Any reason Signal isn't available through F-Droid? It may be unjustified but I'm not a big fan of installing privacy conscious apps through Play.
Edit: Wait, haven't installed anything yet, but I read the getting started guide. I have to sign up using a phone number? That throws all expectation of anonymity and thus privacy out the window.
You can get a phone number from https://jmp.chat/ if you like. The signup process can be done entirely over Tor.
If you don't use it beyond the trial, it's like the public payphone option mentioned by another commenter - someone could take your number. But if you choose to get a paid account (which, among other methods, can be acquired using Bitcoin, Bitcoin Cash, or a prepaid gift card purchased with cash), then the number will be yours. JMP is probably the most anonymous way of getting a phone number.
I'm not sure of your assumption that lack of total anonymity implies no privacy. They are independently important concepts. You can have privacy (no knowledge of information shared) without anonymity.
The phone network can do that just by correlating traffic to devices, it doesn't need any help from the software running on those devices.
If the target use case was people that could reasonably do the job of limiting the information just the use of their devices leaked, it might matter. But the target use case is replacing SMS and the like, so it really doesn't matter (except that people want to pretend that the use case is something other than replacing SMS).
Of course there is. That's why one of the cleverest parts of signal is the engineering to invalidate number 2. Moxie and signal are the world leaders in trying to make it impossible for the service to know who you communicate with... Even to the point of using the Intel secure enclave to audit the server software and validate that it doesn't peek.
That's not the point. Why doesn't Signal provide the option of using a pseudonym? The model is broken from the perspective of people who care about privacy.
The funny part is that Signal and F-Droid both have their own reproducible build system, but they’re incompatible (part of that is that Signal requires proprietary code in its binary)
Theoretically, but when you throw in things like build systems often not being deterministic, minor versions of dependencies changing, different OS or slightly different OS version with different libraries; there's a multitude of places to throw the final binary off by a few bytes or more and end up with a different checksum.
Signal wants to distribute a binary with a checksum. Once the checksum is different all bets are off, that's why it's not in F-Droid
As if reproducible builds hadn't been done before. If Debian can get to building 80% of their packages reproducibly[1], the
communities around Android can get there too. Luckily, it's being worked on.[2]
Now the question is: (when) will this be supported by F-Droid?
Yeah, figured. They seem very inconsistent in applying their trust. At times they'll do strange things like build app on Chrome Apps platform / mandatory phone ID and on other times they'll make user-hostile decisions like hijacking SMS messages and refusing to publish to F-Droid due to "security".
The end result is an app that keeps shooting itself in the foot and being beaten by Messenger and WhatsApp.
The reasons why have been given by others, but you might also like to know that you can download the APK yourself and that it includes its own updater: https://signal.org/android/apk/
You can signup using the number of a public payphone if it makes you feel safer, with landline verification. (Of course, you expose yourself to having the account hijacked by anyone who figures it out and has acces to the payphone).
But it won't improve your anonymity significantly, unless you also use it over TOR.
You need a phone number that can receive texts for the initial setup, but once you're set up people can add you by @username and never need your number. Stuff like https://www.textnow.com/downloads works just fine for the initial text. Once you have a single device set up, it messages your existing devices rather than sending SMS when you try to connect another device.
One of the main people behind Signal actually tried to spread a bunch of FUD about Telegram years ago, saying the crypto was weak, but it's really not. No working POC code was provided to decrypt anything, just FUD.
Telegram isn't remotely similar to Signal. Telegram communications aren't encrypted by default, and Telegram group chat messages aren't encrypted at all.
To say there's no encryption AT ALL when it's fully encrypted over the wire is still false. Not having E2E encryption is different than not having encryption AT ALL.
All crypto is weak until proven otherwise. Telegram never received a good review from cryptographers. The fact that no POC was provided may just as well mean no cryptographer cares enough to find a bug.
No, he said the crypto was weird (which it is. Who the eff uses IGE mode?) and that their competition to find vulnerabilities was bullshit and would be secure even using crypto primitives that are known to be weak.
Edit: Wait, haven't installed anything yet, but I read the getting started guide. I have to sign up using a phone number? That throws all expectation of anonymity and thus privacy out the window.