Comment on Lawsuit Alleges That WhatsApp Has No End-to-End Encryption
Zak@lemmy.world 5 days ago
Signal uses reproducible builds for its Android client, and I think for desktop as well. That means it’s possible to verify that a particular Signal package is built from the open source Signal codebase. I don’t have to trust Signal because I can check.
If I don’t have extreme security needs, I don’t even have to check. Signal has a high enough profile that I can be confident other people have checked, likely many other people who are more skilled at auditing cryptographic code than I am.
Trusting the server isn’t necessary because the encryption is applied by the sender’s client and removed by the recipient’s client.
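The reproducible-build check described in this comment, as an added example that is not part of the post and is not Signal's own verification script: it compares an APK you built from source against the distributed APK entry by entry, ignoring the JAR-signature files under META-INF/, because signing is the one step a third party cannot reproduce without the vendor's private key. The sample "APKs" are constructed in memory; `SIGNATURE` file names and the tampered-DEX scenario are assumptions for illustration.

```python
"""Compare two APKs entry by entry, ignoring signing metadata.

Added example (not Signal's script). A locally reproduced build and the
distributed build should differ only in the signature files under META-INF/.
"""
import hashlib
import io
import zipfile


def is_signature_entry(name: str) -> bool:
    """True for JAR (v1) signature files: META-INF/MANIFEST.MF, *.SF, *.RSA, *.DSA, *.EC.

    The v2/v3 APK Signing Block is not a zip entry at all, so an entry-level
    comparison never sees it and needs no special case for it.
    """
    if not name.startswith("META-INF/"):
        return False
    return name == "META-INF/MANIFEST.MF" or name.endswith((".SF", ".RSA", ".DSA", ".EC"))


def entry_digests(apk) -> dict:
    """Map every non-signature entry to the SHA-256 of its uncompressed bytes.

    `apk` is a path or a file-like object holding a zip archive.
    """
    digests = {}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            with zf.open(info) as fh:
                digests[info.filename] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_apks(built, distributed) -> dict:
    """Return entries only in one APK, or present in both with different content."""
    a = entry_digests(built)
    b = entry_digests(distributed)
    return {
        "only_in_built": sorted(set(a) - set(b)),
        "only_in_distributed": sorted(set(b) - set(a)),
        "changed": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }


def is_reproduced(built, distributed) -> bool:
    """True when the two APKs are identical apart from their signature files."""
    d = diff_apks(built, distributed)
    return not (d["only_in_built"] or d["only_in_distributed"] or d["changed"])


def _make_apk(entries: dict) -> io.BytesIO:
    """Build an in-memory zip standing in for an APK (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


# Constructed sample: the "built" APK is unsigned; the "distributed" one carries
# v1 signature files; the tampered one also has a modified classes.dex, which is
# the case the check must catch.
BUILT = {
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00" + b"A" * 64,
    "res/raw/x": b"1",
}
SIGNED_OK = dict(BUILT, **{
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82",
})
TAMPERED = dict(SIGNED_OK, **{"classes.dex": b"dex\n035\x00" + b"B" * 64})

if __name__ == "__main__":
    print(diff_apks(_make_apk(BUILT), _make_apk(SIGNED_OK)))  # all three lists empty
    print(diff_apks(_make_apk(BUILT), _make_apk(TAMPERED)))   # 'changed': ['classes.dex']
```

For a real check, pass the path of your own build and of the downloaded release in place of the constructed archives; any name in `changed` or in either `only_in_*` list is a build-input or toolchain difference to run down before trusting the comparison.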
pressanykeynow@lemmy.world 5 days ago
Maybe, but that doesn’t mean you have the same app they do. Google may have different APKs for people who could check it and for those who won’t.
Zak@lemmy.world 4 days ago
There is a risk Google could tamper with the app for specific users if they’re installing it from Google Play. I think it’s likely security researchers would discover that if it were widespread, but there’s a chance Google could do it undetected if they targeted it selectively enough.
People who are concerned about this can download the APK directly from Signal and check its signature before installation.
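The signature check from the last comment, as an added example that is not part of the post and not Signal's documentation: it wraps the Android SDK's real `apksigner verify --print-certs` command and compares the signer's SHA-256 certificate digest against a fingerprint you pinned from a trusted source. `EXPECTED_SHA256` is a placeholder, not Signal's actual fingerprint, and `SAMPLE_OUTPUT` is constructed in apksigner's output format rather than captured from a real APK.

```python
"""Pin the APK signing certificate before installing a directly downloaded APK.

Added example. Requires `apksigner` (Android SDK build-tools) on PATH for a
real run; the parsing and pin comparison work offline.
"""
import re
import shutil
import subprocess

# Placeholder pin (assumption). Replace with the fingerprint the vendor publishes.
EXPECTED_SHA256 = "00" * 32

# apksigner prints one line per signer, e.g.
#   Signer #1 certificate SHA-256 digest: 29f34e5f27f2...
CERT_LINE = re.compile(
    r"^Signer #(\d+) certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M
)


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AA:BB:..' or 'aabb..' and return lowercase hex without separators."""
    return re.sub(r"[^0-9a-fA-F]", "", fp).lower()


def parse_signer_digests(output: str) -> list:
    """Extract every signer's SHA-256 certificate digest from apksigner output."""
    return [digest.lower() for _, digest in CERT_LINE.findall(output)]


def signer_matches(output: str, expected: str) -> bool:
    """True only if exactly one signer is present and it is the pinned certificate.

    Requiring exactly one signer means an extra, unexpected certificate alongside
    the legitimate one is rejected rather than silently accepted.
    """
    digests = parse_signer_digests(output)
    return len(digests) == 1 and digests[0] == normalize_fingerprint(expected)


def verify_apk(path: str, expected: str = EXPECTED_SHA256) -> bool:
    """Run apksigner on `path` and apply the pin.

    Returns False when the signature is missing or invalid (non-zero exit) or the
    certificate does not match; raises if apksigner is not installed.
    """
    tool = shutil.which("apksigner")
    if tool is None:
        raise FileNotFoundError("apksigner (Android SDK build-tools) not on PATH")
    proc = subprocess.run([tool, "verify", "--print-certs", path],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return False
    return signer_matches(proc.stdout, expected)


# Constructed sample in apksigner's output format (not from a real APK).
SAMPLE_OUTPUT = (
    "Signer #1 certificate DN: CN=Example, O=Example\n"
    "Signer #1 certificate SHA-256 digest: " + "ab" * 32 + "\n"
    "Signer #1 certificate SHA-1 digest: " + "cd" * 20 + "\n"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        ok = verify_apk(sys.argv[1])
    else:
        ok = signer_matches(SAMPLE_OUTPUT, "AB:" * 31 + "AB")
    print("signer OK" if ok else "REJECT: invalid signature or unexpected signer")
```

Usage: `python verify_apk.py Signal.apk` after setting `EXPECTED_SHA256` to the vendor-published value. The pin matters most on first install: Android itself refuses to install an update whose signing certificate differs from the already installed app's, so a wrong certificate accepted once is carried forward by the platform.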