by Mediterraneo10 1975 days ago
Signal may have only supplied that metadata at the time. But what I am concerned about is that if Signal is US-based, couldn’t the state demand Signal’s app signing key via a NSL, and couldn’t that signing key then be used for targeted attacks by which someone of interest gets a Signal app upgrade that is malicious (while everyone else gets the non-malicious app)? I admit to being somewhat unfamiliar with Android distribution through the Play Store, so if this is unfeasible, help me understand why.
3 comments

Yes. But if you specifically are targeted by organisations capable of issuing NSLs, you're completely hosed already. (And they're just as likely, if not more so, to have done that to your OS instead of just the Signal app.)
Technically they could get the signature key, but they can't force Signal to publish it via the store. Users would have to download an .apk file and install it directly. At that point there is no reason to have the signing key at all as the phone will recognize a sideload as a third party install. As far as I know, the government cannot compel a company to do something like update an app.
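The rule the comment above is reaching for is the one Android's package manager actually enforces: an update to an installed package is accepted only if it is signed by the same certificate as the version already on the device, regardless of whether the APK arrives through the Play Store or as a sideload. The Go program below is an added example written for this page, not code from the thread, from Signal, or from Android itself. It stands in ed25519 keys for the APK signing certificate, a constructed package name for the real one, and a toy "device" for the package manager; it does not model the Play Store or Google's Play App Signing. It shows that a device cannot distinguish a malicious update signed with the vendor's real key from a legitimate one, which is the crux of the signing-key worry raised in the post.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedAPK is a toy stand-in for an APK: package name, versionCode, the
// archive bytes, the signer's public key (playing the role of the signing
// certificate) and a signature over all of the above. (Constructed model.)
type SignedAPK struct {
	Package     string
	VersionCode int
	Body        []byte
	SignerPub   ed25519.PublicKey
	Signature   []byte
}

// digest binds name, version and contents together before signing.
func digest(pkg string, version int, body []byte) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%s\x00%d\x00", pkg, version)
	h.Write(body)
	return h.Sum(nil)
}

// SignAPK produces a signed package with the given private key.
func SignAPK(priv ed25519.PrivateKey, pkg string, version int, body []byte) SignedAPK {
	return SignedAPK{
		Package: pkg, VersionCode: version, Body: body,
		SignerPub: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, digest(pkg, version, body)),
	}
}

var (
	ErrBadSignature   = errors.New("signature does not verify against embedded signer")
	ErrSignerMismatch = errors.New("update signed by a different certificate than the installed app")
	ErrDowngrade      = errors.New("versionCode is not newer than the installed one")
)

// Device models the installed-package table: package name -> installed APK.
type Device struct {
	installed map[string]SignedAPK
}

// Install mimics the package manager's checks: the signature must verify,
// and for an already-installed package the signer must match exactly and
// the versionCode must increase. Install source is deliberately not an input.
func (d *Device) Install(apk SignedAPK) error {
	if !ed25519.Verify(apk.SignerPub, digest(apk.Package, apk.VersionCode, apk.Body), apk.Signature) {
		return ErrBadSignature
	}
	if cur, ok := d.installed[apk.Package]; ok {
		if !bytes.Equal(cur.SignerPub, apk.SignerPub) {
			return ErrSignerMismatch
		}
		if apk.VersionCode <= cur.VersionCode {
			return ErrDowngrade
		}
	}
	d.installed[apk.Package] = apk
	return nil
}

// RunScenario plays out the thread's question on a fresh device and returns
// the outcome of each install attempt, keyed by label. nil means accepted.
func RunScenario() map[string]error {
	const pkg = "org.example.messenger" // constructed, not a real package name
	_, vendorPriv, _ := ed25519.GenerateKey(rand.Reader) // the vendor's signing key
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)  // an attacker's own key
	dev := &Device{installed: map[string]SignedAPK{}}
	out := map[string]error{}

	out["initial"] = dev.Install(SignAPK(vendorPriv, pkg, 100, []byte("v100 benign build")))
	out["legit-update"] = dev.Install(SignAPK(vendorPriv, pkg, 101, []byte("v101 benign build")))
	// Attacker without the vendor key: valid signature, wrong signer -> rejected.
	out["other-key-update"] = dev.Install(SignAPK(otherPriv, pkg, 102, []byte("v102 trojaned build")))
	// Genuine build modified after signing: signature no longer verifies -> rejected.
	tampered := SignAPK(vendorPriv, pkg, 102, []byte("v102 benign build"))
	tampered.Body = []byte("v102 trojaned build")
	out["tampered"] = dev.Install(tampered)
	// Attacker holding the vendor's real key: indistinguishable from a legitimate update.
	out["stolen-key-update"] = dev.Install(SignAPK(vendorPriv, pkg, 102, []byte("v102 trojaned build")))
	return out
}

func main() {
	for label, err := range RunScenario() {
		fmt.Printf("%-18s -> %v\n", label, err)
	}
}
```

The device-side check only answers "was this signed by the key I already trust for this package"; once that key is in someone else's hands, the remaining controls are key custody and the distribution channel, which is exactly where the rest of the thread turns.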
> but they can't force Signal to publish it via the store

Is there not a suspicion that Google, another US-based corporation, may have some agreement with American national security to supply malicious APKs to individual targets via the Play Store? Having Signal’s signing key would allow the state to present that custom-targeted APK as an ordinary Signal version update.

While I'm not saying Google hasn't done something like this (I have no proof either way), there's a strong legal argument to be made that forcing a company to produce binaries is compelled speech, which goes against the First Amendment.
It's more about preventing companies like Facebook from getting their hands on everyone's data and abusing it, as well as preventing organizations like Signal themselves from using / abusing this data. We won't ever truly know if Signal's data makes its way into the hands of government security agencies, but I would say it more than likely does, or it will if they want it to in the future.

If some government wants to get you, they will get you, probably via your operating system... Signal won't help you. If that's your concern, then you gotta stay off the internet, to be honest!