I’ll cut straight to the chase: updating the Signal app annoys me and I’d like to know your best practices.

As far as I know, there are three ways of updating Signal:

  1. From the Play Store. This works quite reliably, yet comes at the cost of trusting and connecting to Google’s servers.
  2. Via the app’s built-in auto-updater that will, after a while, suggest an update through a notification. However, the frequency of these updates is really lackluster and thus unreliable, and there’s no way to trigger an update check manually.
  3. Via the APK on Signal’s website. In order for this to work, you need to have done the initial installation of the app from an APK already. Also, as far as I know, this version will not use GCM / Push notifications, but rather deliver notifications through a web socket, which is a huge drain on battery. Also, you’ll have to constantly check for updates yourself or rely on the (unreliable) self-updating mechanism (see 2).
  4. //Edit a fourth way might be to just update via Obtainium and pulling APKs off their Github. I’m not sure what that does to GCM/Websocket usage, see 3.

Let me know how you do it, and if there’s something I’ve overlooked.

    • _Nemo_@lemmy.mlOP
      link
      fedilink
      arrow-up
      10
      ·
      4 days ago

      I’ll reply to you since you first brought it up, but it’s a question to anyone here recommending Molly: what makes you cofident that Molly is secure (i.e. they’re not fucking up Signal’s cryptography by accident) and maintained by trustworthy people. Signal does get audits from time to time, Molly doesn’t.

      Mind you, I’m not trying to shit all over Molly; Unified Push looks great. I’m trying to approach this with due caution though.

      • Handles@leminal.space
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        6
        ·
        4 days ago

        What makes you confident Signal is secure? It’s a centralised service, so there’s a single point of failure 🤷

        • _Nemo_@lemmy.mlOP
          link
          fedilink
          arrow-up
          3
          ·
          edit-2
          3 days ago

          Ignore the downvotes. That’s a fair question to ask, but one that does have answers. Signal is FOSS, has E2EE and was audited several times, so we know that

          • it did not contain any backdoors at the time of the audit
          • it will not for the foreseeable future (they’d be visible in the client code)
          • I need not trust the server code since messages are E2EE

          Thus, while mistakes do happen and can open up severe vulnerabilities, cf. Heartbleed, there’s reason to assume that Signal is relatively secure. Signal’s centralisation of server infrastructure is a valid concern, but not for security, but rather for

          • privacy (they might capture metadata, although it appears they don’t; nation-state actors trying to subpoena user data have so far only gotten “date of registration” and “last online”, which appears to be all they’re storing; that’s as close to “zero knowledge” as you get)
          • availability (as the recent AWS outage has shown, which took out Signal as well)
    • rnercle@sh.itjust.works
      link
      fedilink
      arrow-up
      5
      ·
      4 days ago

      at some point Molly started customising Signal’s appearance or rather imposing a coloured theme. Some of us wrote back and we were ignored.

      I went back to Signal with black backgrounds.

    1. Molly (with or without Unifed-Push) from F-Droid.

    For a couple of years, I had Signal installed via apk from their site. Messages were sometimes delayed, sometimes not, but the updates seemed to work just fine.

    I’ve switched to an install from Google Play by way of Aurora. Messages are arriving much quicker now.

  • MidnightMarauder@lemmy.dbzer0.com
    link
    fedilink
    arrow-up
    11
    ·
    4 days ago

    Aurora store, google play store client that let’s you download from te google repository without signing in. Its on f-droid I think. Signal still uses google services for notifications tough. I recommend Molly if you also want to skip that.

    • _Nemo_@lemmy.mlOP
      link
      fedilink
      arrow-up
      2
      arrow-down
      1
      ·
      4 days ago

      Aurora is all I use. We’re still trusting Google not to inject anything malicious into the app, which they’ll do in a heartbeat if the feds come knocking.

      • MonaySimpson@lemmy.ml
        link
        fedilink
        arrow-up
        5
        ·
        4 days ago

        If you listen to Graphine aurora is also unsafe as it just pishes the APK without signature check.

        Obtanium can pull APKs from a website so you could use it to install the non GitHub version of signal.

  • rando@lemmy.ml
    link
    fedilink
    arrow-up
    4
    ·
    4 days ago

    In my case I find signal updates (through notification) way too often. I’ve actually added “Guardian project” repo to F droid specifically for signal auto updates. It comes with few other good apps. (This is generally a day slower than notification update, I just ignore notification for a day)

    • _Nemo_@lemmy.mlOP
      link
      fedilink
      arrow-up
      2
      ·
      3 days ago

      Follow-up: I added the Guardian project repo to FDroid. Turn out: once FDroid has the repo, it can “take over” and do updates, even if Signal was originally installed from the Play Store / Aurora. That pretty much solved my primary issue here. (I’ll look into Molly at a later point anyway, just for the sake of curiosity.)

      Thank you, once again!

    • _Nemo_@lemmy.mlOP
      link
      fedilink
      arrow-up
      3
      ·
      4 days ago

      Now that’s a smart solution that might just work for me. I completely forgot that they were packaging Signal for their repos too! For anyone interested: Here’s the link to their repo.

  • Hund@feddit.nu
    link
    fedilink
    arrow-up
    1
    arrow-down
    6
    ·
    edit-2
    3 days ago

    Don’t use Signal if you care about privacy.

    Edit: Cool. This is just like Reddit! You get downvoted for stating facts. :D

    • _Nemo_@lemmy.mlOP
      link
      fedilink
      arrow-up
      1
      ·
      1 day ago
      1. Blurt out an opinion without the slightest effort to support it with evidence.
      2. Whine you’re getting downvotes for ir.
      3. Claim your baseless opinion is “just stating the facts”. Again, refuse even the tiniest amount of reasoning.
      4. Profit?
      • Hund@feddit.nu
        link
        fedilink
        arrow-up
        1
        ·
        1 day ago

        You’re forced to use a phone number and a phone from Google or Apple. Do I have to say more? This is not a claim. It’s a fact. Well. Unless something has changed?

        I have never whined, but I can see how you wish that would be true. ;)

        And, my apologies, if I have somehow hurt your feelings. It was never my intention to do so.

        • _Nemo_@lemmy.mlOP
          link
          fedilink
          arrow-up
          1
          ·
          6 hours ago

          Thanks for providing some evidence at last. You’re not wrong on many of those points, but not entirely right either.

          Phone numbers are an issue, true, though you can get around that using a burner SIM or even a virtual phone number. Also, contact discovery has been working without exposing your phone number for over a year now.

          a phone from Google or Apple

          The phone can be made by anyone. The OS needs to be Android or iOS at some point, which is unfortunate; pure (desktop) Linux usage isn’t possible. That said, deGoogled Android has been around for more than a decade, allowing you to use Android in a privacy-friendly way. So if you want, you absolutely can avoid being tied to Google and use Signal.

          As you can see, there’s a lot more nuance here than “Signal isn’t private”; privacy, after all, isn’t binary, but rather a gradient. For what it’s worth, Signal is more private than many messengers out there by a long shot, and it allows you to use it in more privacy-friendly ways if you so desire. While there are messengers out there that go even further in terms of security, privacy and decentralisation, a lot of them come with usability and convenience drawbacks. The way I see it, Signal sits in a Goldilocks Zone of “private enough” (for most threat models) and “convenient enough” for mainstream adoption. You can have the most secure and air-tight messenger; if there’s nobody there to talk to, it’s no more than a technically sophisticated brick. For now, Signal may be our best shot for mainstream adoption of reasonably private and secure messaging. If your threat model is higher than that of average Joe, by all means, go for Briar, SimpleX chat or any of the more hardcore options.

          • Hund@feddit.nu
            link
            fedilink
            arrow-up
            1
            ·
            5 hours ago

            Phone numbers are an issue, true, though you can get around that using a burner SIM or even a virtual phone number.

            You can’t buy any SIM here without providing ID. I believe that’s more of a rule than an exception these days, but I don’t have any actual numbers to back up my claim.

            However. I don’t think that anyone requiring extreme privacy would use any phone whatsoever.

            Also, contact discovery has been working without exposing your phone number for over a year now.

            I trust Signal when it comes to security and privacy.

            The phone can be made by anyone. The OS needs to be Android or iOS at some point, which is unfortunate

            With the Google Play Services or whatever it’s called, which is required for notifications to work.

            Remember that they have killed people based on metadata alone.

            That said, deGoogled Android has been around for more than a decade, allowing you to use Android in a privacy-friendly way.

            It’s what I’ve been using for years. :) GApps has always been optional. Back in the days vanilla Android was even perfectly useable without GApps! It feels like AOSP is basically only a kernel these days.

            So if you want, you absolutely can avoid being tied to Google and use Signal.

            Yes, but you will have to rely on third party clients, which Signal don’t like. That’s not a great experience. :/

            As you can see, there’s a lot more nuance here than “Signal isn’t private”; privacy, after all, isn’t binary, but rather a gradient.

            I guess so. I’m not much of a person of nuances though. I like living in a binary world. :D

            The way I see it, Signal sits in a Goldilocks Zone of “private enough” (for most threat models) and “convenient enough” for mainstream adoption.

            That is true. Perhaps I’m a bit hard at them, but then again, I’m a binary person. ;)

      • Hund@feddit.nu
        link
        fedilink
        arrow-up
        2
        ·
        2 days ago

        Haha! I appreciate your refreshing honesty, and I reward you with an upvote. ;)