> Signal uses E2E encryption, so your attack vector doesn't work.
End-to-end encryption is just that. That Firebase library is running on the client phone (aka an end). If Google put code into the library allowing it to download updates, it would also be running in Signal's context, which would allow it to trivially dump and exfiltrate messages, memory, etc. from the Signal process.
Now, we have no reason to believe such a mechanism is used here to my knowledge, but if they really wanted to, it would defeat end-to-end encryption.
In that case, Signal can run the integration in another process. It's extra work, but it also gets around the GPL issue for the main application, so if Google doesn't solve that itself, it's easy for someone else to and share the solution with everybody.
It would also be easy to spot if Google put an updater inside the library because the requested permissions for using the library would change.
If this is your angle, then they wouldn't need you to load any library for them to be able to do this attack. They have root, so they could do the attack regardless of Firebase being open source.