Hello,

I recently read an article on backdoors in Signal from Free Software Foundation Europe (actually got it from https://lemmy.ml/post/47901).

Apparently, Signal relies on Google binary code for the location sharing feature. They say it’s possible to update that binary code during runtime, so that the next time Signal starts, it would run this code.

The code is then executed in the Signal process, which includes access to the Signal history database and the crypto keys

Now, we could always say that something like this wouldn’t be used against common people and would most likely be targeted at people like journalists, whistleblowers & other parties of concern. But, if Signal is recommended as a tool for everyone, shouldn’t this be considered?

I haven’t read the Signal-Android source myself and would like to know whether this is an actual concern and whether it is still relevant now.

The following is quoted content on the Google Maps integration for the location sharing feature.

---
Maps Integration

After selecting to share a location, Signal shows a small map with a pin on the selected location. After the map is loaded, a screenshot of it is sent as an image to the other side, together with some string describing the location.

The relevant thing here is the displaying of the map. This is done by embedding the MapView when displaying a conversation, and showing it when there is something to show. This means the MapView is already initialized when opening a conversation in Signal. Critical about this is that the MapView view as used by Signal is just a wrapper that loads the actual MapView, by including code from the Google Play Services binary (which means code outside of the apk file you meant to use). This code is included by calling the createPackageContext method together with the flags CONTEXT_INCLUDE_CODE and CONTEXT_IGNORE_SECURITY. The latter is a requirement as the android system would deny loading code from untrustworthy sources otherwise (for a good reason). The code is then executed in the Signal process, which includes access to the Signal history database and the crypto keys.

The Google Play Services binary can easily be updated in the background through Google Play Store, even targeted to single users, and the updated code would become active inside Signal the moment you use it next time. Can it get worse? Yes. An apk update would be detectable to the user, but Google Play Services uses a dynamic module loading system (called Chimera and/or Dynamite) that seems to be capable of replacing the Maps implementation from a file not installed to the system, as long as it’s signed by Google. If it is possible for Google to push an update only for this module and remove it later, it might be possible for them to inject code into the Signal client that uploads your complete local chat history unencrypted and afterwards removes all signs of its existence.

What does “seems to be able” mean? Well it’s hard to determine exactly. The relevant binary is highly obfuscated and thus hard to understand. Maybe someone wants to waste his time on this, but remember it can be changed in the next release again…
---
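To make the mechanism in the quoted passage concrete, here is an added example (Java for Android) that is not code from Signal, Google, or the FSFE article. The first method shows the createPackageContext call with CONTEXT_INCLUDE_CODE and CONTEXT_IGNORE_SECURITY that the quote describes; the second adds one check a practitioner would want before loading foreign code: pinning the signer certificate of the package being loaded. The package name com.google.android.gms is real; the entry class name and the expected certificate digest are placeholders, since the page names neither.

```java
// Added example (Java, Android). Not code from Signal, Google, or the FSFE
// article; it illustrates the createPackageContext pattern the quote describes.
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class ForeignCodeLoader {

    /** Real package name of Google Play Services. */
    static final String GMS_PACKAGE = "com.google.android.gms";

    /** Hypothetical entry class; the real MapView loader class is not named on the page. */
    static final String ENTRY_CLASS = "com.example.hypothetical.MapEntry";

    /**
     * The pattern the article describes: build a Context for another installed
     * package with CONTEXT_INCLUDE_CODE so its dex code becomes loadable, and
     * CONTEXT_IGNORE_SECURITY so the framework does not refuse because the two
     * packages are signed by different keys. Whatever class comes back runs in
     * the caller's process, with the caller's UID and the caller's file access.
     */
    static Class<?> loadAsDescribed(Context app)
            throws PackageManager.NameNotFoundException, ClassNotFoundException {
        Context gms = app.createPackageContext(
                GMS_PACKAGE,
                Context.CONTEXT_INCLUDE_CODE | Context.CONTEXT_IGNORE_SECURITY);
        return gms.getClassLoader().loadClass(ENTRY_CLASS);
    }

    /**
     * Added hardening: refuse to load unless the installed package's signing
     * certificate matches a pinned SHA-256 digest. This stops an unrelated app
     * that squats the package name (e.g. on a device without Play Services),
     * but it does NOT address the article's point: a genuine Google-signed
     * update of the same package still passes this check.
     */
    static Class<?> loadWithSignerPin(Context app, byte[] expectedCertSha256)
            throws PackageManager.NameNotFoundException, ClassNotFoundException,
                   NoSuchAlgorithmException {
        PackageManager pm = app.getPackageManager();
        // GET_SIGNATURES is deprecated from API 28; use GET_SIGNING_CERTIFICATES
        // and PackageInfo.signingInfo there. Kept here for brevity.
        @SuppressWarnings("deprecation")
        PackageInfo info = pm.getPackageInfo(GMS_PACKAGE, PackageManager.GET_SIGNATURES);
        @SuppressWarnings("deprecation")
        Signature[] signers = info.signatures;
        if (signers == null || signers.length != 1) {
            throw new SecurityException("unexpected signer count for " + GMS_PACKAGE);
        }
        byte[] actual = MessageDigest.getInstance("SHA-256")
                .digest(signers[0].toByteArray());
        // Constant-time comparison of the certificate digest.
        if (!MessageDigest.isEqual(expectedCertSha256, actual)) {
            throw new SecurityException("signer certificate mismatch for " + GMS_PACKAGE);
        }
        return loadAsDescribed(app);
    }
}
```

The pinned-signer variant only narrows who can supply the code to the holder of the pinned key; it cannot distinguish a benign Play Services update from a malicious one signed with the same key, which is exactly the trust relationship the quoted article is questioning. Anything loaded this way also bypasses the usual per-package sandbox, so the only way to keep the chat database and keys out of reach of that code is not to load it into the same process at all.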