Thousands of Users Unknowingly Joined Signal Because of a 12-Year-Old's App (vice.com) 41
"At least 10,000 Signal users can be attributed to a 12-year-old kid in India who created a somewhat popular clone of the encrypted chat app," reports Motherboard:
Dev Sharma, a Signal user from Melbourne, Australia, found the Signal clone when he encountered an unusual thing: Signal displayed a pop-up showing that their friend had just joined the app. Sharma messaged their friend, but the friend had never even heard of Signal, despite apparently using the app. The friend had downloaded a different app called "Calls Chat," according to a tweet from Dev. It turned out, Calls Chat is actually a clone of Signal and lets users communicate with people on the legitimate Signal app.
The app may have been harmless in this instance, but its existence and thousands of downloads show how it can be relatively easy for someone to take the open source code of Signal and repurpose it for their own means, potentially misleading users about what they're actually downloading in the process. "I didn't know I was creating a clone of Signal, in fact I didn't even know such an app existed," Dheeraj, the boy who made the clone, told Motherboard in a phone call...
The Google Play Store bars developers from impersonating other apps or making others that are deceptive, however. Google told Motherboard on Wednesday that the chat app is no longer available on the Play Store.
Frightening (Score:1, Funny)
it can be relatively easy for someone to take the open source code of Signal and repurpose it for their own means, potentially misleading users about what they're actually downloading in the process.
This "open source code" sounds like a scary thing. We should start a petition against it.
12 year old idiot? (Score:2)
Re: (Score:3)
12 year old idiot?
Yes, provided that you're 12 (seems likely).
Maybe he just went all Picasso "great artist steal"?
Re:12 year old idiot? (Score:4, Informative)
12 year old idiot?
Yes, provided that you're 12 (seems likely). Maybe he just went all Picasso "great artist steal"?
I'm pretty sure he was lying. I remember when I was 12 and getting in trouble for things. Playing dumb actually worked quite a bit of the time.
Re: 12 year old idiot? (Score:5, Insightful)
Why do you call him an idiot?
Of course he's afraid and saying defensive things when clueless editors approach him as if it was some kind of bad thing to fork a freaking open source project that is open source for this precise reason.
The kid's got more of a clue that that moron of a writer, who apparently never has even heard of back when messengers were merely clients for certain networks and protocols ... before the Ferengi introduced lock-in.
Hell, WhatsApp itself is likely a clone of a bog standard open source XMPP client, but made closed source, ... where only push messaging via Google and pathetic trivially decryptable encryption (that only existed to keep other clients out) were the new "features".
Re: (Score:1)
Hell, WhatsApp itself is likely a clone of a bog standard open source XMPP client, but made closed source.
Not that unlikely. Those of us that're old enough to remember the good ol' days can probably recollect that both Facebook Messenger and Google Talk used XMPP. Facebook doesn't use it anymore though (guess they didn't really like the idea that anyone could use any client outside of their control), not sure about Google Talk, if it still exists at all.
It is a nice protocol and cloning an already existing client lessens the development time so less moral companies might use that as a shortcut to release their own c
Re:12 year old idiot? (Score:4, Informative)
This 12 year old obviously got the source code, didn't even look it over, and repackaged it under a different name.
No, the 12yo did not do any coding. He is not even a script kiddie. I believe he used https://appsgeyser.com/ [appsgeyser.com] , which advertises:
Make Android Apps in 5 minutes with free App Creator
— Without any coding and fees
"Create an app in 3 simple steps and you’ll be ready to monetise it in no time"
Re: 12 year old idiot? (Score:2)
Yeah, I pointed this and the clock on the board scandals out and got a mod down on that.
The clock scandal created some racial controversy when it happened, and it seems pointing out the fact that it was just a store bought clock whose innards were gutted and mounted on a board must mean I'm a racist. :-\
This is the danger of "woke". It creates an illusion that the people it favors can do no wrong, and anybody who does point out any wrongdoing must be a raging bigot.
Re: (Score:2)
The clock scandal created some racial controversy when it happened,
Ahmed Mohamed. Wasn't that more religion than race? Supposedly a "Muslim has clock, it must be a bomb" thing?
But yes, it is unfortunate when people bring race, class or religion into everything for no real reason.
To me, that was just a story about a crazy over-reaction from school authorities, and being too stubborn to back down.
Race/religion was irrelevant until the media got involved, and used that to make a bigger story.
That was Texas, and he was Sudanese, so African as well as Muslim, which makes thing
Trusted (Score:3)
"I didn't know I cloned the Signal repo".
OK, little dude.
Not bad for a 12-yr-old, though!
Re: (Score:3, Insightful)
While nothing malicious was done, it very easily *could* have been malicious. It would have been pretty trivial to slightly modify the source code to shunt all decrypted communications off to a private server somewhere.
Perhaps more worryingly, 10,000 people trusted a random chat app on the Play store without knowing a thing about the code or the author.
Sure, on the grand scale of *things in the universe to worry about*, it ranks pretty low. But it's something to keep in the back of your mind, at least for
Re: (Score:2)
because people don't make illegal modified versions of closed sourced code and put them in app stores, or even sell whole modified closed source office suites?
Nothing to do with access to source code, all your imagined evil stuff can and has been done with or without it, in Apple store and Google store and with bogus disks for sale of major products
Re: What's the problem? (Score:2)
"Perhaps more worryingly, 10,000 people trusted a random chat app on the Play store without knowing a thing about the code or the author"
Heh, in an ideal world it would only be 10,000.
I've lost track of the number of Windows machines I had to fix, that were loaded down with popups of scantly/no-clad ladies and useless toolbars, and taking 20 minutes to boot up because of all of the malware competing (and winning) against the OS for resources.
Another 'genius' kid scandal (Score:1)
A 12 year old learned how to operate a compiler, changed a few strings and graphics assets, and suddenly he made an app clone, as if it was coded from scratch as a workalike.
Still not as bad as a few years back when another kid took the workings out of a store bought clock, stuck them on a board, and claimed it was something he designed and built himself.
This is a feature of OSS. (Score:2)
Being able to use their code base and customize it while also keeping interoperability is great. When I first checked Signal out I actually thought about redeploying the code as my own application so that I could then run the server myself. It would provide more control over meta-data stuff.
I ultimately decided to just use the official Signal application itself but it's still tempting to want to run your own server for routing Signal communications.
What's wrong? (Score:3)
Why does Signal network allow foreign apps to impersonate signal?
Since Signal is GPL, where can I find the source code of the chat app derived from it?
Re: What's wrong? (Score:4, Insightful)
Impersonate?
It's like you kids cannot even comprehend the concept of a *protocol* and *network* with more than one client anymore.
I wrote my own clone too, to fix a few small things that do not touch on its security. (Color selection, media file download chunk retry behavior, and a few things that are now in standard Signal too.)
Re: What's wrong? (Score:2)
Does IRC let you know what clients users are using?
Re: (Score:2)
Does IRC let you know what clients users are using?
Yes. *** CTCP VERSION reply from SomeRandomDude: mIRC v7.63
Re: (Score:2)
Since Signal is GPL, where can I find the source code of the chat app derived from it?
Except you kinda have no rights to the source until you download the app and accept its use under the terms of the GPL... until then, you are just an interested 3rd party looky-loo. Fortunately, the barrier to entry is really low... Of course, that also assumes the vendor of that chat app is following the terms of the GPL that he/she also agreed to.
Re: (Score:2)
If you choose to provide source through a written offer, then anybody who requests the source from you is entitled to receive it. If you commercially distribute binaries not accompanied with source code, the GPL says you must provide a written offer to distribute the source code later.
GPL FAQ [gnu.org]
Got it? Apologize and get lost.
Re:What's wrong? (Score:4, Insightful)
Except you kinda have no rights to the source until you download the app and accept its use under the terms of the GPL...
The license takes effect when you distribute the software or a derivative work. Clicking "Okay" is probably irrelevant. The license becomes active because said distribution would be unlawful if not through the provisions of the license. If you distribute without following the license, you violate its copyright.
Yes, Signal is open source. (Score:2)
And the servers even support federation.
No guarantees can be made when the clone's code is in an unknown state.
You should be able to diff the code with the original version it's based on though, and quickly see what few changes were made.
I suspect for this app, this is manageable for anyone who frequents Slashdot.
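The diff-against-upstream check suggested above, as an added example that is not part of the original thread or of Signal's code: it hashes every file in two source trees and sorts the differences into rebrand-only resource edits versus source or build changes that a reviewer should actually read. The file-type heuristic and the sample trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: a pure rebrand only touches resources (name, icons, colours);
# changes anywhere else (source, build scripts, native libs) need a code review.
REBRAND_SUFFIXES = {".xml", ".png", ".webp", ".svg"}


def _hash_tree(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def diff_trees(upstream: Path, clone: Path) -> dict:
    """Classify every difference between a clone and the upstream tree it claims to be based on."""
    up, cl = _hash_tree(upstream), _hash_tree(clone)
    report = {"added": [], "removed": [], "rebrand": [], "code_changed": []}
    for rel in sorted(set(up) | set(cl)):
        if rel not in up:
            report["added"].append(rel)
        elif rel not in cl:
            report["removed"].append(rel)
        elif up[rel] != cl[rel]:
            bucket = "rebrand" if Path(rel).suffix in REBRAND_SUFFIXES else "code_changed"
            report[bucket].append(rel)
    return report


def needs_review(report: dict) -> bool:
    """Anything beyond resource edits means the fork is not a plain rebrand."""
    return bool(report["added"] or report["removed"] or report["code_changed"])


def _write(root: Path, files: dict) -> None:
    for rel, text in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)


def demo() -> dict:
    """Constructed sample trees (not real Signal sources): a fork that renamed the
    app but also edited one source file and added another."""
    base = {"res/values/strings.xml": "<string name='app_name'>Upstream</string>",
            "src/Main.kt": "fun main() = start()", "build.gradle": "apply plugin: 'android'"}
    fork = dict(base, **{"res/values/strings.xml": "<string name='app_name'>Calls Chat</string>",
                         "src/Main.kt": "fun main() { extra(); start() }",
                         "src/Extra.kt": "fun extra() = Unit"})
    with tempfile.TemporaryDirectory() as tmp:
        up, cl = Path(tmp, "upstream"), Path(tmp, "clone")
        _write(up, base)
        _write(cl, fork)
        return diff_trees(up, cl)
```

Run `demo()` and pass the result to `needs_review()`; a fork that only changed strings and icons would report nothing under "added" or "code_changed".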
Re: (Score:1)
And the servers even support federation.
No, it does not. Or rather the central server, which everyone uses, is not federated. The server code supports federation, or it used to (not sure it’s still in there), but it is effectively useless since you can’t federate with the one server with the userbase. If you want federation (and you should), use Matrix.
His initial cause is noble (Score:4, Interesting)
"Initially, my plan was to make an Indian made version of TikTok so people wouldn't have to use the Chinese version"
Should have stuck to his original mission. That would be socially much more valuable than a Signal clone.
So? (Score:2)
Billions of people somehow 'joined' FB-Servers, because somebody who uses Whatsapp had them in their contacts.
SOP for open source Android apps (Score:2)
Basically every open source Android app has dozens of clones on google play. Someone takes the source, changes the name, maybe puts in adverts, and sticks it on google play. Maybe they even sell it and try to use SEO and fake reviews to get it to show up before the original free version and get a few people to buy it. Or just get ad money or cryptocoin mining or something.
This is only different than most because there was a service that the app was able to use, so someone other than the original user could
Re: SOP for open source Android apps (Score:2)
And this is why we can't have nice things. :-\
Just because somebody flunked the lessons taught in kindergarten, namely respect other people's property, does not mean they don't know how to program.
The reason for Signal's Success? (Score:2)
I knew it! Those 50 million members couldn't be legit!