2024-08-13 04:15:57
in reply to

Dr. Hax on Nostr: Oh I have looked at the source code myself. It seems legit at protecting the content ...

Oh I have looked at the source code myself. It seems legit at protecting the content of messages and I have no reason to believe that has changed since I reviewed it. But I didn't check the source vs the APK.

When I reviewed it the app also uploaded a hash of every phone number in your address book to their server and they'd look to see if they had a public key for that phone number.

Experimental testing after they rolled out username support indicates they aren't doing this anymore (or at least, I haven't been able to trigger it) because I do NOT see the phone number of the person I'm chatting with, even though they are in my address book. This also goes against how Signal claimed the username feature would work. They said the phone number would only appear if it was already in your phone book. That is a lie.

I'm glad that's a lie, but I'm a bit nervous because it could be something else that is causing my app to not behave as expected. I also saw that the code to rip through all contacts is still in there, so I worry that I might just not have figured out how to trigger it.

I'm not particularly motivated to keep spending my free time on that though. I've moved on to decentralized e2ee apps for everyone except the "I am ONLY on Signal" people, and there's no way Signal is getting permission to my contacts on my main phone. So I don't super care if it's lax on privacy.

I'd rather use my time building the hardware password manager that I maintain, running servers and helping other people do the same, and helping people kick Facebook, Twitter, Google and all the rest of the megacorps to the curb.
Author Public Key
npub16v82nr4xt62nlydtj0mtxr49r6enc5r0sl2f7cq2zwdw7q92j5gs8meqha