Silence encrypted SMS app not updated since March, 2018

I recently installed the Silence encrypted SMS app using F-Droid. Today, I noticed that there hasn’t been a new version released, nor any commits to their GH repo, for a year. If they have moved development to another code forge, they haven’t updated their homepage at silence.im to reflect this. Even more worrying, the warrant canary on their homepage hasn’t been updated for a year either. I just filed an issue on their GH issues tracker about this.

Encrypted messaging apps that are unmaintained, and potentially compromised by law enforcement, could be putting users at risk. At minimum, the facts noted above ought to be added to the Silence entry in F-Droid as anti-features. But I would suggest removing Silence from F-Droid unless and until someone trustworthy takes over the project, updates the code, and releases a new version.

Does F-Droid have any policy on how to handle such situations?


They didn’t.

How can “they” compromise it by NOT updating it?

What anti-feature “app has not seen an update in a while”, what does that even entail? Did the app break for you?

Remove? Maybe half the repo should be removed too since apps don’t get updated? Who decides “who” is trustworthy? Why do you need an update? What feature should the new version have “new”?

Yeah, if the app works…keep it. And this app works fine… even on Pie.

@strypey Also, that canary has been updated to 5/5/19, so I believe all’s well, after all.

I read such a situation as the maintainers see the app as currently feature-complete & no outstanding security issues re: which they’re concerned.

If you’re concerned, you can always run a code audit of https://github.com/SilenceIM/Silence & fork from wherever you see fit. I’m sure F-Droid would include your variation, also.


@TPS

that canary has been updated to 5/5/19

Yes, but only after I pointed out in that GH issue how long it had been since it had been updated. It will be interesting to see if it’s updated again on time the next time it expires.

I read such a situation as the maintainers see the app as currently feature-complete & no outstanding security issues

That’s a dangerous assumption to make about an encrypted communications app, given that even when I asked directly in that issue, the maintainer said nothing to the effect that they are actively monitoring security bugs in their code.

@Licaon_Kter

How can “they” compromise it by NOT updating it?

Assuming they are not rolling their own crypto (which is usually a bad idea), there’s a good chance that one or more of their upstream dependencies have updated their code in the last year, to fix bugs discovered in that time. If that’s the case, Silence would now contain out-of-date code that could contain unpatched vulnerabilities.

Notice I said “could be putting users at risk”. Perhaps nothing has changed in the last year, in any of the software that Silence interacts with, and no bugs or vulnerabilities have been discovered in that time that affects Silence. Perhaps. But I wouldn’t trust an unmaintained encryption app with any communications I wouldn’t trust to a non-encrypted app.

Maybe half the repo should be removed too since apps don’t get updated?

Maybe. But it’s especially worth considering for apps that claim to secure user communications using encryption, for the reasons given above. A false sense of security is worse than no security. I initially trusted the encryption claims made by Silence because it was in F-Droid, with no warning that it appears to be unmaintained.

Who decides “who” is trustworthy?

I’m not claiming the maintainer isn’t trustworthy. I’m saying they are entirely absent, except when prodded by a public issue to update their warrant canary.

What feature should the new version have “new”?

It’s not about features, it’s about maintaining the security of the existing features.

this app works fine

How do you know? Have you tried to break the encryption?

I’ll give you this, yes.

A quick update on this: according to a comment on another GH issue, made on May 20, 2019, the reason for the lack of activity on the GH project is that Silence devs are in the process of moving from GH to a self-hosted GitLab instance. I just asked for an update on that in the issue.
