Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Social Networks

Thousands of Users Unknowingly Joined Signal Because of a 12-Year-Old's App (vice.com) 41

"At least 10,000 Signal users can be attributed to a 12-year-old kid in India who created a somewhat popular clone of the encrypted chat app," reports Motherboard: Dev Sharma, a Signal user from Melbourne, Australia, found the Signal clone when he encountered an unusual thing: Signal displayed a pop-up showing that their friend had just joined the app. Sharma messaged their friend, but the friend had never even heard of Signal, despite apparently using the app. The friend had downloaded a different app called "Calls Chat," according to a tweet from Dev. It turned out, Calls Chat is actually a clone of Signal and lets users communicate with people on the legitimate Signal app.

The app may have been harmless in this instance, but its existence and thousands of downloads shows how it can be relatively easy for someone to take the open source code of Signal and repurpose it for their own means, potentially misleading users about what they're actually downloading in the process. "I didn't know I was creating a clone of Signal, in fact I didn't even know such an app existed," Dheeraj, the boy who made the clone, told Motherboard in a phone call...

The Google Play Store bars developers from impersonating other apps or making others that are deceptive, however. Google told Motherboard on Wednesday that the chat app is no longer available on the Play Store.

This discussion has been archived. No new comments can be posted.

Thousands of Users Unknowingly Joined Signal Because of a 12-Year-Old's App

Comments Filter:
  • Frightening (Score:1, Funny)

    by Anonymous Coward

    it can be relatively easy for someone to take the open source code of Signal and repurpose it for their own means, potentially misleading users about what they're actually downloading in the process.

    This "open source code" sounds like a scary thing. We should start a petition against it.

  • So Signal is open source, which is good. This 12 year old obviously got the source code, didn't even look it over, and repackaged it under a different name. Then he claims he didn't know he was making a clone?
    • 12 year old idiot?

      Yes, provided that you're 12 (seems likely).
      Maybe he just went all Picasso "great artist steal"?

    • by BAReFO0t ( 6240524 ) on Saturday January 16, 2021 @04:35PM (#60952848)

      Why do you call him an idiot?
      Of course he's afraid and sayig defensive things when clueless editors approach him as if it was some kind of bad thing to fork a freaking open source projec that is pen source for this precise reason.

      The kid's got more of a clue that that moron of a writer, who apparently never has even heard of back when messengers were merely clients for certain networks and protocols ... before the Ferengi introduced lock-in.

      Hell, WhatsApp itself is likely a clone of a bog standard open source XMPP client, but made closed source, ... where only push messaging via Google and pathetic trivially decryptable encryption (that only existed to keep other clients out) were the new "features".

      • by Kejiro ( 2803123 )

        Hell, WhatsApp itself is likely a clone of a bog standard open source XMPP client, but made closed source.

        Not that unlikely. For us that're old enough to remember the good ol' days can probably recollect that both Facebook Messenger and Google Talk used XMPP. Facebook doesn't use it anymore though (guess they didnt' really like the idea that anyone could use any client outside of their control), not sure about Google Talk, if it still exists at all.

        It is a nice protocol and cloning an already existing client lessens the development time so less moral companies might use that as a shortcut to release their own c

    • by quenda ( 644621 ) on Saturday January 16, 2021 @08:09PM (#60953420)

      This 12 year old obviously got the source code, didn't even look it over, and repackaged it under a different name.

      No, the 12yo did not do any coding. He is not even a script kiddie. I believe he used https://appsgeyser.com/ [appsgeyser.com] , which advertises:

      Make Android Apps in 5 minutes with free App Creator
      — Without any coding and fees

      "Create an app in 3 simple steps and you’ll be ready to monetise it in no time"

      • Yeah, I pointed this and the clock on the board scandals out and got a mod down on that.

        The clock scandal created some racial controversy when it happened, and it seems pointing out the fact that it was just a store bought clock whose innards were gutted and mounted on a board must mean I'm a racist. :-\

        This is the danger of "woke". It creates an illusion that the people it favors can do no wrong, and anybody who does point out any wrongdoing must be a raging bigot.

        • by quenda ( 644621 )

          The clock scandal created some racial controversy when it happened,

          Ahmed Mohamed. Wasn't that more religion than race? Supposedly a "Muslim has clock, it must be a bomb" thing?
          But yes, it is unfortunate when people bring race, class or religion into everything for no real reason.
          To me, that was just a story about a crazy over-reaction from school authorities, and being too stubborn to back down.
          Race/religion was irrelevant until the media got involved, and used that to make a bigger story.
          That was Texas, and he was Sudanese, so African as well as Muslim, which makes thing

  • by bill_mcgonigle ( 4333 ) * on Saturday January 16, 2021 @03:50PM (#60952714) Homepage Journal

    "I didn't know I cloned the Signal repo".

    OK, little dude.

    Not bad for a 12-yr-old, though!

  • by Knacklappen ( 526643 ) <knacklappen@gmx.net> on Saturday January 16, 2021 @03:50PM (#60952720) Journal
    I don't get it: the code is apparently Open Source. Someone forked it and compiled it into another app with a different name without referring to the source, which is bad but also not what the commotion is about. Come on, "potentially misleading users about what they're actually downloading in the process"?? You mean, like selling "Microsoft Lync" as "Microsoft Skype for Business"? Evil... (not).
    • Re: (Score:3, Insightful)

      by Dutch Gun ( 899105 )

      While nothing malicious was done, it very easily *could* have been malicious. It would have been pretty trivial to slightly modify the source code to shunt all decrypted communications off to a private server somewhere.

      Perhaps more worryingly, 10,000 people trusted a random chat app on the Play store without knowing a thing about the code or the author.

      Sure, on the grand scale of *things in the universe to worry about*, it ranks pretty low. But it's something to keep in the back of your mind, at least for

      • because people don't make illegal modified versions of closed sourced code and put them in app stores, or even sell whole modified closed source office suites?

        Nothing to do with access to source code, all your imagined evil stuff can and has been done with or without it, in Apple store and Google store and with bogus disks for sale of major products

      • by Luthair ( 847766 )
        Any application can be malicious, as this application was not trading on the name Signal this is a non-story.
      • "Perhaps more worryingly, 10,000 people trusted a random chat app on the Play store without knowing a thing about the code or the author"

        Heh, in an ideal world it would only be 10,000.

        I've lost track of the number of Windows machines I had to fix, that were loaded down with popups of scantly/no-clad ladies and useless toolbars, and taking 20 minutes to boot up because of all of the malware competing (and winning) against the OS for resources.

    • by idji ( 984038 )
      "Microsoft Lync"? isn't that the application whose executable is called communicator.exe in 2007 and didn't change it's name when they rebranded to Lync in 2010?
  • A 12 year old learned how to operate a compiler, changed a few strings and graphics assets, and suddenly he made an app clone, as if it was coded from scratch as a workalike.

    Still not as bad as a few years back when another kid took the workings out of a store bought clock, stuck them on a board, and claimed it was something he designed and built himself.

  • Being able to use their code base and customize it while also keeping interoperability is great. When I first checked Signal out I actually thought about redeploying the code as my own application so that I could then run the server myself. It would provide more control over meta-data stuff.

    I ultimately decided to just use the official Signal application itself but it's still tempting to want to run your own server for routing Signal communications.

  • by Forty Two Tenfold ( 1134125 ) on Saturday January 16, 2021 @04:12PM (#60952792)
    What's unsafe about unknowingly joining an encrypted network?
    Why does Signal network allow foreign apps to impersonate signal?
    Since Signal is GPL, where can I find the source code of the chat app derived from it?
    • Re: What's wrong? (Score:4, Insightful)

      by BAReFO0t ( 6240524 ) on Saturday January 16, 2021 @04:25PM (#60952820)

      Impersonate?

      It's like you kids cannot even comprehend the concept of a *protocol* and *network* with more than one client anymore.

      I wrote my own clone too, to fix a few small things that do not touch on its security. (Color selection, media file download chunk retry behavior, and a few things that are now in standard Signal too.)

    • Nothing except free or paid, theres no guarantee in what you get, and it shows app stores add little if any quality to the process.
    • Since Signal is GPL, where can I find the source code of the chat app derived from it?

      Except you kinda have no rights to the source until you download the app and accept its use under the terms of the GPL... until then, you are just an interested 3rd party looky-loo. Fortunately, the barrier to entry is really low... Of course, that also assumes the vendor of that chat app is following the terms of the GPL that he/she also agreed to.

      • If you choose to provide source through a written offer, then anybody who requests the source from you is entitled to receive it. If you commercially distribute binaries not accompanied with source code, the GPL says you must provide a written offer to distribute the source code later.

        GPL FAQ [gnu.org]

        Got it? Apologize and get lost.

      • Re:What's wrong? (Score:4, Insightful)

        by piojo ( 995934 ) on Saturday January 16, 2021 @10:12PM (#60953714)

        Except you kinda have no rights to the source until you download the app and accept its use under the terms of the GPL...

        The license takes effect when you distribute the software or a derivative work. Clicking "Okay" is probably irrelevant. The license becomes active because said distribution would be unlawful if not through the provisions of the license. If you distribute without following the license, you violate its copyright.

  • And the servers even support federation.

    No guarantees can be made when the clone's code is in an unknown state.
    You should be able to diff the code with the original version it's baed on though, and quickly see what few changes were made.
    I suspect for this app, this is managable for anyone who frequents Slashdot.

    • And the servers even support federation.

      No, it does not. Or rather the central server, which everyone uses, is not federated. The server code supports federation, or it used to (not sure it’s still in there), but it is effectively useless since you can’t federate with the one server with the userbase. If you want federation (and you should), use Matrix.

  • by Fly Swatter ( 30498 ) on Saturday January 16, 2021 @04:26PM (#60952824) Homepage
    I am of course speaking of 'investors' that bought the wrong stock after a single tweet by a car company representative. Robinhood for the luls.
  • by Wolfier ( 94144 ) on Saturday January 16, 2021 @04:32PM (#60952836)

    "Initially, my plan was to make an Indian made version of TikTok so people wouldn't have to use the Chinese version"

    Should have stuck to his original mission. That would be socially much more valuable than a Signal clone.

  • There are a lot of idiots out there, confirmed, theres little if any protection or security or warning about what exactly you get when you grab anything from any of the app stores.
  • Billions of people somehow 'joined' FB-Servers, because somebody who uses Whatsapp had them in their contacts.

  • Basically every open source Andriod app has dozens of clones on google play. Someone takes the source, changes the name, maybe puts in adverts, and sticks it on google play. Maybe they even sell it and try to use SOE and fake reviews to get it to show up before the original free version and get a few people to buy it. Or just get ad money or cryptocoin mining or something.

    This is only different than most because there was a service that the app was able to use, so someone other than the original user could

  • These are all plausible explanations, but at least 10,000 Signal users can be attributed to a 12-year-old kid in India who created a somewhat popular clone of the encrypted chat app.

    I knew it! Those 50 million members couldn't be legit!

"An idealist is one who, on noticing that a rose smells better than a cabbage, concludes that it will also make better soup." - H.L. Mencken

Working...