Static + dynamic analysis of Signal's APK. The good news first: Signal is genuinely exceptional.

Rust core (libsignal_jni.so), post-quantum hybrid Double Ratchet (Kyber-1024 + X25519), Direct ByteBuffers with immediate zeroing after PIN/username hashing, Intel SGX attestation for SVR — MREnclave verification means even a compromised Signal server can't extract your PIN hash.

But two things stood out:

1. Firebase is always there. Google receives IP + notification timestamps regardless of message content. If you need metadata privacy, Signal still leaks presence data to Google's infrastructure.

2. Certificate revocation endpoints hit http://g.symcd.com in plaintext. An ISP or state-level observer can fingerprint Signal usage from DNS queries and HTTP traffic to those CAs — without touching message content.

Conclusion: strongest crypto engineering in consumer messaging. The attack surface isn't the cryptography. It's the operational dependencies.

Full analysis coming soon.

#infosec #AndroidSecurity #Signal #privacy #ReverseEngineering #postquantum #mobileforensics

@Harpocrates “we made a secure messaging app to get you away from insecure big tech”

“it doesn’t depend on google right”

@Harpocrates signal would be so good were it not penetrated by this corporate attitude of “oh we absolutely must be a centralized service that collects phone numbers and relies on fashcloud providers for everything”
@zaire I understand your point and I agree; for this I'm trying to understand how to mitigate the thing.
Anyway, I'm trying to specialize in greyware, and it is a new frontier world.