Has anyone had their signal app want to auto update outside of an app store?
-
I have one device where I installed the APK straight from Signal themselves. That is the only device where it has updated itself.
My other devices all use the Play version through Aurora Store, and always update through that.
Maybe there's a config/setting somewhere?
But also, maybe don't use F-Droid for apps regarding privacy.
This article seems like a lot of FUD written from an anti-FOSS perspective. In their second point, they say that F-Droid's inclusion policy is "ridiculous" for requiring programs exclude proprietary software. I think the author is ridiculous for asking for this. This is what F-Droid is for. I don't want any proprietary apps or libraries on my phone. If developers only want to work on their proprietary software, they don't get into F-Droid. If they make a modified FOSS version and put it in F-Droid, and let it bitrot and go unpatched when vulnerabilities are discovered, and F-Droid issues a security advisory for that program, that's not F-Droid's fault.
-
My Signal app the other day had 2 separate, a few days apart, updates from the app itself. Asking for install from unknown sources to check in the settings. Outside of both stores which usually update the app from F-Droid and Aurora stores.
Seems odd that the Signal app itself asked to update itself from a notification from the drop down menu. How can I make sure it has not been compromised? Anyone else experienced something of the sort?
If you trust the initial install then unless there is a warning about the signing key you are good. Only Signal devs can sign the builds, so if you installed the Play Store version and then updated with their APK or F-Droid then it should just work as the signing key is the same.
-
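The signing-key point in the reply above can be checked by hand before taking an update from a different source. This is an added example, not part of the thread or of Signal's tooling: it compares the SHA-256 signer digests from saved `apksigner verify --print-certs` reports, and the function names, file names and digests in it are constructed.

```shell
#!/bin/sh
# Added example: do two APKs carry the same signing certificate?
# Real usage (assumes apksigner from the Android SDK build-tools):
#   apksigner verify --print-certs installed.apk > old.txt
#   apksigner verify --print-certs update.apk    > new.txt
#   same_signer old.txt new.txt && echo "same signing key"

# Print the sorted, lower-cased SHA-256 signer digests in a saved report.
signer_digests() {
    sed -n 's/^Signer #[0-9][0-9]* certificate SHA-256 digest: *\([0-9A-Fa-f]\{64\}\) *$/\1/p' "$1" |
        tr 'A-F' 'a-f' | sort -u
}

# Succeed only if both reports list a signer and the digest sets are equal.
same_signer() {
    old=$(signer_digests "$1")
    new=$(signer_digests "$2")
    [ -n "$old" ] && [ "$old" = "$new" ]
}

# Constructed reports; the digests are made up and are not Signal's key.
write_samples() {
    a=$(printf '%064d' 0 | tr 0 a)
    A=$(printf '%064d' 0 | tr 0 A)
    b=$(printf '%064d' 0 | tr 0 b)
    s=$(printf '%040d' 0 | tr 0 c)
    for pair in "old:$a" "same:$A" "other:$b"; do
        printf 'Signer #1 certificate DN: CN=Constructed\nSigner #1 certificate SHA-256 digest: %s\nSigner #1 certificate SHA-1 digest: %s\n' \
            "${pair#*:}" "$s" > "$1/${pair%%:*}.txt"
    done
    printf 'DOES NOT VERIFY\n' > "$1/broken.txt"
}

tmp=$(mktemp -d)
write_samples "$tmp"
same_signer "$tmp/old.txt" "$tmp/same.txt" && echo "same.txt: signer unchanged"
same_signer "$tmp/old.txt" "$tmp/other.txt" || echo "other.txt: different signer"
rm -rf "$tmp"
```

Android refuses to install an update whose signing certificate does not match the installed app's, which is why the reply ties trust to the initial install. The manual comparison matters most before that first install or when switching download sources.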
My Signal app the other day had 2 separate, a few days apart, updates from the app itself. Asking for install from unknown sources to check in the settings. Outside of both stores which usually update the app from F-Droid and Aurora stores.
Seems odd that the Signal app itself asked to update itself from a notification from the drop down menu. How can I make sure it has not been compromised? Anyone else experienced something of the sort?
You should consider using Molly, a fork of Signal with Unified Push.
-
It was 10 days ago for the last update, then the first one was a few days prior to that. Those two were the only two ever to have that happen.
Yes. I remember seeing the notifications. I then went to Obtainium and updated. What I do not know is if these were Signal or Obtainium notifications. It did seem odd at the time.
-
I have one device where I installed the APK straight from Signal themselves. That is the only device where it has updated itself.
My other devices all use the Play version through Aurora Store, and always update through that.
Maybe there's a config/setting somewhere?
But also, maybe don't use F-Droid for apps regarding privacy.
open-source
whatever software
development model
A blatant scam to backdoor our devices with software which fails to include a libre software license text file, to steal our control and privacy with anti-libre software.
-
It was 10 days ago for the last update, then the first one was a few days prior to that. Those two were the only two ever to have that happen.
I had the same at the same time. I ignored the app request and updated from the app store.
-
My Signal app the other day had 2 separate, a few days apart, updates from the app itself. Asking for install from unknown sources to check in the settings. Outside of both stores which usually update the app from F-Droid and Aurora stores.
Seems odd that the Signal app itself asked to update itself from a notification from the drop down menu. How can I make sure it has not been compromised? Anyone else experienced something of the sort?
My Signal app tries to update itself. Installed from Obtainium. It is a very irritating process, the thing tries to update, there are sometimes weird response times from clicking it (you click the notification and simply do not know if something is happening) and then without notice the thing restarts and then usually it works. But sometimes, the update notification still comes back. Because of that, I just update via Obtainium.
-
My Signal app the other day had 2 separate, a few days apart, updates from the app itself. Asking for install from unknown sources to check in the settings. Outside of both stores which usually update the app from F-Droid and Aurora stores.
Seems odd that the Signal app itself asked to update itself from a notification from the drop down menu. How can I make sure it has not been compromised? Anyone else experienced something of the sort?
Signal is not distributed outside the Play Store and Signal's own website. If you downloaded from F-Droid, it's probably from the Guardian repo.
If you download it from the Play Store, Signal will update through the Play Store. If you download it from Signal, it will update through itself. If you download it from the Guardian repo, it's basically the same as downloading from the Signal website; it will update itself.
The thing you can do is just basically turn off the update notification and just update it from the Guardian repo. Or just disable the Guardian repo and let Signal update itself.
-
My Signal app tries to update itself. Installed from Obtainium. It is a very irritating process, the thing tries to update, there are sometimes weird response times from clicking it (you click the notification and simply do not know if something is happening) and then without notice the thing restarts and then usually it works. But sometimes, the update notification still comes back. Because of that, I just update via Obtainium.
I had this happen. I clicked the notification many times and nothing happened. Then eventually it did. It was odd. I just wanted to make sure everything was still intact.
-
Signal is not distributed outside the Play Store and Signal's own website. If you downloaded from F-Droid, it's probably from the Guardian repo.
If you download it from the Play Store, Signal will update through the Play Store. If you download it from Signal, it will update through itself. If you download it from the Guardian repo, it's basically the same as downloading from the Signal website; it will update itself.
The thing you can do is just basically turn off the update notification and just update it from the Guardian repo. Or just disable the Guardian repo and let Signal update itself.
This sounds like the answer. The app updates from the Guardian repo. I will change the update path. Say the app had, well, something malicious injected: would a new update flush the old app, and in with the brand new?
-
I had the same at the same time. I ignored the app request and updated from the app store.
Phew. OK. Thanks. I'd rather post and ask than be ignorant. Still unsettling.
-
You should consider using Molly, a fork of Signal with Unified Push.
I've heard of Molly and read the repo. But I'm unsure how it would be more official and secure than the actual official app.
-
Phew. OK. Thanks. I'd rather post and ask than be ignorant. Still unsettling.
I had the same "that's weird" reaction too. So not just you; it would be good to know if it was kosher or malware. I might have a dig now.
-
My Signal app the other day had 2 separate, a few days apart, updates from the app itself. Asking for install from unknown sources to check in the settings. Outside of both stores which usually update the app from F-Droid and Aurora stores.
Seems odd that the Signal app itself asked to update itself from a notification from the drop down menu. How can I make sure it has not been compromised? Anyone else experienced something of the sort?
Signal is trying to make its APK auto updating. This way they don’t have to wait for approval from Google to apply patches that might affect security.
-
You should consider using Molly, a fork of Signal with Unified Push.
Love it in theory but when I tried it out a few weeks ago calls weren't working with it. I could still receive calls on desktop but it would never ring on my mobile. So tread carefully.
-
Signal is trying to make its APK auto updating. This way they don’t have to wait for approval from Google to apply patches that might affect security.
Cool. Didn't know this.
-
I had the same "that's weird" reaction too. So not just you; it would be good to know if it was kosher or malware. I might have a dig now.
Let me know if you find anything. Follow up. I'll check too.
-
This sounds like the answer. The app updates from the Guardian repo. I will change the update path. Say the app had, well, something malicious injected: would a new update flush the old app, and in with the brand new?
I'm not really sure about the update part, but Moxie himself is hesitant to release it outside of the Play Store and the Signal website. Even the GOS dev isn't really a fan of F-Droid from what I read on the GOS forum.
It really depends on your threat model. What I'm trying to say is, if you really want to make sure, download from the Signal website and let the app update itself next time. No middleman.
-
Let me know if you find anything. Follow up. I'll check too.
Ok. So I found in the announcements at https://community.signalusers.org/ that Signal added Obtainium to the download options (due to Google delays on releasing through the Play Store). I also got another update notification from the Signal app this morning, which went away once I upgraded to the latest version. Could be related?
-
Ok. So I found in the announcements at https://community.signalusers.org/ that Signal added Obtainium to the download options (due to Google delays on releasing through the Play Store). I also got another update notification from the Signal app this morning, which went away once I upgraded to the latest version. Could be related?
I wonder too. It has to be them pushing the update through the app itself. I got another update notif last night. I checked both stores and no updates there. This must be it! Just seemed super odd at first.
-