I recently tried to install Skred Messenger (P2P), but it crashes when launched.
Especially the part at the end is funny:
Even then, lack of encryption is not reason enough to stop using it altogether. If it was, I look forward to your article calling out everyone to stop using Email altogether.
Yes, but the thing is that email isn’t a centralised “thing”, while Telegram is. They have full access to everything they want, in comparison to that you can chose to only email someone if he doesn’t use Gmail for example.
But I do also see a problem with Signal and software freedom (I discussed about several issues such as G00gle dependencies, the removal of a passphrase lock in exchange for pattern/fingerprint (which is the same that you already use to unlock your device, so it doesn’t make any sense) and why Moxie keeps insisting on not releasing Signal on F-Droid on the Signal forum a couple of years ago).
Every messaging service has it’s pros and cons:
- Telegram has bad encryption
- WhatsApp has bad privacy
- Signal has made some bad decisions with G00gle dependencies and federalisation
- XMPP messengers are often outdated, lack of essential functions and are not centralised enough, meaning that they can be incompatible to each other (different encryption and featureset and so on)
At the end, it’s up to everyone to decide which app suits one’s needs best. For me it’s Signal, although it’s far from perfect, for someone else it can be something else.
This probably sounds cheesy, but in fact, it’s not the app that should be important, but the people who you are communicating with.
Since the people are important to me I don’t force my nerdy messengers on them (anymore ) and talk to them via Whatsapp.
I’m surprised no-one mentioned f-droid. You won’t find proprietary apps of course, and it can clash with Yalp store if you use it, but it’s a start.
About WhatsApp the texts are E2E ecrypted so it’s not really a problem – only your screen name and number are shared (but maybe it’s already too much for you to be confortable with).
As for the banking apps… Yalp would be your goto, I guess
No and no. I have it running without Google Services just fine and it offers me updates on it’s own.
Nope. WhatsApp E2EE is broken, stop sponsoring it as secure, they’ve tricked all of us. Right from their FAQ:
Important notes about Google Drive:
Media and messages you back up aren’t protected by WhatsApp end-to-end encryption while in Google Drive.
Backup to Google Drive is enabled by default on Android. You may disable it, but you’re sold when it comes to convincing any other peer in the network to do so.
I disagree (but not deeply) with @Stanzi above. I’m using WhatsApp1 because I can workaround privacy issues with other technological options, but fixing life is difficult (damned network effect!). We are trapped. To be coherent when choosing WhatsApp, be cautious with what you share, talk about it, educate people when they share IDs, kid’s photos or other dangerous personal bit of information. Let people be aware, that’s the only way to overcome this shitty era of abuse and anti-humanism.
Returning to the OP question: probably not. You can use Yalp Store to download apps, but the problem doesn’t reside in the method to download, but within the payload itself. What most people don’t know is Android is not just an OS: it’s a platform. It’s processes are regulated by Gobble. Gobble dictates what to use with their “Developer documentation”, which leads to most developers including bits of Gobble-developed, home-calling software (they are called libraries) inside each and every app in the ecosystem (not exclusively, bits of Facebook and other third party surveillance-capitalists are shipped too). Developers can’t easily avoid using them, really, if they want to be competitive. It’s a new form of banality of evil, but in the 21th century and massive.
Of course, there are those other developers who care, and F-Droid and a whole lot more of pretty beautiful, human-caring stuff. Give them a shot.
1. My main messaging platform is Signal. It has its own problems (it’s another centralized network, doesn’t really like libre software, server software is not open source and you still need to trust them in some way), but it’s probably the best around for regular peeps (Briar is brilliant, but it’s not for everyone (yet?)). I’m not saying don’t ask people to migrate; I’m saying forcing them is impractical, and, in the long term, futile.
I would have written almost exactly the same as Stanzi!
(especially the part about telegram! – you should not use it (ha! – if you care about privacy, that is! ))
Maybe this can be a motivation: I just had a look at my contacts; there are some 80 people in there and I can reach more than half of them via Signal! I found that if you either properly explain the issues with Whatsapp and Telegram to them, or (b/c still, many will continue using those two ) just kindly ask them to contact you via Signal, they will. Don’t patronize, just let them know the reason why YOU will not be using those apps.
(I also agree about the issues with Signal, but at least they removed the dependency on GCM and provide the apk nowadays – I think it’s now the best compromise between privacy and ease of use that is out there. (And if you like buzz words: Edward Snowden recommends it — huhh! ) Of course something XMPP-based would be even better, but good luck convincing your contacts of going “that complicated” (personal verification per contact, …)
there’s a few that I can’t go without, such as WhatsApp and my banking apps
Out of curiosity, why do you need banking on your phone? The only scenario I could naively think of would be some time-critical stock-trading(?)
I guess you need to make a decision between your privacy needs and your flexibility regarding certain tasks you (used to) do with specific apps
Yes, I forgot, texts aren’t encrypted when in your Drive. I disabled it and never thought about it since. But once you disable backup, do you have any issue @Roboe ?
That’s a fair point.
Also agree, though from this thread I think I’ll give Signal a go.
Interesting. I just downloaded the ProtonMail app (from a site called APKmirror, couldn’t find it on Yalp) and it said that “This app needs Google Play Services to run, which aren’t installed on your phone.” Too things come to mind:
- it does appear to work despite the warning message
- ProtonMail is an opensource app developed by people at CERN (supposedly), so I don’t get how or why it uses Google Play Services.
While I could live without banking apps (and I have in the past), they make my life significantly more convenient. For example, to pay for things online in Belgium you need Bancontact which you use through the banking app, or when I lost my card I needed the app, otherwise I would have had to go to a branch to get a new pin.
Threema works nice as well. Their shop is here:
(I copied my threema apk from my old phone, so I did not use the shop yet.)
Grüße von nobi
It’s not enough, sadly. You cannot disable all your contacts backups. So Gobble has your text/media/voice and chats even when you explicitly don’t want them to. You can convince some random people to follow you; try to convince a group chat to do that… It’s broken.
That’s Gobble code (i.e. bundled libraries in the app) talking on behalf of ProtonMail.
Not integral open source. ProtonMail app includes closed-source libraries from Gobble to use Android platform commoditized features (most probably push notifications through Firebase Cloud Messaging). You’ll probably miss messages without Gobble services (and will get tired of discarding the message above each time you open the app).
Gobble doesn’t want apps to fetch new content in the background on their own, so they have engineered Android in a way that it forces developers to use their proprietary push messaging system or let them humilliate themselves telling each of their users to disable a battery-saving feature of Android to be able to fetch new content. It’s machiavellist.
Install your apps from their app-store
Following options are valid for any Android alike OS:
Install your apps from F-Droid or Yalp
Install Netguard, block all connections of apps which don’t need any connectivity and put together your own host file blocking all trackers and adware/malware URLs
Use Firefox Focus for tracker free browsing and K9 for mail
By only following these small steps, you cut almost all leaks and you don’t loose any convenience.
/e/ app-store is afaik not yet available.
@Gobs have your original questions been answered sufficiently?
If so I’s suggest we close this topic and continue the derived conversation at Living without Google 2.0 - A Google free FP2 as it turned into a general discussion about the G%§$e-free lifestyle and this topic title doesn’t cover that.
PS: I moved the whole discussion as it all fits here.
Last year, a Portuguese company won a court case against Google, allowing it, ‘Aptoide’, to provide apps free. I now use Aptoide on my Freephone OpenOS. https://uk.reuters.com/article/us-google-antitrust-aptoide/aptoide-wins-court-battle-against-google-in-landmark-case-idUKKCN1MW2CL
Very interesting discussion here. So I have a question: do apps like signal or threema store the messages encripted on the phone? I they would, also the gobble drive backup on your contacts phones would not be of use to gobble, right?
And if we are already discussing different Messengers: does anyone know about the safety of the app called wire? I do really like the app and they also say that its open source but I dont know enough to estimate their privacy friendliness.
What do you think?
Well, Signal once stored them encrypted if you locked the app with a password, but they abandonned this feature about a year ago (Signal is great, but there are some decisions made by Moxie Marlinspike which I don’t understand and in my opinion he has a little too much power over the whole thing…).
I know Wire, but I’ve never used it since I thought it wasn’t open source, which it apparently is, so I’m going to look into it. (I don’t know anything about cryptography, but I’m trying to get serious articles about Wire (essentially almost everything that’s not "THIS ist the best MESSENGER and why YOU should SWITCH TO IT NOW!))
Can you give a source for this? I thought they were still doing this,
I don’t know about Threema. It’s closed source, so it wasn’t never an option for me.
One can argue “but Gobble services have root access, so they can backup it anyway!”. That’s not true. Gobble services are privileged apps with excessive privileges, but they don’t have root permissions (in the Unix sense). You can read more about the Android security architecture in the Android Security Internals book.
It’s open source, uses the Signal protocol and I read Snowden sometime qualify it as “great but sightly less well-thought than Signal” on Twitter (can’t find the tweet ATM, sorry). But, even being open source, it relies on Gobble’s libraries (at least for push notifications and maps), and even when there was once a 100 $ bounty to make a libre build flavour for its inclusion in F-Droid, noone achieved it, :(. I don’t really have a strong opinion on Wire, though, but I don’t have a major selling point for it over Signal neither. Still a walled garden not completely libre.
Talking about alternatives, Briar seems like the best available (libre, reproducible & already on F-Droid; P2P fully decentralized; anonymized metadata through Tor; it doesn’t even need an Internet connection), but the fact that it’s targeted at activist on dangerous areas and thus contacts need to be added manually to ensure trust, doesn’t make it easy for regular people. Although a remote contact adding feature is in the works.