A week ago my Signal app had 2 separate app updates, a few days apart, from the app itself, asking for install from unknown sources to be checked inside the settings. It gave prompts from the notification drop-down, such as "app update available". I clicked it, it asked for the setting to be checked, I checked it, it said it updated, and all seems well and fine.

But this was done outside of both stores which usually update the app, say F-Droid or Aurora. I’ve never seen this happen ever. It wasn’t a user confirmation. It was a total app update.

Seems odd that the Signal app itself asked to update itself from a notification from the drop-down menu. How can I make sure it has not been compromised? Anyone else experienced something of the sort?

Android phone. Pixel. GOS.

  • 3aqn5k6ryk@lemmy.world
    2 months ago

    Signal is not distributed outside the Play Store and Signal’s own website. If you downloaded it from F-Droid, it’s probably from the Guardian repo.

    If you download it from the Play Store, Signal will update through the Play Store. If you download it from Signal, it will update through itself. If you download it from the Guardian repo, it’s basically the same as downloading from the Signal website: it will update itself.

    The thing you can do is just basically turn off the update notification and just update it from the Guardian repo. Or just disable the Guardian repo and let Signal update itself.

    • OhVenus_Baby@lemmy.ml (OP)
      2 months ago

      This sounds like the answer. The app updates from the Guardian repo. I will change the update path. Say the app had, well, something malicious injected: would a new update flush the old app and bring in the brand new one?

      • 3aqn5k6ryk@lemmy.world
        2 months ago

        I’m not really sure about the update part, but Moxie himself is hesitant to release it outside of the Play Store and the Signal website. Even the GOS dev isn’t really a fan of F-Droid, from what I read at the GOS forum.

        It really depends on your threat model. What I’m trying to say is, if you really want to make sure, download from the Signal website and let the app update itself next time. No middle man.

  • JoeKrogan@lemmy.world
    2 months ago

    If you trust the initial install, then unless there is a warning about the signing key you are good. Only Signal devs can sign the builds, so if you installed the Play Store version and then updated with their standalone APK or the F-Droid version, it should just work, as the signing key is the same.

    Guardian Project are just publishing Signal’s APK files, as the signature matches.

  • ZeDoTelhado@lemmy.world
    2 months ago

    My Signal app tries to update itself. Installed from Obtainium. It is a very irritating process: the thing tries to update, there are sometimes weird response times from clicking it (you click the notification and simply do not know if something is happening), and then without notice the thing restarts and then usually it works. But sometimes the update notification still comes back. Because of that, I just update via Obtainium.

    • OhVenus_Baby@lemmy.ml (OP)
      2 months ago

      I had this happen. I clicked the notification many times and nothing happened. Then eventually it did. It was odd. I just wanted to make sure everything was still intact.

      • Alas Poor Erinaceus@lemmy.ml
        2 months ago

        Signal isn’t on F-Droid out of the box, I don’t think, but it is in the Guardian repo and probably in a few others as well. I downloaded the Signal apk directly from their website, and that version does auto update and has for quite some time.

        EDIT: if you’re worried about it, I suppose you could uninstall it and then download it from them directly (be sure to verify the certificate), after which it will prompt you to update it periodically from the app itself.

        Even better, you could think about switching to Matrix.

        EDIT EDIT: Although basically I’m just passing on dessalines’s recommendation to you, I don’t really understand Matrix too well, especially the bridges.
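
Added example, not part of any comment above and not Signal's own tooling: one way to do the "verify the certificate" step and the signing-key comparison mentioned in the thread, before installing a downloaded APK. It assumes `apksigner` from the Android SDK build-tools is installed; the function names and the sample certificate values are constructed for illustration, and the real pin must be copied from the publisher's download page.

```shell
#!/bin/sh
# Added example. Requires apksigner (Android SDK build-tools) for real use.
# Usage: sh check_apk.sh Signal.apk "<SHA-256 fingerprint from the download page>"

# Strip colons/whitespace and lowercase, so "AB:CD" and "abcd" compare equal.
normalize_fp() {
  printf '%s' "$1" | tr -d ': \r\n' | tr 'A-F' 'a-f'
}

# stdin: output of `apksigner verify --print-certs`.
# stdout: one normalized SHA-256 certificate digest per signer.
signer_digests() {
  sed -n 's/^Signer #[0-9]* certificate SHA-256 digest: *//p' |
    tr -d ': \r' | tr 'A-F' 'a-f'
}

# $1: pinned fingerprint; stdin: apksigner output.
# Succeeds only for exactly one signer whose digest equals a well-formed pin.
matches_pin() {
  want=$(normalize_fp "$1")
  got=$(signer_digests)
  count=$(printf '%s\n' "$got" | grep -c . || true)
  [ "${#want}" -eq 64 ] && [ "$count" -eq 1 ] && [ "$got" = "$want" ]
}

# Constructed sample of apksigner output (not a real certificate).
SAMPLE_OUTPUT='Signer #1 certificate DN: CN=Example Signer
Signer #1 certificate SHA-256 digest: 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
Signer #1 certificate SHA-1 digest: 00112233445566778899aabbccddeeff00112233'
SAMPLE_PIN='00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'

if [ "$#" -eq 2 ]; then
  # apksigner exits non-zero when the APK signature itself does not verify.
  out=$(apksigner verify --print-certs "$1") || { echo "signature invalid" >&2; exit 1; }
  if printf '%s\n' "$out" | matches_pin "$2"; then
    echo "OK: certificate matches the pinned fingerprint"
  else
    echo "MISMATCH: certificate differs from the pin, do not install" >&2
    exit 1
  fi
fi
```

On the device itself, Android already refuses an in-place update whose signing certificate differs from the installed app's, which is the "warning about the signing key" case; this check covers the first install, where nothing is installed yet to compare against.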