The Signal messenger and protocol.


https://signal.org/

1
 
 

The Federal Government and the EU Commission are still making every effort to enable their secret services and police to read all the chats of the population legally and technically. One obstacle is end-to-end encrypted messenger apps. “I use Signal every day,” Edward Snowden, a whistleblower, said in a statement in November 2015. More than ten years later, the messenger service, supported by a non-profit foundation, is still popular with whistleblowers, dissidents, journalists and also political officials and military officials.

So popular that since the end of 2024 at the latest, tricksters have apparently been systematically trying to cheat such people out of the access data to their Signal user account. In order to warn users even more clearly than before about the digital grandchild tricks and to raise awareness of the dangers, the operator of Signal announced new functions for the app on Monday. If you are contacted by non-personally verified Signal users, several warnings should be displayed. “Signal will never send you a message and ask for your registration code, PIN, or recovery key,” reads a note. In addition, users are warned about so-called phishing ("password fishing") and other scams.

Russian traces

In order to establish contact with Signal users, you need the mobile phone number, or the user name selected by the target person themselves, or their QR code. The fraudsters of the recent wave of attacks pose as a Signal support team and claim that the victim must communicate security codes, as their own account may be compromised. The IT security researcher Donncha Ó Cearbhaill, who works for Amnesty International in Berlin, made such a fraud attempt public on X on 8 May. In January, he was contacted by an alleged “Signal Security Support Chat-Bot.” The message claims a “suspicious activity on your device.” The sender also claimed that attempts had been noticed to gain access to “private data in Signal” – followed by the request to reveal the personal verification code.

Ó Cearbhaill was able to look behind the scenes. So he was the target number 13.730 in the database of the perpetrators. “The automated system that governs the campaign” is called “ApocalypseZ” by the operators. The source code and the user interface are written exclusively in Russian. The attackers also translated the communication with the victims into Russian.” This assignment should fit the Cold War concept into this “security authorities”.

On 6 February, the Federal Office for Information Security (BSI), which is subordinate to the CSU-controlled Ministry of the Interior, and the Federal Office for the Protection of the Constitution responsible for counterintelligence, had published a security notice on “phishing via messenger services”. In it, there is talk of a “probably state-controlled cyber actor” who carries out attacks via apps such as Signal. "The minor technical hurdles of this campaign of attack" therefore allow the conclusion that "non-state actors, in particular of cybercriminal groups" could also be responsible. However, the official assessment ends with the verdict: “In view of the high-profile target area, in the currently known cases, a state-controlled cyber actor is likely to be assumed to be the originator.”

Within the following months, it was practically clear for high-reach media: it was Russia. On 9 March, the Reuters news agency reported on “Russian-backed hackers.” The media house Correctiv reported on 29 April that “the digital traces of the campaign would actually lead to Russia.” More specifically: to “a group that categorizes IT security experts from Google as ‘UNC5792’” – whereby the “UNC” stands for unambiguously assigned actors or attacks. Correctiv further claimed that it had “established a connection to previous phishing campaigns against targets in Ukraine and the Republic of Moldova.”

There has been particular excitement since Der Spiegel reported that the phishing attack, often incorrectly referred to as a “hack”, was not only successful for “NATO members” but also for several members of the federal government and the Bundestag. On 22 April, the newspaper had reported that Bundestag President Julia Klöckner (CDU) was one of the victims. The domestic intelligence service had even become present to the chancellor. "In virtually all political groups" there are concerned MPs. According to the SPD group, Spiegel, there were “a few” there. Likewise with the Left Group. The Union Group did not wish to provide any information. Finally, the Attorney General has begun investigations at the Federal Court of Justice on suspicion of intelligence agent activity. The magazine later reported that Education Minister Karin Prien (CDU) and Building Minister Verena Hubertz (SPD) were also said to have fallen for the fraudsters. Should this be true, the perpetrators may have gained access to various Bundestag, government and party-internal chat groups.

In one on 8. Spiegel, published online in May, criticized Signal's president, Meredith Whittaker, for publicly denigrating the politicians affected by the phishing attack for their alleged incompetence. Whittaker urged better funding for the messenger service in the face of the wide spread of signal among senior officials and secrets. He lives on donations. Arms startups like Helsing would get “billions for their promises,” she criticized. “We operate with Signal an already functioning critical infrastructure and are not supported accordingly.” This is “a serious mismatch.” Those who use Signal as intensively “as apparently NATO representatives or the federal government could think about how they can contribute,” she suggested.

In any case, the victims were manipulated by so-called social engineering in order to make the mistake of revealing their security codes. This can happen in any messenger service, the Signal President explained. When asked by Vice-President Andrea Lindholz (CSU) for a Signal ban, Whittaker reacted with incomprehension. “All platforms of this magnitude are vulnerable.” The problem will be followed by migrant users “on all other services, and many of them are considerably more insecure per se.” “It is completely foreign to demand the prohibition of a single secure messenger service, while others remain completely unmentioned,” criticized the Left MP Donata Vogtschmidt on 29 April in a joint communication with her group colleague Sonja Lemke. The prohibition proposal distracts “from the real problem.” Lemke referred to inattentive behavior of app users that “no one can exclude.”

Commercial competition

Lindholz has also called for the complete switch to apps from the manufacturer Wire. At the end of April, “via the Bundestag” this software had already been “pushed”, the left-wing politicians said. “Currently, it is the only messenger service that can be easily installed on the devices of the Bundestag,” explained Lemke. The company behind it has been lobbying »for years at the Bundestag«. It was heard in the Digital Committee that Wire was seeking to integrate its own product into the so-called Germany app.

The portal Heise Online had reported on 28 April on a letter from Klöckner, in which the President of the Bundestag recommended to all deputies the use of the Wire service. The report speaks of "an urgent appeal." The BSI had also already granted the product »Wire Bund« the approval for data of the secrecy level »observed matter – only for service use« at that time. Previously, Spiegel had reported on 24 April that the Union faction is said to have already campaigned to use the messenger service Wire against its deputies in February after a warning letter from the constitutional protection.

In Berlin, the software provider apparently operates the technical development of the instant messenger through its Wire Germany GmbH. For the year 2023, it recorded a profit of around 270,000 euros, according to the annual financial statements. At 298,956 euros, the profit was slightly higher in the previous year. The company is 100 percent owned by Wire Group Holdings GmbH. Its managing director Benjamin François Schilz was, according to the company, brought on board as CEO on 9 February 2024 to drive the “international expansion of Wire”. Schilz is also Managing Director of Wire Swiss GmbH, based in Zug. Wire has moved there after the seat in the USA was probably problematic mainly for image reasons – US companies are legally obliged to cooperate with intelligence agencies. Wire was originally founded by former employees of Apple, Skype, Nokia and Microsoft.

On 11 April 2024, Wire had announced its “strategic partnership” with the Schwarz Group. The goal: to drive “secure communication and data sovereignty in Germany and Europe”. The Schwarz Group includes the retail brands Lidl and Kaufland. The digital division is bundled in the Schwarz Digits KG. Commercial register entries show that as of 21 January, among others, Schwarz New Ventures GmbH holds a 26.4 percent stake, but also Roland Berger Industries GmbH, based in Munich, a 3.3 percent stake in Wire Group Holding. Zeta Holdings Luxembourg SA holds a further 10.2 percent. Wire Germany was registered before 1 January 2025 under Zeta Project Germany.

The two Left MPs suspect that the Wire push from Union circles “is also due to further lobbying of the Schwarz Group, which wants to place its product and which markets itself as a pioneer of digital sovereignty in Europe.”

2
 
 

Signal has introduced new in-app confirmations and warning messages as additional safeguards against phishing and social engineering attempts that could lead to various forms of fraud.

3
 
 

A friend of mine uses iOS. He has a version of Signal 7.72.2. The issue is that he got an alert that Signal would stop working the following day. (This happened 30 April)

"This version of Signal expires tomorrow. Update to the latest version."

The thing is, he went into the Apple App Store, updated it to the latest version (7.72.2) and still, he seems to not be able to use the app properly.

Now he can not send texts, only receive and I simply don't understand why because he did update to the latest version within the app store.

How does one fix this? Any suggestions?

4
 
 

#signal #privacy #expiration
I can't believe that. There is no functionality to delete messages (text, images, videos) older than, for example, 6 months, one year, two years, and so on.
Ephemeral message is not a solution: max is 4 weeks, and only for new messages, not oldest.
That's completely crazy isn't it?
When When When ?

What @aboutsignal @signalapp @signal @signalapp

5
 
 

Title

I know there are some ways to improve it by allowing the app to always run in the background, but still it's very annoying and it happens constantly to me and many others. What is the root problem? Why don't other messaging apps have this problem?

6
 
 

Does anyone even use this? Or does anyone here have friends who regularly post on signal Stories?

Personally I have never seen anyone use it.

7
8
9
10
11
 
 

cross-posted from: https://lemmy.world/post/44029008

From the official Dutch Intelligence and Security Service


information.

“Despite their end-to-end encryption option, messaging apps such as Signal and WhatsApp should not be used as channels for classified, confidential or sensitive information,” states Director of the MIVD, vice-admiral Peter Reesink.

Individual accounts

An interesting aspect of this Russian campaign is that it does not exploit any technical vulnerabilities of the messaging services. The attackers instead make malicious use of legitimate security features of the apps. Director-General of the AIVD Simone Smit states, “It is not the case that Signal or WhatsApp as a whole have been compromised. Individual user accounts are being targeted.”

To increase resilience against this Russian campaign, MIVD and AIVD have published a Cyber Advisory explaining how to identify and respond to attacks. The advisory also gives instructions for Signal users on how to identify potentially compromised contacts.

All Signal users can personally check whether there are any potentially compromised contacts in their group chats. If you see any people who appear twice in the list of members (under the same or a slightly different name), this may be evidence of either a compromised account or a new account created by a victim. If you suspect this to be the case, report this to the information security department of your organisation. Together you can try to verify (preferably using a channel other than Signal or WhatsApp, such as an email or a telephone call) whether it is correct that the account in question appears twice in the chat group contact list. Should this not be the case, ask the group administrator to remove both accounts from the group chat, after which the legitimate account holder can request to rejoin the group. Please remain vigilant for group members who are not recognised by the rest of the group. The actor may occasionally change the display name of a compromised account to remain unnoticed in chat groups, for example to names such as 'Deleted account'. If a member’s display name changes, the group will receive a notification. When the change is the legitimate transition to 'Deleted account', no notification is sent. Actor-controlled accounts can also gain entry to the group via an obtained Group Link, of which the group always receives a notification. In all such unauthorised scenarios, ask the group administrator to remove the offending accounts from the chat. If there is any indication that the group administrator themselves may have been compromised, it is advisable to exit the group and create a new one.

12
13
1
submitted 3 months ago* (last edited 3 months ago) by steam_lover@sh.itjust.works to c/signal@lemmy.ml
14
1
submitted 3 months ago* (last edited 3 months ago) by xoron@programming.dev to c/signal@lemmy.ml
 
 

IMPORTANT: AI is used in this project, so lets get that out of the way. im not sure how to quantify it. i use different AI models on different tasks in the code as well as the documentation. i dont want to mislead or inspire undue confidence in this implementation. its open-source for transparency. not ready for general use.

its always worth mentioning this project is far from finished and i hope with feedback i can make it better. i have put efforts towards directing it towards unit-tests, audit and formal-proofs. none of that is good-enough, but i hope they can complement each other and can act as a starting point for verifying the implementation is correct. the functionality is built around the requirements of my project. it isnt professionally audited or reviewed. use responsibly.

my motivation on this project is that im mainly working on a p2p messaging app. i hope you can understand the pushback i get when i promote my messaging app as “secure”, so this transparency with the signal protocol is necessary. im sure people have better things to do with their time than review unstable and unfinished code. i only put it out there for you to take a look if you're interested. as a solo dev, there isnt anyone reviewing my code. if i dont share it like this, no one will come across it.


The implementation is in rust and compiles to WASM for browser-based usage.

The aim is for it to align with the official implementation (https://github.com/signalapp/libsignal). That version was not used because my use case required client side browser-based functionality and i struggled to achieve that in the official one where javascript is used but is targeting nodejs.

There are other nuances to my approach like using module federation, which led to me moving away from the official version.

This signal-protocol implementation is purpose-built for a p2p messaging app. i posted about it a couple months ago here: https://programming.dev/post/43579394

15
1
submitted 3 months ago* (last edited 3 months ago) by steam_lover@sh.itjust.works to c/signal@lemmy.ml
16
17
1
submitted 3 months ago* (last edited 3 months ago) by zazarpro@lemmy.ml to c/signal@lemmy.ml
 
 

I tried to set up Signal with my MicroG setup but it just says 'Missing Google Play Services' after entering my phone number. Everything is turned on in MicroG (including cloud messaging and device registration) and other apps that use cloud messaging work. I have a bit of a niche setup (fakegapps + rooted stock rom) but I doubt that would cause problems.

Thanks in advance :)

Edit: I forgot to note, I'm doing this mostly for battery savings

Edit 2: I was able to fix it by installing under /system/app; comment thread: https://lemmy.ml/post/43156989/23961778;

Warning!! You need to have MicroG installed as a user app, already, for this to work.

Steps:

Create a folder on your pc with this structure (might not work for other devices; - means subdirectory): folder and also keep in mind you need to have these apps removed with Magisk so Android doesn't even know they exist:

-module.prop
-system
--product
---app
----GmsCore
-----GmsCore.apk
----Phonesky
-----Phonesky.apk
--system_ext
---app
----GoogleServicesFramework
-----GoogleServicesFramework.apk

module.prop should contain this (without the empty lines):

id=yournameforthemodule
name=yournameforthemodule
version=v1.0
versionCode=1
author=yourname
description=blabla

The apks should be this: GmsCore: core MicroG apk ( latest release as of typing: https://github.com/microg/GmsCore/releases/download/v0.3.12.250932/com.google.android.gms-250932024.apk ; or for Huawei: https://github.com/microg/GmsCore/releases/download/v0.3.12.250932/com.google.android.gms-250932024-hw.apk )

Phonesky: fakestore ( https://github.com/microg/GmsCore/releases/download/v0.3.12.250932/com.android.vending-84022624.apk ; Huawei: https://github.com/microg/GmsCore/releases/download/v0.3.12.250932/com.android.vending-84022624-hw.apk )

GoogleServicesFramework: ( updates rarely: https://github.com/microg/GsfProxy/releases/download/v0.1.0/GsfProxy.apk ; Huawei same )

After doing this zip the two folders so it looks like this:

archive:
-system
--....
-module.prop

and flash it to Magisk like any regular module.

I, also, created a Git repo. It's not the best considering I never used Git, but with this you just need to add the apk's: https://gitlab.com/zazarpro/microg-unprivileged-install

18
19
 
 

I have set up a recurring monthly donation of $5 to Signal but it shows on my credit card that the donation is going to "Mozilla Foundation". I double, triple checked and the transaction is from the same date that shows on Signal's donation history. If I do a one-time donation though, it shows up as "Signal Foundation". Anyone see this? I paid with a Robinhood Gold card.

20
 
 

A few days ago I tried to add a contact to Signal. The other person is already a user as none of us can find the other on the network.

On my side, I get a message that the number is still not on Signal, while on the other side the network returns an "unknown error" message when searching for my contact.

What may be causing issues, although it makes no sense for me:

  • I'm an Android user, while the other phone is an iPhone
  • we're from different countries, including different continents, with an ocean apart

Another person, in that same country, has already added my number to their Signal on an Android phone, as well as another number from my country.

This makes no sense whatsoever to me.

Any thoughts?

21
 
 

After today's update (v7.68.4), I cannot enter text in chats any longer: no matter how many times I touch the input field, the keyboard doesn't appear (but it works seamlessly in all other apps).

Is anybody else experiencing this problem? I submitted a bug report with log.

Edit: I found a temporary workaround: interact with some elements in the chat. For example:

  • Start sending a voice message (touch microphone symbol), then interrupt it.
  • Open the three-dot menu (upper right), then close it again.
22
23
 
 

cross-posted from: https://lemmy.ml/post/40356824

Signal only provides a script for .deb based distros on their official website. The flatpak is currently not ideal because it stores encryption keys in plaintext.

The provided link suggests an automated installation in a Ubuntu Distrobox including automated updates. Useful for every distro that does not natively support .deb packages.

24
 
 

Another #HowTo, this time how to use #Signal on #Android without giving it broad media permissions.

Signal does not use the 2 possible secure methods of accessing photos that Android offers, and clones #Whatsapp in that regard.

By insisting on needing access to read all your images, while being a complex app connected to the internet, and the only official versions containing proprietary #Google #blobs.

Links:
- https://community.signalusers.org/t/46828
- https://community.signalusers.org/t/55725

Other messengers like #SimpleX, #Element, #ElementX, #Fluffychat, #Conversations, #Threema and more save themselves the effort and just use the builtin options, improving security by design and unnecessary code bloat.

So, how can I use Signal without trusting it with all my images?

  1. Use the "Share" Portal.

That is the obvious one, and a very nice feature on Android. It allows to share any media to an application and giving it access to only that.

This also works across the #WorkProfile or #PrivateSpace and can be used by Apps like #SaveTo to transfer files.

The workflow is often slower than just using the media chooser portal, but it works. It is what I use since years.

  2. Android hacks

But this is not all. Setting a profile picture or group profile picture does not work through the share portal. So we use a feature specific to Android's sandbox:

- All apps can save files to various default directories like Pictures, Movies, Music, Downloads, Documents; without having read access to it.
- And all apps can access files they themselves saved there.

Combining these two features, you can send a picture to Signal and use the "Save locally" button to save it from within the app.

The result is that this picture will be visible in Signal's internal gallery and can be selected for profile and group pictures.

Obvious downsides are
- it is a stupid workflow
- it duplicates images that you need to delete manually afterwards
- pictures might be compressed twice, losing quality

But for this very limited purpose, it is kinda fine.

Still, @signalapp please solve this very old issue!

@signal@lemmy.ml @signal@lemmy.blahaj.zone

25
 
 

Seriously, @signal @signalapp, two questions:

What the fsck?
What the fucking fsck?
