Static + dynamic analysis of Signal's APK. The good news first: Signal is genuinely exceptional.

Rust core (libsignal_jni.so), post-quantum hybrid Double Ratchet (Kyber-1024 + X25519), Direct ByteBuffers with immediate zeroing after PIN/username hashing, Intel SGX attestation for SVR — MREnclave verification means even a compromised Signal server can't extract your PIN hash.

But two things stood out:

1. Firebase is always there. Google receives IP + notification timestamps regardless of message content. If you need metadata privacy, Signal still leaks presence data to Google's infrastructure.

2. Certificate revocation endpoints hit http://g.symcd.com in plaintext. An ISP or state-level observer can fingerprint Signal usage from DNS queries and HTTP traffic to those CAs — without touching message content.

Conclusion: strongest crypto engineering in consumer messaging. The attack surface isn't the cryptography. It's the operational dependencies.

Full analysis coming soon.

#infosec #AndroidSecurity #Signal #privacy #ReverseEngineering #postquantum #mobileforensics

@Harpocrates Great work! If you have the reach (Signal org has ignored my questions) please get them to release all of their infra automation code!

They've built a substantial amount of infrastructure and that should be open source so that someone could replicate the network easily if for some reason we were forced to!

@purpleidea Thnx!
Agreed. Infra transparency is the missing link. I'm currently pivoting from standard code analysis to a Code Intelligence approach.
Most tools look for bugs; I’m mapping behavioral patterns that standard scanners miss by design. If the infra is a black box, the code behavior is the only source of truth we have left. Verifying the stack is the only way forward.

@Harpocrates I can't agree more. I work in the infra space, so I've always been keen to dig into that side of things.

Please spread the word. There's zero reason they should keep that secret and proprietary.

Thanks!