IronJumbo68 @ IronJumbo @lemmy.world Posts 3Comments 5Joined 11 mo. ago
Thanks Evgeny for your explanation and time (I'm sure we all appreciate it). But you didn't say directly and specifically - does the app make these connections to Google servers?
I hope @epoberezkin@lemmy.ml will dispel our doubts or a member of the Simplex.chat team :(
It's not about whether the application communicates with these addresses or not. It's about the fundamental question: why are these addresses even encoded in the code of a VERY privacy-sensitive application?
My friend, in every answer you push F-Droid as a cure for all evil. There is no perfect store, F-Droid also has its problems (I wrote about it above). I am not an enemy of F-Droid (I also use it sometimes), but I will repeat: F-Droid control is insufficient (it's security theater - it's not a full audit of the source code).
When installing from Github you only trust the developer and their signed certificate key.
When installing from F-Droid you additionally also have to trust the F-Droid developer's signature.
Besides that F-droid has its own problems:
https://privsec.dev/posts/android/f-droid-security-issues/
I don't use F-Droid. I use Obtainium and additionally check signatures in AppVerifier.
From official Github https://github.com/simplex-chat/simplex-chat/releases
