Side channel when using Signal on Android?


pmikep

Guest
I have removed my content
 
Last edited by a moderator:
I understand your worry, but I'd also suggest you're also being pretty paranoid. If you don't trust Google, you should not use Android. If you don't trust Microsoft you should not use Windows. Etc. Perhaps you'd like to try the PinePhone which runs your choice of OS, many of which are Linux based.
 
So I dropped WA a while ago and switched to Signal Messenger. On the assumption that Signal is secure (but they sure have a lot of updates), I wonder if the Android OS itself can leak info about what one is messaging?
In a word... YES, Absolutely! NO USE of a smartphone is actually secure and private. It's a nice illusion, but it's only that. Assuming that the encryption was implemented correctly, the encrypted channel itself canNOT be decrypted by anyone without the key. So it does robustly protect the conversation from eavesdropping by someone sniffing its traffic en-route.

But, who knows who else may have the key? And the unencrypted data going into the encrypted channel or emerging after being decrypted is entirely exposed.

Security and privacy is an illusion. It's comforting. But I'm certain that all of this worry over encryption just makes the CIA and NSA chuckle.

I've said on the podcast many times that if you want to have a private conversation with someone you trust, go out into the middle of an empty field with a thick blanket. Leave your Smartphones in your cars and bring NO technology with you. Then huddle underneath the thick blanket and whisper into each other's ear.

I'm not paranoid, I don't do that. But neither do I have any need for truly secret and private conversations. But most people who use these encrypted systems are under the impression that their conversations are private. When, in fact, they are only being protected from a very specific — and not very relevant — threat actor.
 
I have removed my content
 
Last edited by a moderator:
I have removed my content
 
Last edited by a moderator:
satellite images of our house
Yes, all true, but satellite tracking is VERY expensive because it's a physical satellite with a very expensive camera and limited propellant. Accordingly, there are only a set number of them to use, and unless you are a VERY interesting target, you're not going to end up tracked in anything close to real time. The satellites that Google rents for satellite imaging for their Maps product are on a fixed schedule, and presumably take pictures all the time, and Google is able to select which pictures it wants to buy, probably months or years (to get a good price) after they were taken.
 
...and Google's satellite images aren't state-of-the-art. They can't read the text on a card you're holding, for example, or see melanoma spots on your scalp. But (the ones that can) are 'top-secret.'
 
Last edited:
I have removed my content
 
Last edited by a moderator:
@Steve mentioned that the messengers are typically secure down to either the device sending the message being compromised and/or the device receiving the message being compromised - that is where the plain text is.

There is also one other way that the chat might be compromised, perhaps? Is it possible, for example, for WhatsApp or any other closed source client to have a silent, non-displayed participant in the chat which would then allow them to eavesdrop on the conversation?

Not that my chats are anything interesting to snoop on as I mostly chat to my wife :)
 
I have removed my content
 
Last edited by a moderator:
deleted files aren't really deleted?
Flash memory has spares. It will never be possible to blank all the spares without a tool from the manufacturer to accomplish this specific goal. In theory the contents of the flash are encrypted by modern Android OS versions. That sounds better than it is because if they "capture" the phone powered on after ever having the password input once, it remains in memory and can be captured. (It HAS to be this way without specific hardware in the phone to store the password for the flash and manage it, and as we well know Android targets highest capability for the lowest cost, and not security that doesn't fit within the budget.) The long and short of it is that government has enough money if they want to read that memory, they would find a way. (And also they get to lock you in jail until you provide the password/access, and few people are that principled to resist such pressure, unless the contents of the phone would already result in them being locked in jail for life.)
 
I have removed my content
 
Last edited by a moderator:
The metadata is often more useful than the actual message content. You will be tracked, if a person of interest, either in real time, or via stored info from cellular providers after the fact, and thus your meetings will be all tracked. No need to get the keys to the conversations, it is easier for the three letter agencies to just ask for the information. Not many people will still be quiet after a few minutes of the rubber hose method, or the more intense versions, and you will get a free, all expenses paid, trip to a sunny tropical island, with a room, full board and water provided, at no cost to you.