The problem with Signal
Signal is widely regarded as one of the most secure messaging apps. It’s probably the most secure messaging app that is cross-platform, has most of the features people want, and is somewhat popular.
For the purposes of this article, let’s assume that Signal is the most secure messaging app. However, there’s still a small problem in the way that Signal is distributed.
Backdoor in plain sight
Signal is distributed through the Google Play Store and Apple App Store. Like many other apps, Signal signs the app and then hands the signed executables to the app store which distributes the app to people’s devices.
There are a few problems with this distribution mechanism. First, it implicitly trusts that Signal will provide the correct executable to the app store without modification. It also trusts that Signal won’t sign a malicious version of its app which could be used in a targeted attack on certain devices. Moreover, it relies on the app store to distribute security updates to people’s devices in a timely manner without withholding them in a targeted way.
This problem affects more than just Signal. However, it’s still worth pointing out, especially since Signal seems to be increasing in popularity and thus deserves more scrutiny.
Reproducible builds are an interesting way to solve this problem. Signal’s Android app actually is built reproducibly, which is nice. However, as far as I can tell this protection doesn’t extend to Signal’s apps for other platforms. Also, this doesn’t protect against a targeted attack in which the target doesn’t verify that their version of Signal is built reproducibly.
The network effect
Another unrelated problem with Signal is that it is a walled garden. Signal users can only message other Signal users, and Signal messages are routed through Signal’s centralized servers. This is only a problem because of the significant amount of effort required to get people to switch messaging platforms. If Signal were to go rogue at some point, it would be difficult to convince everyone to switch to a different app. Also, if Signal were to have a long-lasting outage, it would be difficult to recover from it.
There are some benefits to having a single app. For example, you can reasonably trust that any Signal user you message is using Signal’s official app instead of a possibly insecure third-party app. However, it also comes with the downside of giving one company too much control over our communications.
This problem doesn’t have an easy solution. At the end of the day, this is a social problem that must be solved with governance, not technology.