[Y-bar]

Lot's of people have requested justification in related Github issues there, but Signal has not given a clear answer. If there was a security problem with the encryption process I believe a CVE or similar would have been in order because it would affect millions of users.

[palata]

I was not talking about a security flaw.

I was saying that maybe, Signal did not want to push their users to trust the Apple backup by default.

Signal is a nonprofit foundation, it's not like they are trying to squeeze their users with their own secure backup.

[Y-bar]

We are unfortunately rehashing the same arguments from Github, nothing prevents Signal from distrusting Apple by default.

But there is also nothing (except for some secret reason they refuse to elaborate) that prevents them from allowing users to actively chose to trust Apple. Except for their own internal reasons, that is.

It's the user's data after all. The user should be able to control and access it. Sensible defaults makes sense, but the outright refusal to explain why they prevent it is very odd. I have a decent "IT hygiene", I keep my operating system updated with patches, I don't download pirated/cracked software, I have hardware-enabled encryption on my storage devices, I have a good password for my local account, I encrypt my local iPhone backups.

Why should I not be allowed to include my Signal chats in those local backups? Signal has never answered that question, which is very strange.

[palata]

> Why should I not be allowed to

Same as I said above: you are asking for a new feature. Their default is those 20 lines that "protect" the files. If they want to offer you a way to still enable it, someone has to do it. Someone has to work on the UX of it, maybe there is a need to explain to the users why it is less secure when this feature is enabled, and then there is work to do with the criticisms that will come next time someone shoots themselves in the foot because of this feature (because "Signal shouldn't have allowed that in the first place").

I know, you will say "it's not much". But everybody asks for their "small feature", and projects generally can't do everything that everybody asks them to do (and usually for free).

I find it totally valid if they choose that they won't offer features to lower their security, and instead they will work on features having sufficiently good security. Which in this case is the secure backup.

[Y-bar]

> you are asking for a new feature

I think we have vastly different definitions of what is a "new" feature. This is not about adding a new feature, but removing an old bug.

> If they want to offer you a way to still enable it, someone has to do it.

They can just use the iOS system settings to allow users to enable/disable backups. This would be zero code needed. Zero maintainability problems. Zero UX. Zero unexpected data loss for customers. The settings for this is for all sane apps at Manage Storage > Backups > [Device Name] > [App Name].

> I know, you will say "it's not much". But everybody asks for their "small feature"

It's less than anything, it's removing a "feature", which should make things easier to maintain.

Signal _added_ the "feature" to disable the default iOS behaviour that user data can be backed up securely. This caused, in many users life, a bug of unexpected data loss. Signal caused that bug and that data loss by introducing this "feature".

Again, fixing this bug would not require a new feature to be added, but rather an unwanted bug to be removed by removing code needed to maintain it.

> I find it totally valid if they choose that they won't offer features to lower their security, and instead they will work on features having sufficiently good security. Which in this case is the secure backup.

Not a single argument has been given why this would be more secure than the locally encrypted backup you can do yourself in iOS. In fact, it would be sane to suggest that any newly introduced claimed secure system is insecure until tested.

--

Edit: It's also worth noting that their disable-backups feature is a bit hack:y (see https://blog.eidinger.info/prevent-your-apps-files-from-bein...)

[palata]

I understand that you are frustrated. And I understand that if you were to write Signal, you would do it differently.

Still, those 20 lines don't look like a bug to me. And Signal does not benefit from pissing you off. I was just trying to say that maybe, just maybe, there is a valid reason behind this.

[Y-bar]

The bug is not in the detailed implementation of the code logic per se, the bug is that it causes unexpected data loss because iOS users expect all their data to be backed up when they back up all their important data.

As an example, a piece of code sending authentication credentials in plain text across the internet might in isolation be considered free of bugs. But it should never do that to begin with, it should have been designed/architected quite a bit differently.

You are free to carry water for Signal while they repeatedly refuse to even explain why they consider this a valid approach to handle the users data.

[AnonC]

> I was saying that maybe, Signal did not want to push their users to trust the Apple backup by default.

The gap in understanding here is that Signal already trusts iOS by providing an app. It trusts it even more by providing notifications (with sender and content) that go through Apple’s systems. It integrates with CallKit to work with the Phone app. Putting iCloud alone in a separate bucket doesn’t make sense. They could’ve done this same backup with a 64 character recovery key and stored the data in iCloud. Signal made an intentional choice not to allow backups on iOS.

One can only hope that the point about supporting other backup endpoints/storage gets implemented sooner rather than having to wait several more years.

[palata]

> They could’ve done this same backup with a 64 character recovery key and

Again: they could have, but it would have taken time and resources. The complaint here is not that Signal doesn't want to allow backups: they are just announcing a secure backup feature.

The complaint is that Signal did not do it earlier, and instead decided to prevent what they considered an insufficient solution.

> Putting iCloud alone in a separate bucket doesn’t make sense.

Of course it makes sense. What you say is akin to saying "end to end encryption makes no sense, because if you have to trust iOS anyway, you may as well trust the server".

Because I trust Android and run Signal there does not mean that I want it to auto-upload my messages to Google Drive. I don't see what makes it so hard to understand.

> One can only hope that the point about supporting other backup endpoints/storage gets implemented sooner rather than having to wait several more years.

Yes, I hope that too. On top of hoping, one could donate, to slightly contribute to paying the developers that work on it.