this is likely the most difficult part, they won't be identical because of things like codesigning (and build flags, timestamps, ...)

I know no one that does this.