this post was submitted on 23 Feb 2025

23 points (100.0% liked)

Privacy

34127 readers

661 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago

MODERATORS

Anyone had their signal app want to auto update from itself rather than an app store? (lemmy.ml)

submitted 9 hours ago* (last edited 9 hours ago) by OhVenus_Baby@lemmy.ml to c/privacy@lemmy.ml

25 comments fedilink hide all child comments

My signal app a week ago had 2 seperate, a few days apart, app updates from the app itself. Asking to check install from unknown sources to be checked inside the settings. Giving prompts from the notification drop down. Such as app update available. Click it, asked for setting to be checked, I checked it, it said it updated, all seems well and fine.

But doing this outside of both stores which usually update the app from say F droid or Aurora. I've never seen this happen ever. It wasn't a user confirmation. It was a total app update.

Seems odd that the signal app itself asked to update itself from a notification from the drop down menu. How can I make sure it has not been compromised? Anyone else experienced something of the sort?

Android phone. Pixel. Gos.

top 25 comments

sorted by: hot top controversial new old

[–] 3aqn5k6ryk@lemmy.world 4 points 2 hours ago

Signal is not distributed outside Play store and signal own website. If you downloaded from F-droid, its probably from Guardian repo.

If you download it from play store, signal will update through play store. If you download it from signal, it will update through itself. If you download it Guardian repo, it's basically the same downloading from signal website, it will update it self.

The thing you can do is just basically turn off the update notification and just update it from guardian repo. Or just disable the guardian repo and let the signal update itself.

[–] ZeDoTelhado@lemmy.world 2 points 5 hours ago

My signal app tries to update itself. Installed from obtanium. It is a very irritating process, the thing tries to update, there is sometimes weird response times from clicking it (you click the notification and simply do not know if something is happening) and then without notice the thing restarts and then usually it works. But sometimes, the update notification still comes back. Because of that, I just update via obtanium

[–] JoeKrogan@lemmy.world 6 points 8 hours ago* (last edited 8 hours ago)

If you trust the initial install then unless there is a warning about the signing key you are good. Only signal devs can sign the builds so if you installed the play store version then updated with their standalone apk or fdroid version then it should just work as the signing key is the same.

Guardian project are just publishing signals apk files as the signature matches.

[–] nutbutter@discuss.tchncs.de 1 points 7 hours ago (1 children)

You should consider using Molly, a fork of Signal with Unified Push.

[–] hddsx@lemmy.ca 5 points 7 hours ago (1 children)

Why

[–] nutbutter@discuss.tchncs.de -3 points 7 hours ago

Because, you won't have to guess where to download the app. And you can get a completely FOSS version. And if not using google services, unified Push can help you with notifications.

[–] novacomets@lemmy.myserv.one 2 points 9 hours ago (1 children)

Not native Signal but it happens with Signal forks that I install after adding repository to F-Droid, I have had a notification of a Signal update, even though I'm not using native Signal.

I disable that notification in the phone app settings and wait for an F-Droid notification of an update to install.

[–] OhVenus_Baby@lemmy.ml 2 points 9 hours ago (1 children)

So you don't think it's something to be concerned about? I turned off install from unknown sources. App store F-Droid says it's up to date.

[–] novacomets@lemmy.myserv.one 3 points 9 hours ago

I'm completely open to hearing why the Signal update notification is a concern. I don't worry about it but you may know something that I am not seeing.

[–] zdhzm2pgp@lemmy.ml 2 points 9 hours ago (1 children)

Not clear on where you installed it from...?

[–] OhVenus_Baby@lemmy.ml 4 points 9 hours ago (1 children)

F droid store originally.

[–] zdhzm2pgp@lemmy.ml 3 points 9 hours ago* (last edited 9 hours ago)

Signal isn't on F-Droid out of the box, I don't think, but it is in the Guardian repo and probably in a few others as well. I downloaded the Signal apk directly from their website, and that version does auto update and has for quite some time.

EDIT: if you're worried about it, I suppose you could uninstall it and then download it from them directly (be sure to verify the certificate), after which it will prompt you to update it periodically from the app itself.

Even better, you could think about switching to Matrix.

[–] floofloof@lemmy.ca 2 points 9 hours ago* (last edited 9 hours ago) (1 children)

I have the one installed from the Play Store, and it hasn't done that. It sounds potentially suspect.

[–] OhVenus_Baby@lemmy.ml 2 points 9 hours ago* (last edited 9 hours ago) (1 children)

Does seem odd doesn't it. How could I verify the app is authentic and no malware or anything has accessed my phone?

[–] floofloof@lemmy.ca 3 points 8 hours ago

There are virus scanners for Android - I have Bitdefender on mine - but I don't know how effective they are. Back in the day they were a bit of a gimmick; I don't know whether they're better now.

I have seen other apps from F-Droid do this. NewPipe, I think, used to prompt me for updates even though I had installed it from F-Droid. But I was always a bit unsure so I tended to just go back to F-Droid to install newer versions. Maybe it's a thing some apps do but I don't know why they should need to and I don't entirely trust it.

[–] kn33@lemmy.world 2 points 9 hours ago (1 children)

I have not had this happen. I just have the Play Store one.

[–] OhVenus_Baby@lemmy.ml 4 points 9 hours ago

It seems odd. Given recent news about various signal things. I'd rather ask than not.

[–] furrowsofar@beehaw.org 1 points 9 hours ago (1 children)

My Signal auto updates via Obtainium. That is outside of a store. I think I remember the two updates your talking about.

[–] OhVenus_Baby@lemmy.ml 1 points 8 hours ago (2 children)

It was 10 days ago for the last update, then the first one was a few days prior to that. Those two were the only two ever to have that happen.

[–] thanksforallthefish@literature.cafe 1 points 6 hours ago

I had the same at the same time. I ignored the app request and updated from app store

[–] furrowsofar@beehaw.org 1 points 7 hours ago

Yes. I remember seeing the notifications. I then went to Obtainium and updated. What I do not know is if these were signal or obtainium notifications. It did seem odd at the time.

[–] madame_gaymes@programming.dev -4 points 8 hours ago (3 children)

I have one device where I installed the APK straight from Signal themselves. That is the only device where it has updated itself.

My other devices all use the Play version through Aurora Store, and always updates through that.

Maybe there's a config/setting somewhere?

But also, maybe don't use F-Droid for apps regarding privacy.

https://privsec.dev/posts/android/f-droid-security-issues/

[–] Limonene@lemmy.world 12 points 8 hours ago

This article seems like a lot of FUD written from an anti-FOSS perspective. In their second point, they say that F-droid's inclusion policy is "ridiculous" for requiring programs exclude proprietary software. I think the author is ridiculous for asking for this. This is what F-droid is for. I don't want any proprietary apps or libraries on my phone. If developers only want to work on their proprietary software, they don't get into F-droid. If they make a modified FOSS version and put it in F-droid, and let it bitrot and go unpatched when vulnerabilities are discovered, and F-droid issues a security advisory for that program, that's not F-droid's fault.

[–] autonomoususer@lemmy.world 5 points 7 hours ago* (last edited 7 hours ago)

open-source

development model

whatever software

🚩🚩🚩

A blatant scam to backdoor our devices with software which fails to include a libre software license text file, software we do not control, anti-libre software.

[–] OhVenus_Baby@lemmy.ml 2 points 8 hours ago

I think about F droid and this aspect from time to time.