Introduction
Since I started seriously working in programming I have been fascinated by open source software. It holds a promise of human goodness, of people working together without egotistical motives. But I have also found that such ideals are never seen in their purest form. One way to study this phenomenon is the messaging application Signal. They seem to take an approach that is in direct opposition to WhatsApp. Funded by donations, they try to provide an alternative that ensures privacy. With Signal you should be sure that your data is not sold and that your conversations are yours.
In this article I try to explore what open source means for an application like Signal. Is it just a way to make the app more popular and make it stand out against other apps? Or does it actually mean that Signal is inherently more trustworthy than other messaging applications?
First I’d like to say a few words about WhatsApp. It’s a great application! The fact that they’ve been able to accumulate 2 billion active users [1] shows that within the apparent simplicity is something people really like. I’d even go a bit further and say that the communication they provide has become very important for a lot of people. But there’s the problem: such a vital part of people’s lives should be treated with care, and can we trust an organisation like Facebook to carry such a responsibility? For me the answer is very simple: NO! Unless they become very much more transparent about how they make money, what they do with our data and what their long-term plans are, I think another service is needed to fulfill this new messaging need.
Now Signal seems to be the answer to this need. We’ve seen other apps (like Telegram), but this seems to be the most mature one yet. It’s crowdfunded, so no big corporations, and it’s open source, so anyone can check how it works and how data is used. Today I will focus on the open source aspect of Signal. In other words:
Does open source mean that Signal is safe?
Open source
Open source is actually more than a buzzword. In its basic form it means that the code of an application is open for anyone to view. But it means a bit more than that. Open source is a culture and a way of working. In its purest form it’s working together on making a great thing. In theory anyone can contribute to open source code to suggest enhancements or fixes. For this article I’ve chosen to look at how Signal is working on three levels:
- How open is the code?
- Does openness mean people check and audit the code?
- Can anyone contribute to the code?
How open is the code?
The starting point of my journey was of course the code repository (a repository is a place on the internet where the code for an application is kept) of Signal. It was easy to find through their website, and there are actually 5 repositories that make up Signal. I checked the code and quickly remembered that my coding skills are somewhat lacking, and closed the code before I got too confused. But the code is there for anyone to see.
Now the question is: is this the actual code used in the Signal app, and is there a way to verify that the code from the server repositories is actually used on the Signal servers? The short answer is “we don’t know”. There is no way for me to tell if the server code matches, and the same goes for the apps to a degree. It seems very hard to compare an iOS app to the original code; there are some discussions about this in the actual repository [2]. For the Android app it seems to be possible to compare the repository to the app in the app store [3]. So in that last case it does seem the open source code is actually used.
One note is that there was some news on the internet about Signal being less forward with the code that runs on the server. It seems new server code wasn’t exposed to the public for over a year [3], but now the code seems to be open again.
So for the “passive” part, we can be reasonably sure Signal is trying its hardest to advocate open source.
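The Android comparison mentioned above rests on the idea of a reproducible build: anyone can build the app from the public repository and check that the result matches what the app store ships. The script below is an added illustration of that check, not Signal’s own tooling. It treats an APK as what it is, a zip archive, hashes every entry, and ignores the META-INF signature files, which are the one part that legitimately differs between a developer-signed store build and a local build. The two “APKs” it compares are constructed in memory so the example runs offline.

```python
import hashlib
import io
import zipfile

# Entries under META-INF hold the developer's signature and certificate. A local
# build cannot reproduce them (it lacks the signing key), so they are skipped.
SIGNATURE_PREFIXES = ("META-INF/",)


def digest_entries(apk_bytes, ignore_prefixes=SIGNATURE_PREFIXES):
    """Map each file inside the APK (a zip) to the SHA-256 of its content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith(ignore_prefixes):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(store_apk, local_apk):
    """Return (matches, differences); differences lists (entry, reason) pairs."""
    store = digest_entries(store_apk)
    local = digest_entries(local_apk)
    differences = []
    for name in sorted(set(store) | set(local)):
        if name not in local:
            differences.append((name, "only in store APK"))
        elif name not in store:
            differences.append((name, "only in local build"))
        elif store[name] != local[name]:
            differences.append((name, "content differs"))
    return (not differences, differences)


def make_apk(entries):
    """Build a constructed in-memory zip that stands in for a real APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample inputs: a "store" APK with a signature, a matching local
# build without one, and a tampered build whose code differs.
STORE_APK = make_apk({
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
    "classes.dex": b"dex\n035\x00" + b"A" * 32,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.RSA": b"store signing block (constructed)",
})
LOCAL_APK = make_apk({
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
    "classes.dex": b"dex\n035\x00" + b"A" * 32,
})
TAMPERED_APK = make_apk({
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
    "classes.dex": b"dex\n035\x00" + b"A" * 31 + b"B",
})

if __name__ == "__main__":
    for label, candidate in (("local build", LOCAL_APK), ("tampered build", TAMPERED_APK)):
        ok, diffs = compare_apks(STORE_APK, candidate)
        print(f"{label}: {'reproducible' if ok else 'MISMATCH'}")
        for entry, reason in diffs:
            print(f"  {entry}: {reason}")
```

Comparing entry by entry rather than hashing the whole file is what makes the check meaningful: a signed APK can never be byte-identical to an unsigned local build, but everything the app actually executes can be. A single differing entry, as with `classes.dex` in the tampered sample, is exactly the signal a reviewer is looking for.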
Does openness mean people check and audit the code?
It’s great that people can see the code, but do people actually take the time to go through the code to check it for back-doors, security issues and bugs? Does the company that made Signal encourage this? And is the code updated if people find issues?
First of all there are the repositories. In the Android app repository I would actually be able to raise an issue with the code. In fact, at the moment there are over a thousand open issues and over 7000 closed issues. Strangely enough, I was unable to find an issues page for the server code.
What was even more interesting was a page from signalusers.org. This site shows a list of what seems to me thorough research into the safety of the Signal app. I do not think this site is linked to the Signal Foundation, but it does show people are committed to investing time (and money) to scrutinize a service like Signal. Some of the results were actually quite shocking to me, for example the article about contact discovery.
The important part is: people are actually checking the code and reporting problems with it, though the server code again seems to be an exception. There seems to be an active community that is concerned with the quality of Signal. In my opinion that is a great starting point for a safe application.
Can anyone help build the code?
This is an important part of open source: the ability for anyone to suggest code changes, and for those changes to actually become part of the application, is a way to create great software. A quick look around the repository showed me that there is indeed the possibility for outside developers to work together with the Signal developers on the code.
Not only was there the possibility, I clicked through a few of the closed collaborations [4] and found that the code actually became part of the main application. I also noticed very grateful and friendly reactions from the Signal developers towards the helpful “outsiders”.
Conclusion
Let me start by saying that there are always risks in software, and people or companies with wrong intentions can always find a way to misuse data. Even if it’s open source.
I must say I’m pleasantly surprised by what I’ve seen. It seems that Signal has really embraced the open source philosophy, and I hope they keep it up. Apart from the server code, they have done their best to open their code for scrutiny and suggestions. While this is better in the long term, I do not believe it could have been easy. It takes time for developers to check code from the community and keep up the quality.
But what’s more amazing is that so many people are working hard to make Signal better by checking the code and actually contributing to it. They have managed to create what must be a community of enthusiastic outside developers. Open source continues to amaze me.
In conclusion, from an open source standpoint, I would really encourage everyone to switch to Signal. Compared to WhatsApp, this is really much more reliable. Your privacy is not guaranteed, but by sticking to open source principles, Signal should stand a better chance of protecting your privacy in the future.
For more info about Signal:
The community:
https://community.signalusers.org/
The repository:
[2] https://github.com/signalapp/Signal-iOS/issues/641
[4] https://github.com/signalapp/Signal-Android/pulls?q=is%3Apr+is%3Aclosed+
Cover image: Photo by Mika Baumeister on Unsplash