Testing Signal without Google account

2017.03.23 by Matthias Kirschner in #tech #fsfe #fya

Open Whisper Systems is now offering its Signal secure messenger outside the Google Play store. This is an important step to make Signal available for Free Software users. Unfortunately, while you do not need the proprietary Google Play Services installed on your phone anymore, Signal still contains at least three proprietary libraries.

But if Signal is the only reason for you to have the proprietary Google Play installed, there is a way for you to get rid of that. Below I documented the steps required for installation without a Google account or Google Play.

Signal Danger Zone

First you need to download the Signal Android apk from their website and install it. As I have F-Droid installed as a system app, by default I disabled the installation of apps from unknown sources for security reasons. So I first had to enable Security -> Unknown sources.

As I did not find an easy way to check the SHA256 fingerprint before installation on the phone (if you know one, please let me know; otherwise there are some tools on the desktop), for testing I first installed the Signal Android apk. Afterwards, in case you have F-Droid as a system app like myself, you should again disable installation of apps from unknown sources.

Before you proceed you should check the SHA256 fingerprint. The easiest way to do that is to install Checkey from F-Droid (thanks to Torsten Grote for pointing that out). Now open Checkey, and search for "Signal". Compare the SHA256 checksum with the one mentioned on the Signal download page. If the fingerprints are the same, you can proceed to set up Signal on your phone. If they are not, do not do so, as you might have a manipulated version of Signal.
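The same comparison can be done on a desktop before the apk reaches the phone. The script below is an added example, not part of the original post: it assumes `apksigner` from the Android SDK build tools is installed, and the function names and the sample digest are constructed for illustration.

```shell
#!/bin/sh
# Added example: check an APK's signing certificate on the desktop.
# Constructed sample of `apksigner verify --print-certs` output; the DN and
# digests are made up and are NOT Signal's real values.
SAMPLE_OUT='Signer #1 certificate DN: CN=Example Signer
Signer #1 certificate SHA-256 digest: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567'

# Reduce a fingerprint to bare lowercase hex ("AB:CD ..." -> "abcd...").
normalize_fp() {
    printf '%s' "$1" | tr -d ' :\n\t' | tr 'A-F' 'a-f'
}

# Read apksigner output on stdin; print each signer's SHA-256 digest.
signer_digests() {
    sed -n 's/^Signer #[0-9]* certificate SHA-256 digest: *//p' | tr 'A-F' 'a-f'
}

# fp_matches PUBLISHED < apksigner-output
# Returns 0 only if exactly one signer is listed and its digest equals
# PUBLISHED; 2 if PUBLISHED is not a 64-hex-digit SHA-256 value; 1 otherwise.
fp_matches() {
    want=$(normalize_fp "$1")
    case "$want" in ''|*[!0-9a-f]*) return 2 ;; esac
    [ "${#want}" -eq 64 ] || return 2
    got=$(signer_digests)
    [ "$(printf '%s\n' "$got" | grep -c .)" -eq 1 ] || return 1
    [ "$got" = "$want" ]
}

# check_apk APK PUBLISHED
# apksigner exits non-zero when the signature does not verify, so a digest
# is only compared for a certificate that really signed this file.
check_apk() {
    out=$(apksigner verify --print-certs "$1") || return 1
    printf '%s\n' "$out" | fp_matches "$2"
}

# Usage (fingerprint copied by hand from the download page):
#   check_apk Signal.apk "<published SHA256 fingerprint>" && echo MATCH
```

Copy the published fingerprint from the download page over HTTPS rather than from the same place the apk file came from, so that a tampered download cannot also supply its own "expected" value.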

Today I saw that the Android Signal apk is using its own updater, so you will get a notification if there is an update available. In that case, you should again first enable installation of apps from unknown sources, do the update, and then disable it again.

Hopefully there will be a solution in the future to use Signal without a Google account that does not require enabling and disabling installation of apps from unknown sources. A dedicated F-Droid repository for Signal could be such a solution.

Most importantly I hope in the future we will have fully reproducible Signal builds (the Java part is already reproducible), which are completely Free Software.

If you are interested in discussions about Free Software on Android, join FSFE's android mailing list.