Alright I'm gonna put a bigger effort to switch to Signal this time around and get a few friends roped in. I installed the APK just recently. I have some questions and am hoping some of y'all fedibrains would have an answer.
1. Is there any privacy difference between Signal from the Google Play store vs installing the APK from Github?
2. Given how locked down iPhones are, could that make Signal inherently less private?
3. Are calls also e2e encrypted?
4. Is it safe to put my Signal username on my bio? Or should that only ever be shared in private?
5. Can anyone with my Signal username also see what name I set as my first name?
Some of these questions might be dumb because I'm still learning the ropes. Thanks in advance!
@lenkotarski Some answers:
1. It shouldn't be a different app in terms of code, but I'd recommend installing straight from GitHub if you don't trust the Play Store's integrity (i.e. you assume Google may be compromised by the government at some point and inject malicious code into the app)
2. The only lack of privacy using an iPhone is likely to grant with Signal is if Apple were to allow themselves or a government a backdoor to view your data, same as Google doing so for Android.
3. Yes.
@lenkotarski 4. Your username doesn't function the same way normal ones do. (e.g. you change your username from ABC to XYZ, all people you've chatted with see your name change to XYZ) In Signal, they are simply to establish contact. Changing your username won't make the new name visible to old contacts. Think of it more like a code to connect with you than a permanent name. Of course, you can always change/cycle it when needed.
@lenkotarski You can ensure the privacy of your real number by making sure the settings to let anybody see your number are all set to Nobody.
https://support.signal.org/hc/en-us/articles/6712070553754-Phone-Number-Privacy-and-Usernames#see_me
5. Yes, if you contact somebody on Signal, they can see the profile information you've set. I'd recommend using an alias/emojis/random characters to keep your identity private. People you communicate with can always set a nickname for their chats with you if they already know your identity or handle from a social media site.
@boltx you're awesome! thanks a lot!! will dig into the links you provided. i will stick with the APK.
@lenkotarski If you've already set up your username to be connected to your phone number, I wouldn't publicize your username, and that's all people can see.
So far the Signal folk have committed to publishing the same code in all the places, save the platform it has to run on. It works the same, and is equally private E2EE.
What's hard is that they need to make their documentation easy enough for wide consumption. there are deeper dives than this https://support.signal.org/hc/en-us/categories/360000674811-Security
@janisf the other kind user shared that you can turn off a setting that lets people see your phone number. when you say you wouldnt publicize the username, is this out of preference or is there implications that it can be easily bypassed? Personally, I'll stick with the APK but I guess that reassures that the experience wont differ for my friends who probably don't even know what an APK is
@lenkotarski Honestly, right now I'm not remembering how tying your Signal username to your phone number can tie your Signal account to what's possibly searchable outside Signal. I watched a Youtube video? it just made sense to me that a ph# could be a pivot table of sorts, and that's all I bothered remembering.
I've never sideloaded an apk and then tried to check to see if the GPlay link in settings works. I only sideload, now, when the dev doesn't publish for my OS update.
@lenkotarski That seems like something that might be on XDA (xdaforums.com). I haven't been keeping up on the mechanics of apk vs. Play installs. (The long of it: once all the hardware didn't need hacking and Google stopped allowing root access, and moved primarily to Kotlin after I spent $10K learning Java, I stopped digging around and decided I better just teach my kid to code. )
@janisf That's fair. There's a lot of info to keep track of so I guess I'll only share my username in private.
@topher@infosec.space@lenkotarski This is truly a spectacular set of questions and I'm looking forward to following this thread for answers to several that I'm not 100% certain myself.
The APK is most notably for de-Googled phones that don't even have a play store whatsoever (as many of us here use), but there was a whole to-do a while back over push notifications going through Apple and Google being vulnerable to metadata spying by those respective platforms. I'm very keen as to whether installing the APK directly (on a non-de-googled phone) functions differently in that regard.
@topher Thanks!
That actually gives me quite a bit to think about. Maybe I should set the notifications to where the message preview doesn't come up. I think I saw something like that when poking through the settings earlier.
I have a Samsung Galaxy S22U so I'm not so sure if it can be de-googled in any meaningful way.
@topher@infosec.space@lenkotarski
I do that on mine in the interest of avoiding both malware and tracking (e.g. tracking URLs being automatically previewed and thus elements on that page being loaded and those beacons being sent)
In fact in iMessage it's even been a vector for malware and spyware installation. It was how Pegasus was ending up installed on iPhones during one of the waves within the past couple years.
@topher That sounds serious. Better not to take any chances then!
@topher@infosec.space@lenkotarski Good motto. Happens to be mine :)
@lenkotarski
My thoughts based on my few years of using signal.
1. Is there any privacy difference between Signal from the Google Play store vs installing the APK from Github?The apk should work on de-googled phones, by using websockets instead of fcm.
2. Given how locked down iPhones are, could that make Signal inherently less private?I don't think that is the case. Possibly it helps with better security, as the chances of compromising iPhone is probably low. However if the os is compromised, by things like Pegasus, then it can impact signals privacy too.
3. Are calls also e2e encrypted?Yes
4. Is it safe to put my Signal username on my bio? Or should that only ever be shared in private?Depend on how comfortable you are putting the username in public. It should be relatively safe, since even someone is trying to spam you using the username, you have the ability to ignore or block those folks.
Also you can change your username anytime.
5. Can anyone with my Signal username also see what name I set as my first name?No..unless you have messaged them or accepted a message from them or you both are members of a common group.
Hth..
@gopal This helps! I am glad to hear that usernames can be changed. Neat! Thanks 
@ValerieSonh@masto.ai@lenkotarski To answer your first question, I side-load as much as possible from Github and F-Droid because I don't trust Google with anything beyond its built-in apps. The downside is you'd have to check the Github page for updates periodically, because side-loaded apps don't update automatically.
@ValerieSonh Oof. No auto updates. Good point. But I guess its a small price to pay to distance from google.
@noodlejetski@masto.ai@lenkotarski @ValerieSonh I use Obtainium to keep track of apps published on Github, you just add an URL of the Github page and it'll periodically check for updates and notify you
@ValerieSonh@masto.ai@noodlejetski @lenkotarski Thanks for the info! I hadn't heard of this before.
@lenkotarski @ValerieSonh You can use Obtainium to automatically fetch releases from GitHub or others websites.
@yoxu @ValerieSonh Luckily I found this out maybe like an hour or two after! Sweet deal!
@lenkotarski
3: Everything is end2end encrypted.
But for calls one thing to keep in mind is that calls may establish a direct connection, so the person you're calling might see your IP.
However, there is an "indirect call" setting that enforces that all calls go over Signals servers so only Signal knows your IP (this can make call quality worse, as it will have higher latency and maybe less bandwidth)
(I'm not sure about the other questions)
@Doomed_Daniel This is good to know! I guess I can just limit calls to trusted contacts only. Thanks!
@lenkotarski
or you enable the indirection if needed - I have never tried it, but maybe it's good enough.
I don't know if the IP already potentially leaks (without indirection) if someone tries to call you, or only if you accept the call
@lenkotarski As a tangential consideration for #2 - The OS of the device should be considered in your threat model, as should any components with more privileged or direct access such as accessibility-related permissions, or more bluntly, your soft-keyboard. On android, this is an especially important consideration due to the prevalence of gboard and swiftkey.
Also in regards to the prior statement about updates - https://community.signalusers.org/t/signal-android-app-on-f-droid-store-f-droid-status/28581 claims that the sideloadable APK can self-update.
@katana I have the FUTO keyboard installed but I have a Samsung Galaxy S22U so my privacy options are bottlenecked by that I'm guessing.
I recently installed obtainium and manually added Signal's Github so I hope that suffices lol.
@lenkotarski Probably the best you can do considering the circumstances then. Act with appropriate caution the best you can.
@noodlejetski@masto.ai@lenkotarski
3. yes. and so are video calls, and the stories, and everything else.
4-5. the username is like a fancy phone number. once someone connects with you, they'll be to see your account's information (but not your actual phone number, if you don't change the default privacy settings)
@lenkotarski as far as I know the versions on the play store and github are the same however they both contain some Google dependencies. I don't think these dependencies compromise the privacy of the app itself too much however there is a fork called molly which uses the same network as signal but fixes some of its issues. It also gets updates via f-droid so its easier to keep maintained if you don't have google play.
@bugmenot You and one other user suggested Molly so I decided to install and look around. It seems like it would be pretty good, my only concern being having to rely on Molly's team to have active development. And I'd like to have the same experience as my normie friends I'm trying to onboard. Ultimately I will go with Signal but may change my mind at a later time 
@lenkotarski iPhones COULD be compromised by Apple themselves because it is proprietary. I don't care what Apple kids will tell me, it's simply the truth. If you tell me otherwise, you don't know what auditing code means.
It's funny how people will build "the best" encryption or E2EE just to run it on closed source OS like Win or iOS
Another disadvantage of Signal is that it's centralised. SimpleX aims to fix that but in my opinion, the protocol isn't as secure as Signal. Keep an eye on it.
@f I had a hunch, it made sense for it to be that way since its not like iOS source code is open 
to be fair though sometimes to connect with people you just gotta be willing to meet with them in the middle... in more ways than one. Sad to say I feel like its up to people like us to bridge that gap little by little.
SimpleX looks neat. Love the idea of having no ID's 
If you could elaborate on the protocol issue in a dumbed down way I'd appreciate it.
@lenkotarski I think the fact that iOS is present in people's life is a big problem because it actually creates real human, social issues in places where we don't want to argue about tech. It has become normalized but it is not the way to go forward.
SimpleX is really really cool:
- Decentralised relay servers (unlike the fediverse, which STORES data)
- Forward secrecy
- Very resilient against censorship
- No dependence on DNS
@lenkotarski On point 3, the locked-down nature of iOS tends to make it harder, not easier, to violate your privacy. But even if you don’t trust Apple to ensure that is true, then as long as Signal is end-to-end encrypted then no other party, including Apple, can feasibly decrypt anything in transit.
@kalong I sure hope so. Mixed feelings, for one its not like I intend to do anything harmful with Signal, I just feel more comfortable with minimizing how much data I share. But at the same time there's no knowing what's going on in Appleland.
@kalong @lenkotarski "No other party, including Apple"
What if the keyboard is compromised? What if the OS sends regular reports of what is happening? This is completely false. E2EE is no use if your OS is backdoored (by an attacker or Apple themselves)