Granted, the part
The globally recommended app by privacy and security experts, Signal, is now being downloaded massively and tops the Danish Google Play Store
is a little ironic, but you gotta push this winning tide and then work from that.
Totally not how the APK teardown community works, but ok.
How does APK teardown help if Google can replace the app unnoticed?
Because there will always be people running Signal from a different source, and only one of them is sufficient to notice the server has been tampered with.
(And I’m not sure if they have reproducible builds yet, but if they do, people can also verify that even the Google Play-provided APK does or doesn’t match the published source code.)
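The check described in that last point, as an added example that is not part of the original thread and is not Signal's own tooling: given a locally compiled APK and the one the Play Store delivered, compare every ZIP entry by SHA-256 and ignore only the v1 (JAR) signature files under META-INF/, since a store-signed APK will always differ from a local build there (the v2/v3 signing block sits outside the ZIP entries and does not appear in the entry list at all). The APK contents below are constructed in-memory ZIPs, not real Signal artifacts.

```python
import hashlib
import io
import zipfile

# v1 (JAR) signing writes these into the ZIP; a Play-signed APK and a local
# unsigned build are expected to differ here, so they are excluded from the
# comparison. Everything else (dex, manifest, resources, native libs) must match.
SIGNATURE_PREFIX = "META-INF/"
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC", "MANIFEST.MF")


def is_signature_entry(name):
    return name.startswith(SIGNATURE_PREFIX) and name.endswith(SIGNATURE_SUFFIXES)


def entry_digests(apk_bytes):
    """Map each non-signature ZIP entry to the SHA-256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def apk_diff(local_apk, store_apk):
    """Return a sorted list of (entry, reason) pairs; an empty list means the builds match."""
    local = entry_digests(local_apk)
    store = entry_digests(store_apk)
    diffs = []
    for name in sorted(set(local) | set(store)):
        if name not in store:
            diffs.append((name, "missing from store APK"))
        elif name not in local:
            diffs.append((name, "missing from local build"))
        elif local[name] != store[name]:
            diffs.append((name, "content differs"))
    return diffs


def make_apk(entries):
    """Constructed stand-in for an APK: a ZIP built from a name -> bytes mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample inputs (assumed, not real Signal builds).
LOCAL_BUILD = make_apk({
    "classes.dex": b"dex\n035 constructed bytecode",
    "AndroidManifest.xml": b"<manifest/>",
    "res/values.arsc": b"resources",
})
# Same code, plus the v1 signature files a store-signed APK carries.
STORE_APK_GOOD = make_apk({
    "classes.dex": b"dex\n035 constructed bytecode",
    "AndroidManifest.xml": b"<manifest/>",
    "res/values.arsc": b"resources",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0",
    "META-INF/CERT.SF": b"signature file",
    "META-INF/CERT.RSA": b"\x30\x82certificate",
})
# Signed the same way, but with modified bytecode: this is what a swapped build looks like.
STORE_APK_TAMPERED = make_apk({
    "classes.dex": b"dex\n035 constructed bytecode with an extra class",
    "AndroidManifest.xml": b"<manifest/>",
    "res/values.arsc": b"resources",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0",
    "META-INF/CERT.SF": b"signature file",
    "META-INF/CERT.RSA": b"\x30\x82certificate",
})

if __name__ == "__main__":
    print("good:", apk_diff(LOCAL_BUILD, STORE_APK_GOOD))
    print("tampered:", apk_diff(LOCAL_BUILD, STORE_APK_TAMPERED))
```

The comparison only proves anything if the local build is actually reproducible: same toolchain, same dependency versions, and no build timestamps or absolute paths baked into the output. It also says nothing about what Google's OS does to the app after installation, which is the objection raised further down the thread; entry-level diffing catches a substituted APK, not runtime modification.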
Which server?
People don’t control their phone. There is no way of knowing if the installed app is the one that is running.
The server running Signal’s server-side code.
Some do, and that’s the point: if there’s an attempt at tampering, interested security researchers can detect it.
What could a client detect? Signal is a US company and will comply with the government. The server can’t be trusted.
They can detect if a different app was installed from the store on their phone. That’s not useful for anybody to know if their own app is unaltered. Only people of interest will receive a manipulated client. So there is no security in knowing that some people received the original app.
Besides, Google runs the OS. They can change the app at runtime.