
Signal can now be used without Google Play Services - marco1
https://github.com/WhisperSystems/Signal-Android/commit/1669731329bcc32c84e33035a67a2fc22444c24b
======
bubblethink
This is great news. Is there sufficient interest in making a secure dumb phone?
If it's cheap enough, I think some people may be interested. The rough
design for the phone can be something like this: It should not be a real
phone. i.e., No baseband or actual cellular connection. It should work only
over wifi (ath9k maybe?), and have provisions for always-on TOR/VPN. The rest
of the hardware and software can be derived as some combination of Neo900,
Replicant and copperheadOS

~~~
unicornporn
Next problem: Signal will not work without a phone number...

I'd vote for [https://riot.im/](https://riot.im/) instead.

~~~
chc4
Does matrix even support end-to-end encryption? Last I checked it didn't have
/any/, except maybe server-to-server and even that wasn't enabled.

I also seem to remember going over their homebrewed cryptographic ratchet and
it didn't properly HMAC.

EDIT: Apparently riot.im supports E2E, but it's not a part of the Matrix
protocol and it's not encrypted by default. The Olm ratchet was also audited by
NCC, so that's nice.

~~~
jdkfree
They have e2e on all devices now.

~~~
feld
But still no way to enforce or enable as default.

------
kestrelhawk
I've recently been attempting to gradually liberate my data from reliance on
Google's services, not just for being more privacy conscious but by a means of
exploring new services offered by other companies/developers and to
decentralise my data. I've started this process by installing Lineage OS on my
OPX device and selected the bare-minimum of Google Services - Google Play
Store/Services.

From what I've done so far I imagine it's quite difficult to remove dependency
on Google Play Services and I've been wondering, which alternatives exist and
what's the rationale behind completely removing dependence on Google Play
Services? With Lineage OS I've been able to restrict most permissions besides
storage so is there any need to remove it?

~~~
mverwijs
There is no need for any Google software. Just install lineageOS, then install
f-droid and from f-droid install Yalp Store. From Yalp you can install any app
from Google Play, should you want to.

~~~
omash
More people should know about Yalp! Awesome.

~~~
voltagex_
Just note that Yalp is storing the username and password you give it server
side.

~~~
Cyphase
They have an experimental option to login without giving your credentials; I
just tried it minutes ago.

------
yagni3
I still like Matrix' federated first approach to the server over Signal's, but
this is a welcome change. Now we just need an F-droid build (official repo or
built by the F-droid team).

~~~
ycmbntrthrwaway
The problem with the federated approach is that it leaks metadata. When you take
a centralized system apart and expose internal communications to the Internet,
you reduce anonymity. The extreme case is when everyone uses his own homeserver
and information on who calls who and when is completely exposed.

It is not enough to make the system distributed, you need to exploit the fact
that different parts of the network are controlled by different parties to
build self-enforcing protocols that ensure anonymity.

For comparison, see how bitcoin is just distributed and zerocoin is anonymous.
Gnutella is just distributed and FreeNet is anonymous.

~~~
tptacek
That's not the only problem, or the most important problem. The most important
problem of federation is that it generates lowest-common-denominator security.
For instance:

[https://whispersystems.org/blog/giphy-experiment/](https://whispersystems.org/blog/giphy-experiment/)

This is how Signal provides Giphy search (spoiler: they tunnel a TLS
connection through their own server, with TLS negotiated end-to-end from the
Signal app to the Giphy server, so that Giphy can't tell what client is
searching for what GIF while at the same time Signal's servers can't see what
people are searching for).

Does anyone believe that in a world where 90% of Signal-network client
installs weren't Signal.app, that this is how features like this would work?
It's not an unknowable question. All you have to do is look and see how
Signal's competitors, like Wire, tackle this problem.

It's true that in a federated Signal-network, you might get clients that have
security features Signal itself lacks. But because it's far easier to produce
an insecure client than a secure one, insecurity will dominate, and be a boat
anchor around any efforts to improve security down the road.

Call it "the libpurple problem".

~~~
comex
All true, but I think the situation looks a little worse for centralization if
instead of 'security features', you think in terms of 'vulnerabilities'
(almost but not quite an antonym). Signal probably has a lower vulnerability
rate than competing software, but if someone finds an implementation bug, it
can be used against every user on the network. Compare to, say, IRC, where
there are a lot of really poorly written clients, but the sheer number of
clients in use would limit the fallout of any one exploit.

Likewise, Open Whisper Systems is pretty trustworthy, but if someone gets
access to their servers, either by hacking or by coercion, and starts, say,
logging metadata (who's chatting with who), all Signal users are compromised.
When I chat on a private (and SSL-only) IRC server, the security guarantees
are awful compared to Signal - and I'm not saying that's not a problem - but
at least I know that my conversations will only be compromised if someone
really has it out for my group in particular; they won't show up in some
massive leak and/or government database.

This also applies to binary distribution. When software is compiled by N
different distros or package managers or by users directly, that does make it
hard to get security updates out in a timely manner. But with a centralized
system like Signal's, if the binaries are compromised, everyone is pwned. Yes,
measures like reproducible builds can reduce the risk, but they're far from
perfect. Is there even anyone who verifies Signal builds on a regular
basis/automatically?

------
ticoombs
What does this mean for an official Fdroid option?

~~~
Cyphase
Requiring Google Play Services is not the main reason Signal hasn't been on
F-Droid; you can read Moxie's thoughts on the subject in these comments (and
in other places):

[https://github.com/WhisperSystems/Signal-Android/issues/127#...](https://github.com/WhisperSystems/Signal-Android/issues/127#issuecomment-13335689)

[https://github.com/WhisperSystems/Signal-Android/issues/281#...](https://github.com/WhisperSystems/Signal-Android/issues/281#issuecomment-21762482)

~~~
boondaburrah
While google play certainly helps with these issues, I currently have both
whatsapp and firefox installed from their respective websites by downloading
the APK directly. WhatsApp is happy to notify me when there's an update, and
it's one click to download and install. Firefox downloads the update
automatically, and again, it's one tap to start the install. Mozilla crash
reporter runs when it needs to, etc.

So while google play gives you these features "for free," it's not impossible
at all to have them without. Only unattended upgrades require special access,
and to be honest personally I never want things modifying what's installed
without asking.

~~~
zer0t3ch
The thing is, you know what you're doing. He makes a fair point in that his
target audience is people who don't know what they're doing, which is
inevitably going to lead to people downloading "brand new updates" that are
full of malware, or worse, backdoored.

------
interfixus
Taking this long to shake officially somewhat free of the Play Store
horror is one thing which tells me to stay clear of Signal.

Not that it matters. The phone number thing was a dealbreaker from the
beginning.

------
psynapse
Very welcome news.

I discovered after doing a clean flash recently that the ability to have
Google Play Services on the phone but disabled, became unavailable. I used to
use it exclusively for Signal - it meant no push notifications, but I could
still foreground the app for it to check for messages.

I was disappointed that I could not install Signal again, even though my phone
number was registered, without Google Play.

I was preparing to walk the microG services (or similar) path, but now I don't
have to.

------
JustSomeNobody
I don't feel like wading through a diff to find out so could someone explain
what they changed? How are they handling notifications and what impact might
this have on battery life?

------
7ewis
Won't this just drain the battery _very_ quickly?

~~~
invisiblevoid
Sure it will. But there isn't so much they can do about it. Google could.

Still, people asked for an option to use Signal without Play Services, and
here it is. Even if it will drain their battery a lot faster. Moxie actually
said this beforehand:

> I expect it to have high battery consumption and an unreliable user
> experience

source:
[https://news.ycombinator.com/item?id=12883410](https://news.ycombinator.com/item?id=12883410)

~~~
i2shar
> I expect it to have high battery consumption and an unreliable user
> experience, but would be fine with it if it comes with a warning and only
> runs in the absence of play services.

So for those who are still running on devices with Play Services, it will
still use GCM, and hence won't be a drain on the battery?

~~~
smichel17
> So for those who are still running on devices with Play Services, it will
> still use GCM, and hence won't be a drain on the battery?

Correct

------
shp0ngle
Finally, all the 10 people who were waiting for this can use Signal.

~~~
catwell
Few people use phones without Google Play Services.

Because of that, it doesn't make sense for application developers to support
the use case.

Because of that, lots of applications don't work without Google Play Services.

Because of that, few people use phones without Google Play Services.

(And then people complain about the lack of open Android alternatives, or that
other OSs such as Sailfish do not take off despite doing crazy things to
support Android applications.)

~~~
Nition
You can actually install Google Play Services on Sailfish and it's easy to do,
but not officially supported obviously.

~~~
catwell
The actual Google Play Services or microG? Last time I checked the solution
was microG but it requires you to root your phone, which on Sailfish basically
means you don't care about security at all.

~~~
Nition
The actual Google Play Services:
[https://together.jolla.com/question/30926/howto-install-goog...](https://together.jolla.com/question/30926/howto-install-google-play-on-original-jolla-phone-sbj/)

It's basically just installing the APK, although there are a few more steps
than I thought I remembered.

------
rorykoehler
I don't get notifications on Signal. Android 6.0. Anyone else experience this?

~~~
farless
No, notifications work for me. Android 7.1.1. Check out their support page for
some ideas to fix this:
[https://support.whispersystems.org/hc/en-us/articles/2181125...](https://support.whispersystems.org/hc/en-us/articles/218112597-Where-are-my-notifications-)

~~~
rorykoehler
Yes, I have ensured all my settings are correct. I get notifications when
someone "new" joins signal but not when a message comes through. Same issue
with Telegram. I suspect it's an issue with Android notifications.

------
romanovcode
I wish every app would be possible to use without Google Spy Services.

------
simplehuman
Has anyone tried Signal's voice calling? The overall voice quality is very
poor and the voice volume is extremely low. And call me stupid, but I could
not even find the video call button in signal (on android).

I had to sadly switch back to WhatsApp because voice and video quality are
stellar.

~~~
bubblethink
Voice is getting better. It's in beta right now. Both parties need to enable
it in the settings right now. I tried it recently, and it worked quite well
for the most part. They'll presumably iron out the issues before a general
release.

~~~
simplehuman
Are you talking about Video and not Voice? I didn't have to enable anything
for Signal Voice calls.

~~~
bubblethink
Yes, it's the same setting for both video and voice, which uses the newer
webrtc stuff. The old voice support is being phased out, which is probably
what you've used in the past.

