Signal: Discussion about Google Play alternative

Lion · March 13, 2017, 9:40pm

Interesting update from the OWS forum discussion:

You can now install Signal from outside of Play:

Now how can this affect fdroid?

anarcat · March 13, 2017, 10:37pm

It means OWS has knocked down yet another blocker in the path to inclusion in F-Droid, namely a widely available GCM-free APK build that we can ship in F-Droid directly. Now we need to “make sure F-Droid can build Signal reproducibly” and then we can just using the resulting build and compare it with the build provided on signal.org (or, more accurately, updates.signal.org e.g. Signal-website-release-3.31.4.apk).

Then if we don’t want to piss off OWS, we would need to have crash reporting, stats and app scanning and we’re pretty much done. The trickiest issue is probably crash reporting, which seems to be tightly coupled with the play store still - we’d need something like ACRA to be pulled into Signal for this to work, presumably.

anon25111075 · March 14, 2017, 5:31pm

Now how can this affect fdroid?

Not at all.

It means OWS has knocked down yet another blocker in the path to
inclusion in F-Droid

Nope.

Reproducibility

Iirc they still require play-services to build, just not to run. We
wont taint our buildsystem. Best hope is Eutopia switching over to
official or reproducibile builds using upstream signature. OWS will
not provide an official F-Droid repo and iirc they have no interest in
any 3rd party doing so.

moxie0 (Moxie) 2017-03-14 06:41:56 UTC #20:

I have no plans to distribute this through f-droid, and don’t see what
the advantage of doing so would be.

Ildar · March 27, 2017, 5:09am

Related discussion:

hans · April 7, 2017, 10:12am

As I see it, the only thing preventing Signal from being included in F-Droid is the fact it still includes the proprietary Google Play Services GMS libraries for GCM, etc.

anarcat · April 19, 2017, 12:42pm

It still does? In the resulting build or the original source code? I would have thought the newer versions didn’t need GCM/GMS stuff… But my experience so far hasn’t been that positive, e.g.:

github.com/signalapp/Signal-Android

Signup Failure - prompt to update while Play Services are actually disabled

opened 01:16PM - 14 Mar 17 UTC

closed 05:00PM - 02 Jun 17 UTC

le-bug

I have: - [x] searched open and closed issues for duplicates - [x] read https:…//github.com/WhisperSystems/Signal-Android/wiki/Submitting-useful-bug-reports ---------------------------------------- ### Bug description I was eager to try out the new non gcm functionality, got an android phone and promptly disabled the Google Play Apps (precise lising below). Trying to sign up for Signal resulted in a failure, as the App requires me for some reason to update the Play Services before continuing. This locks me out. [I dont think this is wanted behavior. Looking into src/org/thoughtcrime/securesms/RegistrationActivity.java, it looks like ConnectionResult.SERVICE_DISABLED is supposed to be treated as MISSING but that doesn't seem to work.] ### Steps to reproduce - Disable all 3 Google Play "Core Apps" (listed below) - Open a freshly installed Signal - Type in Country and Phone Number and press Register **Actual result:** A pop up appears: Update Google Play Services Signal won't run unless you update Google Play Services. This is impossible as they are intentionally disabled and unwanted as we want to use Websocket push. **Expected result:** The registration happens and Signal sets up so that gcmdisabled true is set. Signal can be used. (Treat this as if the Google Play service components were just MISSING) ### Device info **Android version:** 6.0.1 **Signal version:** 3.31.4 Stock Rom. Newly of the shelf bought phone. disabled apps: com.google.android.gms com.android.vending com.google.android.gsf ### Debug log not available as signup is impossible. A fix would be greatly appreaciated, as it would allow to quickly setup an android burner phone for Signal without much technical sophistication.

One thing that could help F-Droid inclusion is making it buildable with MicroG:

github.com/signalapp/Signal-Android

Please make Signal work with microG out of the box

opened 11:05AM - 19 Dec 16 UTC

closed 12:51AM - 03 Apr 18 UTC

ghost

I have an android smartphone without Google Play services. The reason for that i…s that I don't trust Google to not add NSA backdoors if asked or possibly snoop around my data in other intrusive ways, and while I'm aware Android also has a rather spotty security track record and might contain backdoors directly, at least it provides a reasonable possibility for external code reviews to discover such issues. This tweet made me look into the open-source microG to run Signal: https://twitter.com/whispersystems/status/783817903120318465 (as per the rationale given above, I'm somewhat ok with additional open-source components on my phone and not very happy about more closed-source components) However, even with microG installed, I'm getting the popup "Google Play Services - Signal relies on google Play Services, which is not supported by your device. Contact the manufacturer for assistance". I would assume this is because I don't have spoofing enabled, which allows microG to seamlessly replace the google services transparently for any installed apps. https://github.com/microg/android_packages_apps_GmsCore/wiki/Signature-Spoofing makes it very clear that 99% of custom ROM builds can be expected to *not* have this spoofing enabled, and therefore I would need to either custom build my Android (which is way beyond my capabilities) or install the Xposed Framework, which seems to be a very intrusive component that is also not, at least not in any way obvious to me, offered open-source, which is a very dangerous combination. Since spoofing is rarely patched in, this situation will be similar for most other people without Google Play services. Therefore, is it technically possible to maybe add support for microG as an alternative directly into Signal without the need to do this intrusive and technically non-trivial to add signature spoofing? As I'm understanding the API should be exactly the same, just the name is different. It would be very helpful to anyone trying to use Signal with microG on phones free of closed-source Google components.

… but microg would first need to enter f-droid.

hans · April 19, 2017, 2:37pm

These are all proprietary libraries:

    compile 'com.google.android.gms:play-services-gcm:9.6.1'
    compile 'com.google.android.gms:play-services-maps:9.6.1'
    compile 'com.google.android.gms:play-services-places:9.6.1'

github.com

signalapp/Signal-Android/blob/v4.3.1/build.gradle#L56


      
          compile 'com.android.support:support-v13:25.1.0'
          compile 'com.android.support:cardview-v7:25.1.0'
          compile ('com.android.support:support-v4-preferencefragment:1.0.0@aar'){
              exclude module: 'support-v4'
          }
          compile ('com.android.support:gridlayout-v7:25.1.0') {
              exclude module: 'support-v4'
          }
          compile 'com.android.support:multidex:1.0.1'
          
          compile 'com.google.android.gms:play-services-gcm:9.6.1'
          compile 'com.google.android.gms:play-services-maps:9.6.1'
          compile 'com.google.android.gms:play-services-places:9.6.1'
          
          compile 'com.google.android.exoplayer:exoplayer:r2.3.1'
          
          compile 'org.whispersystems:jobmanager:1.0.2'
          compile 'org.whispersystems:libpastelog:1.0.7'
          compile 'org.whispersystems:signal-service-android:2.5.5'
          compile 'org.whispersystems:webrtc-android:M57-S2'

hans · April 19, 2017, 2:38pm

You should move this discussion to the Signal forum. Just keep asking about free software. They know the Google libraries are not free software.

anarcat · April 19, 2017, 3:29pm

Honestly, i’m a bit tired of playing referee in this ping-pong game. I’ve opened a thread out there already:

It’s got positive feedback, and the Signal people made an APK publicly available in response. It was a huge step. The next step is to open some forum post specifically about F-Droid.

But at this point, I’m a little tired of being pushed around by both sides. I know the issues, and I have zero control over either side. So I’ll let other brave souls submit themselves to this over at OWS. At this point, I scratched my own itch: there’s a non-Google-Play version available that can self-update freely. I’m using it, it works. Apparently, it’s supposed to work without GCM, but that’s not really working yet in my experiments, so I’ve given up on that for now, but I was hoping someone else would push this again.

Hopefully someone will pick up the flame.

anarcat · April 19, 2017, 3:32pm

One thing F-Droid folks could do would be to help OWS provide a build that can work without proprietary google stuff. That could be in the form of comments on that Microg issue I already mentioned, or other suggestions. I don’t know how gradle works and I barely know the Android ecosystem. I’m just a user here. You guys have a ton of experience, being the free software clearinghouse of Android, and that knowledge is valuable, especially if you share it with upstreams.

I understand it can be frustrating working with OWS, but my experience shows that they actually listen. It just takes time, and patches are worth more than any complaining, which is why I’m hesitant in reopening the discussion there.

NicoAlt · April 24, 2017, 8:15am

I opened an issue about adding a FOSS gradle build flavor to Signal: FOSS gradle build flavor · Issue #6568 · signalapp/Signal-Android · GitHub

epinez · April 24, 2017, 5:12pm

That was fast, already closed by Moxie. Because we can already use it without play services and they don’t want to distribute through F-Droid.

NicoAlt · April 24, 2017, 5:51pm

Closing an issue is one thing. But locking it for no reason is another one. I already wanted to write a reply saying he may understood me wrong because this wasn’t about F-Droid but about the build when I saw it got locked.

At least I can now understand krt, mvdan and the others

epinez · April 24, 2017, 6:09pm

Moxie did the same in the past so I’m not wondering about that. This behaviour is very sad in my opinion and stands in contrast to the idea of Free Software.

olga · July 2, 2017, 5:26pm

One crow doesn’t pick the eye of another crow… OWS partners with Google. https://signal.org/blog/allo/ Moxies behaviour can only mean one thing: He is “selling” the metadata to Google. For Google data is like money. Moxie insisting on staying with Google can only mean he wants them to have the metadata. He won’t get actual money from Google but profit from the cooperation.

hotlittlewhitedog · July 2, 2017, 5:59pm

It’s really difficult to follow your story, can someone makes a summary on 2 lines?
What is the goal of the topic?

olga · July 2, 2017, 6:24pm

I meant, while the text itself is encrypted, the metadata (which phone has signal installed, which phone is texting which other phone at what time, how often do they text, etc.) is available. If they use Google infrastructure these metadata are “sold” to Google whose main business is data/metadata.

Moxie also declared that the apk on their own website, is updated with the least priority, so the Google Play Store has their actual versions earlier. Even if you used the apk from the signal website directly this results in messages from the Play Store (which is often not uninstallable) to upgrade Signal although the internal upgrade says it is actual (as the real actual version did not arrive there yet). This draws Users back to the Google Play Store and enables them to harvest more metadata of users.

Additionally Moxie asked why people complain about Play store while using Googles OS which reveals a thinking of loyalty. That exactly fits to his odd behaviour regarding F-Droid (or any other places than Google Play Store).

Summary in two lines:

Signal is a sham which doesn’t understand the spirit of FLOSS.
As long as it is not rebuildable without relying on FLOSS only it is not FLOSS.

hotlittlewhitedog · July 2, 2017, 6:34pm

But FLOSS doesn’t mean FREE FOR ALL.
With GPL, you can make money!
No problem with the support… but I don’t agree if someone takes my code, builds it and sells it !

olga · July 2, 2017, 6:47pm

Of course you can make money - as long as you are honest about it.

Usually they make money selling the installation, service, hosting or selling it in a double license with different graphics. There is no problem with that.
Selling Metadata of users of an encrypted communication software without telling them while advertising it as exeptionally safe because of FLOSS is at least morally questionable
And last not least the main point: they claim Signal to be FLOSS but it is not rebuildable as it relies on non-free parts. So lastly it is only claiming to be FLOSS.
Saying: “This is FLOSS so use it” and in the same time making it only buildable with proprietary blobs + and talk bad about Forks which try to build it without these non-free blobs + closing the servers to these Forks + forcing/“encouraging” users to use Google Play is not upright.

Don’t understand me wrong - I am sure Signal is a well written beautiful piece of work. And as a user I would love to see it in F-Droid. BUT I don’t want to be sold on the way. There is something like a human right on data protection. Unluckily this is not treated very well these days. And that I even have to think about it regarding the use of FLOSS Software makes me really sad.

anarcat · July 2, 2017, 8:50pm

i don’t quite see where you are coming from here. there are people using a given communication software (signal), and they want to see it more broadly available. they have made numerous efforts, with f-droid and upstream to push for freeing more and more bits of the software. now there is a version of Signal that can work only with free software, including the server side of things. what is the problem exactly here?

Regarding specific points you made:

as far as I know, OWS is not making money by selling users’ metadata. Google may be doing that, but they claim they do not use the GCM profiles for that purpose
Signal is buildable with only free software, in fact that is what the LibreSignal folks are doing. the current official builds link against proprietary Google libraries, but this is something that can be fixed

And regarding the metadata from Signal that is available to Google, I would suggest you review your information on this or provides quotes to back up those claims. As far as I know, while GCM can build a profile of users, they do not have access to actual phone numbers or contact information out of the box. And as a user of the non-google-play APK, I can tell you I can install and upgrade the APK fine without going through the play store. I do not need a Google account to use Signal.

Now I understand people are tired of negotiating with OWS people and there are unnecessary hurdles. But at least get your facts straight here. Furthermore, I think directing towards OWS our frustrations regarding the Android ecosystem as being dominated by Google is not very productive. Fight for a libre Android instead of attacking people that try to make usable crypto work on it. That includes helping F-Droid, but also liberating AOSP itself.