I posted this comment elsewhere but it was buried deep within a thread:
I'm not sure what to think about Signal. It's got some great supporters like the EFF, but on Android, it requires about a dozen permissions, most unnecessary. It also requires your phone number to register, and uses a Twilio API at registration. WTF? What are peoples' thoughts on Silent Phone? It's written by the creator of PGP, only requests permissions when it needs them (at least on Android 6 and up), and stores encryption keys locally.
This conversation has been hashed and rehashed multiple times, here and elsewhere. If you're curious about people's thoughts on Signal, just read literally any thread about them.
As far as Silent Phone goes, their app isn't open source, so it can't be trusted. That's really as far as the discussion goes.
That depends on what you mean by 'open source'. It's not released under a permissive license (and the version on GitHub is a little behind), but the source is available.
The only thing I _really_ dislike about Signal is their CLA. If it included "... under a FSF-approved license" or something similar that would enforce a contaminative license instead of an OSI-approved license.
That's the only thing that prevented me from contributing so far, I wonder if I am the only one.
Understand how you feel about the issue, but as been pointed out to me on other posts that were about Signal, your basically hijacking the thread to cover a topic that is largely unrelated to the post that's the subject of this thread.
---
Per a HN mod:
>> sctb comment: "Please stop harping about this, especially in unrelated threads. It distracts from the thoughtful kind of discourse that this site is for.
More importantly, why on Earth is it asking all these permissions upfront ?
Android 6 has been out for quite some time, there is absolutely no excuse for this kind of app not to implement incremental permissions (and not to target the last platform version is also wrong for many other reasons).
Best other options are Matrix (mentioned below) and one of the encryption solutions on top of XMPP (OTR, mentioned below, or OMEMO, which is probably a better choice in most cases). Both of those are federated, as well, which Signal doesn't offer.
There are other countries in the MENA region that block signal as well due to te VoIP functionality; My native country of Oman comes to mind. Will the anti-censorship tech also work for users in this country? Country code is +968
Do they need google/fastlys cooperation for this, or is it possible to do by running a server in the google cloud, or via some redirect that fastly hosts?
No, anyone can set up a server on appspot and do this with Google.
The only cooperation needed from the host is apathy. They could take direct action to stop it working (Cloudflare did this a few years back by requiring that SNI matches the host header) or suspend the server running the reflector (Google did this to the meek reflector running on Appspot that Tor Browser used).
