TextSecure used to be on fDroid, then this happened https://f-droid.org/posts/security-notice-textsecure/. Now it's a GPlay exclusive. I don't have GAPPS so now I can't get it. I'd assume many privacy conscious people don't have GAPPS. I understand the technical hurtles, but it's too big a pill to swallow.
Conversations uses XMPP, not whatever custom stuff WhisperSystems worked up for Signal. Are you talking about OMEMO[0]? That's their implementation of Axolotl over XMPP. So same crypto, yes, but different protocol.
Thanks for this! Seems to cover most of my bases. Secure, on F-Droid and gappsless. Here's hoping for a mainstream XMPP resurgence. Not holding my breath though. I had played with Jitsi before too, have to see how these compare.
I can understand somebody deciding to focus on the users with Google Play Services, but I find very hard to trust a 'Secure' application which writes sensitive in the logs.
If the app runs in an android version < 4.1, logs are readable by any application.
Assuming that by "GAPPS" you mean the Google Play Store etc., my strategy has been as follows:
- copy all data to a computer
- wipe the phone
- set up a google account with bogus information
- install all the apps i might ever want to use
- delete the account info and remove google stuff
- copy personal data back onto the phone
This is a big hassle, so I only do it once a year or so, but it seems to work ok.
Of course I have no way of verifying that the phone actually deletes my data when I tell it to, or that it actually deletes the Google stuff when I tell it to, or really much of anything about what it is doing or who it is talking to, so I still don't trust it - but I mistrust it slightly less, I suppose, than I would if the google apps were running.
You might be interested in Racoon[1], which is a desktop client (Java) for downloading apps from the Play Store, or into BlankStore [2][3], which is an alternative mobile client.
This is a fork of TextSecure/Signal which drops the dependency on GCM and uses WebSockets instead (it seems quite up-to-date with origin as well).
For anyone wanting a pre-build copy, there is a non-official F-Droid repository hosting both the "main" Signal and the WebSocket fork here: https://fdroid.eutopia.cz/
I'm pretty sure it requires gapps, although I did see a websockets version so not 100%. Also, keeping your own builds up to date is possible, but a hassle. For anyone else doing that https://f-droid.org/repository/browse/?fdid=fr.kwiatkowski.A... is an easy way to ensure your apks are up to date without a repo store.
This event spooked me forever against Textsecure. I've seen moxie's reasoning for moving to Gapps, but I don't know if I (or the the unix world) agree with it. If I had a gun pointed at my head, this tactic (making an insane choice that boils down to "it's encrypted. what could possibly go wrong?") would be my canary of choice. I'd probably mix in some Lennart Poettering, "it's the future, get on board," to make it extra-obvious, though.
