However, it has just emerged that the nonprofit behind the Signal app hasn’t always lived up to its original open source promises. While Signal regularly publishes the code of its applications, the German magazine Golem has found that it did not update the GitHub repository for its server for almost a year. It should be noted that today the company released an update with a newer version, with new features and with its code published.
As Android Police reports, the repository was full of complaints from the open source community asking why Signal was no longer publishing the changes to its server code. Before this most recent version, the last code published was dated April 20, 2020. Various publications such as Golem or Hacker News have said they contacted Signal for clarification in this regard and have not received a response.
It is not a security problem, but a matter of advertising something that is not so
Despite this, secure communication is guaranteed by the end-to-end encryption implemented in the open source client applications and the Signal protocol. In fact, the same open discussion on GitHub makes clear that privacy is not what is at issue. “Using Signal is safe and even if a malicious server were used, your messages would be safe.” This discussion is not necessarily about the security / privacy that Signal offers, “but about the fact that Signal advertises its server as open source when it is not”.
A closed source server application prevents anyone from auditing the latest version of the release or building their own updated Signal servers, as Android Police recalls. For an open source project, this has a consequence: it removes the possibility of third parties creating their own independent platforms using Signal code if they are not happy with the direction the company takes.
The main complaint from users is the lack of transparency on this matter and the delay of almost a year in the release of the server source code. Just today, Signal has started posting a newer version of the server code on GitHub, and version 5.4.8 is now available.
Signal announces a payments feature in its update
The new version announced by Signal offers payments between users using cryptocurrencies (another complaint from users is that the company published its most recent version of the Signal Server code on GitHub but did not notify the platform's users).
At the moment this new feature is only available in the UK and allows users to send and receive money through a cryptocurrency which uses the MobileCoin payment protocol and which they call MOB.
In fact, some commenters in the open conversation on GitHub suggest that this code could have been kept closed for so long to avoid revealing the new functionality that has been announced.