Search
Items tagged with: signal
End-to-End Encryption is good but metadata protection counts as much. Names, group descriptions and memberships, avatars, who talks to whom ...
Both #deltachat and #signal go to great length to protect all the metadata that WhatsApp grants itself gratuitously. #Matrix stores similar scales of metadata on their servers, even if you can choose which server stores it.
Everything is better than #Telegram which additionally stores message contents in all group chats/channels and most 1:1 chats.
![screenshot of artifical WhatsApp screen
courtesy of @fex@cfn.social
[Lock Icon] Your personal messages are end-to-end encrypted¹
But:
When you message someone is saved forever.
When you type is saved forever.
Your approximate location is saved forever.
Every profile picture is saved forever.
Every status update is saved forever.
Every group name is saved forever.
Every group description is saved forever.
Every community name is saved forever.
Every community description is saved forever.
Every time you join a group is saved forever.
Every time you leave a group is saved forever.
Every new contact is saved forever.
Deleting a contact is saved forever.
What you search for is saved forever.
Who you call and when is saved forever.
When you hang up is saved forever.
When you’re online is saved forever.
When you’re offline is saved forever.
Every link you open is stored forever.
Your phone model is stored forever.
Your operating system is stored forever.
Your battery level is stored forever.
Your signal strength is stored forever.
Your app version is stored forever.
Your mobile network is stored forever.
Your Wi-Fi network is stored forever.
.....
Your IP addresses are stored forever.
Your meta ID is stored forever.
Your settings are stored forever.
¹Just in case your contacts don’t back up your messages with Google or Apple](https://friendica.hellquist.eu/photo/preview/640/5502221 "screenshot of artifical WhatsApp screen
courtesy of @fex@cfn.social
[Lock Icon] Your personal messages are end-to-end encrypted¹
But:
When you message someone is saved forever.
When you type is saved forever.
Your approximate location is saved forever.
Every profile picture is saved forever.
Every status update is saved forever.
Every group name is saved forever.
Every group description is saved forever.
Every community name is saved forever.
Every community description is saved forever.
Every time you join a group is saved forever.
Every time you leave a group is saved forever.
Every new contact is saved forever.
Deleting a contact is saved forever.
What you search for is saved forever.
Who you call and when is saved forever.
When you hang up is saved forever.
When you’re online is saved forever.
When you’re offline is saved forever.
Every link you open is stored forever.
Your phone model is stored forever.
Your operating system is stored forever.
Your battery level is stored forever.
Your signal strength is stored forever.
Your app version is stored forever.
Your mobile network is stored forever.
Your Wi-Fi network is stored forever.
.....
Your IP addresses are stored forever.
Your meta ID is stored forever.
Your settings are stored forever.
¹Just in case your contacts don’t back up your messages with Google or Apple")
Delta Chat: Delta Chat, decentralized secure messenger
Delta Chat is a decentralized and secure messenger app 💬 Reliable instant messaging with multi-profile and multi-device support ⚡️ Sign up to secure and interoperable chatmail relays 🥳 Interactive ...delta.chat
Static + dynamic analysis of Signal's APK. The good news first: Signal is genuinely exceptional.
Rust core (libsignal_jni.so), post-quantum hybrid Double Ratchet (Kyber-1024 + X25519), Direct ByteBuffers with immediate zeroing after PIN/username hashing, Intel SGX attestation for SVR — MREnclave verification means even a compromised Signal server can't extract your PIN hash.
But two things stood out:
1. Firebase is always there. Google receives IP + notification timestamps regardless of message content. If you need metadata privacy, Signal still leaks presence data to Google's infrastructure.
2. Certificate revocation endpoints hit g.symcd.com in plaintext. An ISP or state-level observer can fingerprint Signal usage from DNS queries and HTTP traffic to those CAs — without touching message content.
Conclusion: strongest crypto engineering in consumer messaging. The attack surface isn't the cryptography. It's the operational dependencies.
Soon the full analysis
#infosec #AndroidSecurity #Signal #privacy #ReverseEngineering #postquantum #mobileforensics
