
Endpoint integrity is also critical. If Apple or Google were compromised, they could silently push an update that replaces the real Signal app with a modified version that forwards everything to an adversary.

Any system where the government doesn't have total control over software deployment will never be viable for handling classified information.



Signal on Android is reproducible https://github.com/signalapp/Signal-Android/tree/main/reprod..., so _theoretically_ the play store version could be monitored to detect tampering by Google (or whoever).

That is, if the reproducible build didn't constantly break https://github.com/signalapp/Signal-Android/issues/13565.

It also ignores the fact that the vendor could send updates targeted to specific devices.



