
Beware of Signal: it depends on the proprietary Google Play Services library, so even if you don't have the Play Services on your phone, the app is built with the "client-side" code which speaks with it (or with microG) and checks for its presence.

FreeSignal was a project that aimed to remove this dependency completely but was stopped by the main developer of Signal. It is possible to clone Signal's repo and do this work yourself quite easily if you know Java a bit, but it takes time and it is not convenient.



> Beware of Signal: it depends on the proprietary Google Play Services library, so even if you don't have the Play Services on your phone, the app is built with the "client-side" code which speaks with it (or with microG) and checks for its presence.

That exposes client information to Google but not content. Besides, if my understanding is right, the Signal Protocol is non-repudiable, which means there's no way for an external party to conclusively prove if the communication did indeed take place.


It probably exposes nothing at all to anyone if the Play Services are not on the phone or the relevant feature is not enabled on microG. But it is still a chunk of code that is partly run and that you don't control. It probably just does what it says (check if the service is present), but it is a black box.


What's the problem there? If the code is there but not executed, and no data is sent to Google, is there any risk as a user?


It is executed to test the presence of the Google Play Services on the phone when the app is launched.

Then, it's probably not risky, but it is still proprietary code that you can't inspect and verify. You can't easily know if the library will not silently do something. If you are seeking to avoid running any proprietary code, then it's something you want to avoid.


Right, but you were talking about "even if you don't have the Play Services on your phone", which is what I'm worried about - but OK, if it's just because there's a chance it might be running, then I'm not too afraid of that.


At the risk of laboring the point, I'm talking about the piece of code embedded in the Signal application, that tries to talk to the Play Services. Not the Play Services themselves. This piece of code is definitely running whenever Signal is launched, "even if you don't have the Play Services on your phone". It probably does nothing significant when the Play Services are not present but still, it's there and (a small) part of it runs.

Now you have several options:

- you trust Google and trust this code not to do anything when the Play Services are not running

- you don't trust Google on this, but you don't care either

- you don't trust Google and care, but you are willing to take the risk

- you don't trust Google and care, and are worried, or are not willing to run any proprietary code out of principle: you need to adapt Signal's code or ditch the app entirely


> It probably does nothing significant when the Play Services are not present

Right, that's the part I care about. I think there are two possible situations:

- Signal's own open source code can detect the absence of Play Services and not call out to Google's proprietary code in the first place. Great, no problem there.

- Google's proprietary code attempts to use Play Services and doesn't do anything when it's not present. In that case I do indeed trust Google enough that I wouldn't expect it to actually do anything else, i.e. the first option you mention.



