Is it still viable to use Signal for privacy in 2026? It’s centralized, and has had many suspicious occurrences in the past.(Unopen source server code, careless whisper exploit which is still active as far as I know, and the whole mobile coin situation.)
Thoughts?
The stories I’ve heard where Signal messages have been extracted or otherwise accessed was from beyond either end. Someone invited a journalist to a private group chat. Someone handed someone else an unlocked device. The most alarming one is apparently Apple uploads every push notification your device gets to their servers. So if you are concerned about privacy there’s a feature in Signal to set push notifications to only say “you got a message” and not include the sender or message contents in the notification.
I haven’t heard of Signal itself leaking messages.
IIRC Android has the same issue with push notifications, if you really care about privacy you should disable showing any content from any messaging app in your notifications unless you want Google or Apple to collect it
That’s why I use UnifiedPush
This is not true for Signal. Other apps may send the notification content but signal uses FCM to push a simple notification to wake the device and tell signal to fetch the actual notification. You can use the full text / info notification and know that Google does not see it.
https://discuss.grapheneos.org/d/1279-sandboxed-google-play-for-push-notifications-breaks-privacy/9
That is true for Signal, the FBI extracted Signal message content from Apple’s push notification system: https://www.404media.co/fbi-extracts-suspects-deleted-signal-messages-saved-in-iphone-notification-database-2/
The only thing to learn is everything is bullshit and nothing has ever been okay.
We are both right 😆
It is true for Signal on Apple devices.
It is not true for Signal on Android devices*
*Well I’m using grapheneOS so I feel more comfortable in my case but a regular Android device with full access Google Play Services? That I’m not so sure about. It’s conceivable that Google has a way to read the final notification (FCM push -> Signal fetches and displays message -> Google can read all notifications on the device, FCM or otherwise) 😬
Can you trust what a Pixel is doing with its 5G modem?
I’m not an expert or even close to that, so no, not really I suppose. Can you really trust any device when it comes down to the hardware level? I wouldn’t trust an iPhone or any other phone more. Again, while I’m not an expert, I’d trust grapheneOS for software over any other mobile OS. Probably trust to that effect would be grapheneOS >>>> iOS >> everything else. But full trust in any hardware? Who really knows