Static + dynamic analysis of Signal's APK. The good news first: Signal is genuinely exceptional.

Rust core (libsignal_jni.so), post-quantum hybrid Double Ratchet (Kyber-1024 + X25519), Direct ByteBuffers with immediate zeroing after PIN/username hashing, Intel SGX attestation for SVR — MREnclave verification means even a compromised Signal server can't extract your PIN hash.

But two things stood out:

1. Firebase is always there. Google receives IP + notification timestamps regardless of message content. If you need metadata privacy, Signal still leaks presence data to Google's infrastructure.

2. Certificate revocation endpoints hit http://g.symcd.com in plaintext. An ISP or state-level observer can fingerprint Signal usage from DNS queries and HTTP traffic to those CAs — without touching message content.

Conclusion: strongest crypto engineering in consumer messaging. The attack surface isn't the cryptography. It's the operational dependencies.

Full analysis coming soon.

#infosec #AndroidSecurity #Signal #privacy #ReverseEngineering #postquantum #mobileforensics

@Harpocrates @stroz There is an unofficial patch that removes Google Play Services from the APK, which you might be interested in analyzing. It takes care of the Firebase issue.

https://langis.cloudfrancois.fr/
 Repo: patched-apps

As for the second issue, using Signal (or Langis) over a Tor service, like Tor VPN Beta, InviZible Pro, or Orbot, will decouple your real IP from certificate revocation queries.

• https://f-droid.org/packages/org.torproject.vpn
• https://apt.izzysoft.de/packages/pan.alexander.tordnscrypt
• https://github.com/guardianproject/orbot-android

Signal Without GCM/FCM

A version of Signal without Google/Firebase Cloud Messaging dependency

@catsalad afaik molly.im (android only) should be fine too, at least the foss version, for issue 1
@Harpocrates @stroz