[off-topic] Signal and app attestation concerns

[stevie553]

Sorry if this sort of discussion is not welcome here, if so, please feel free to remove this :)

Just noticed the following commit for Signal-Server signalapp/Signal-Server@2c16335

I'm still not entirely sure what they're trying to achieve with it in relation to the upcoming cloud backup feature, but I did look up the API they're using for Apple devices called "DeviceCheck" which, if I'm not mistaken, has similar capabilities to Google's Play Integrity (or SafetyNet) which does app attestation and all that stuff.

While I don't fully understand their server side commit, I'm still concerned about the possibility of doing app attenuation on both Apple/Android in the future. Wouldn't that just deliver a huge blow to the whole community? Many people use non-standard Android OS with no Play Services installed at all, many people use this very project which would also be killed if they head into that direction.

I understand that things may be different in Apple's land of the "walled garden" and that might be the reason for that commit (or we'll just a Play Integrity commit soon).

Over the past few years, I've been having many question marks/concerns for Signal's direction, and this just adds to them.

What do you think?

[BarbossHack]

This doesn't seem worrying at all, they are doing this only for the beta available on TestFlight (which is the "beta app store" on iOS). Indeed, Signal will introduce a paid subscription in 2025 to allow cloud encrypted backups ($2,9 per month), but apps on TestFlight can't make in-app purchase, so they have to add a check, to avoid abuse of there backup system as it will be "free" in TestFlight during the beta rollout

According to comments in the commit :

Device attestations allow clients that can prove that they are running a signed signal build on valid Apple hardware.

Currently, this is only used to allow beta builds to access backup functionality, since in-app purchases are not available iOS TestFlight builds.

[stevie553]

I really hope that cloud backups beta testing will be the end of it. I wouldn't want Signal to go through the app attestation route. Although the bigger they get, the more well funded they become, enshittification is bound to happen one day.