If you're talking about the metadata, yes, probably. It's the same kind of eavesdropping capability you'd have from Signal servers (i.e. not much).
Also: from what we've seen of Macron's team, they've proven that they have good-enough internal technical advisors; so it remains to be seen if they'd use a solution that can be eavesdropped.
Unless you can verify the deployed build against the open source code, whether the code is open source or not is irrelevant: you trust all the intermediaries. Which is ok for a corporate actor but probably not when you are a sovereign actor and know you are dealing with a keen NSA. How could you check that Apple or Google wouldn't patch the app before it gets deployed or after it has been deployed?
On Android (at least), you can verify that the APK is signed with the developer's key, and Signal provides reproducible builds. Then the app is designed to not trust the server.
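The reproducible-build check the comment above relies on is, in essence, "unpack the APK you were served, unpack the APK you built from source, and compare every entry except the signer's own files". The script below is an added example of that comparison, not Signal's or the project's own tooling; the APK contents, entry names and signature blobs are constructed in memory so the script runs offline. Real APKs are ZIP archives, so `zipfile` is enough to walk them.

```python
import hashlib
import io
import zipfile

# Constructed sample inputs: three tiny "APKs" (an APK is a ZIP archive).
# STORE_APK stands in for the build downloaded from the app store, LOCAL_APK
# for the build compiled from source. They differ only in the META-INF
# signing files, which a reproducible-build comparison deliberately ignores.
# TAMPERED_APK keeps the store signing files but has a modified classes.dex.

def make_apk(entries):
    """Build an in-memory ZIP from {name: bytes} and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in sorted(entries.items()):
            zf.writestr(name, data)
    return buf.getvalue()

COMMON = {
    "AndroidManifest.xml": b"<manifest package='org.example.app'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
    "res/layout/main.xml": b"<LinearLayout/>",
}

# Store build: signed with the developer's key (constructed placeholder blobs).
STORE_APK = make_apk({**COMMON,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82constructed-store-pkcs7-blob",
})

# Local build: same content, signed with a different (local) key.
LOCAL_APK = make_apk({**COMMON,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/LOCAL.SF": b"Signature-Version: 1.0\n",
    "META-INF/LOCAL.RSA": b"\x30\x82constructed-local-pkcs7-blob",
})

# Tampered store build: one byte of classes.dex changed, signing files kept.
TAMPERED_APK = make_apk({**COMMON,
    "classes.dex": b"dex\n035\x00" + b"\x00" * 31 + b"\x01",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82constructed-store-pkcs7-blob",
})

def is_signature_file(name):
    """Entries written by the signer; expected to differ between builds."""
    return name.startswith("META-INF/") and name.upper().endswith(
        (".SF", ".RSA", ".DSA", ".EC", "MANIFEST.MF"))

def content_hashes(apk_bytes):
    """Map each non-signature entry to the SHA-256 of its uncompressed bytes."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist()
                if not is_signature_file(info.filename)}

def compare_builds(store_apk, local_apk):
    """Return (identical, differing_entry_names), ignoring signature files."""
    a, b = content_hashes(store_apk), content_hashes(local_apk)
    diffs = sorted(n for n in set(a) | set(b) if a.get(n) != b.get(n))
    return (not diffs, diffs)

if __name__ == "__main__":
    print(compare_builds(STORE_APK, LOCAL_APK))      # (True, [])
    print(compare_builds(TAMPERED_APK, LOCAL_APK))   # (False, ['classes.dex'])
```

Two caveats a practitioner would want: this only compares ZIP entries, so it says nothing about who signed the store build (checking the signing certificate against the developer's known key is a separate step done with a signature-verification tool such as `apksigner`), and it only proves anything if the local build was produced from the published source with the same toolchain, which is what "reproducible builds" has to guarantee for the comparison to mean something.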
I think we are in agreement that Apple or Google could patch the app before it gets deployed. But AFAIK it has never been done yet, and if it ever happens, it would undermine all credibility of the platform. Of course a state actor wouldn't want to be the first to find out.
Thinking about it, Google and Apple actually don't even need to patch the app: they have access to all keystrokes and screen rendering. It just needs to be a few lines of code hidden anywhere.
It's a possibility. It just wouldn't make any business sense; it's a pure self-destruct button. And there are hundreds of reverse engineers on both platforms that could have caught it by now.
> Not sure if I'm 100% right here, but knowing all my contacts and when I communicate with whom is an awful lot.
Signal actually doesn't know all your contacts - you can check the source code to confirm that it doesn't know about any contacts that you don't message using Signal, for example.
Signal also doesn't store most of the metadata that it could, so it really knows incredibly little about its users. It knows (for example) the last date that it was able to talk to a particular device, but they don't store historical data for that, so if you received a message on Signal today, they don't (anymore) know that they sent you a message yesterday, or last month.
Of course, that second part all runs server-side, so you do have to trust Signal when they describe their internal architecture. But to be frank, who do you trust more with that metadata: Moxie Marlinspike, or the government that is essentially the "sixth eye" in the Five Eyes alliance[0]?
>Signal actually doesn't know all your contacts - you can check the source code to confirm that it doesn't know about any contacts that you don't message using Signal, for example.
I get a message in the app when a contact starts using Signal, so it has to know them server-side.
The other part of the comment was referring to what the server could know (in the gov. case, will know), and that IS quite a lot (assuming a Signal-style service).
And I do trust Moxie nominally, but I also believe that he will obey US courts.