How to check the Signing Certificate on an Android app / apk.

Thursday, January 3rd, 2019

If you own an Android phone and want to use Signal instead of WhatsApp or Telegram for privacy reasons, and, for the same reasons, you don’t have a Google account on your phone, or you don’t use Google Play but the free F-Droid, there is a solution. You can download the Signal APK from their website:

They give a warning:

Advanced users with special needs can download the Signal APK directly. Most users should not do this under normal circumstances.

What are normal circumstances these days? You can’t trust Facebook anymore, maybe you can trust Google, but you don’t wanna trust Google, because trusting Google is telling Google where you are, what you do, what you say, what and who you see and who your friends are.

It’s not a matter of trust, it’s a matter of privacy and decency that you don’t do that.

So downloading the Signal APK is probably what you should do these days. But how to be sure you download the real one?

The website tells you to verify that the signing certificate on the APK matches this SHA256 fingerprint. Unfortunately, they don’t tell you how to do that.

Verify the signing certificate on the Signal APK.

This one-liner will show you the SHA256 Fingerprint that has to be checked:

unzip -p Signal-website-release-4.31.6.apk META-INF/SIGNAL_S.RSA > /tmp/tmp.cert ; keytool -printcert -file /tmp/tmp.cert

You get this output:

Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Issuer: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Serial number: 4bfbebba
Valid from: Tue May 25 17:24:42 CEST 2010 until: Tue May 16 17:24:42 CEST 2045
Certificate fingerprints:
SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74
SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: RSA (1024)
Version: 3

As you can see, the SHA256 is the same fingerprint as on the Signal download page.

It’s verified. The Signal apk is safe to use now.
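
A scripted version of the check above, as an added example that is not from the original post: it compares the fingerprint automatically instead of by eye. When apksigner (from the Android SDK build-tools, assumed to be installed) is available, it also verifies that the certificate really signed the APK contents, which keytool -printcert alone does not check. The function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): scripted APK certificate check.

# Strip colons/whitespace and lowercase: "29:F3:..." and "29f3..." compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'A-F' 'a-f'
}

# Print the first certificate SHA-256 found on stdin. Understands keytool
# ("SHA256: 29:F3:...") and apksigner ("Signer #1 certificate SHA-256 digest: 29f3...").
extract_sha256() {
    sed -n \
        -e 's/^[[:space:]]*SHA256:[[:space:]]*\([0-9A-Fa-f:]*\).*$/\1/p' \
        -e 's/^Signer #[0-9]* certificate SHA-256 digest:[[:space:]]*\([0-9A-Fa-f]*\).*$/\1/p' |
        head -n 1
}

# True only for two equal, complete (64 hex digit) fingerprints, so an empty
# result from a failed extraction can never count as a match.
fp_equal() {
    a=$(normalize_fp "$1"); b=$(normalize_fp "$2")
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# Print the signing certificate's SHA-256 for APK $1.
# With apksigner the signature over the APK contents is verified first; the
# keytool fallback (the post's method) only prints the certificate stored in
# entry $2 (default: the entry name used in the post).
apk_cert_sha256() {
    if command -v apksigner >/dev/null 2>&1; then
        out=$(apksigner verify --print-certs "$1") || return 1
    else
        out=$(unzip -p "$1" "${2:-META-INF/SIGNAL_S.RSA}" | keytool -printcert) || return 1
    fi
    printf '%s\n' "$out" | extract_sha256
}

# Usage (hypothetical script name): sh check-apk.sh FILE.apk PUBLISHED_FINGERPRINT
if [ "$#" -ge 2 ]; then
    actual=$(apk_cert_sha256 "$1" "$3") || { echo "cannot read signature" >&2; exit 2; }
    if fp_equal "$actual" "$2"; then
        echo "OK: $actual"
    else
        echo "MISMATCH: APK is signed with $actual" >&2
        exit 1
    fi
fi
```

Take the published fingerprint from the download page itself, fetched over HTTPS, and pass it as the second argument; a non-zero exit status means the APK should not be installed.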

Microsoft’s acquisition of Skype is not about Skype but about user data of the Android and iPhone platform

Sunday, May 15th, 2011

With the acquisition of Skype, Microsoft pays a huge amount of dollars, probably not so much for the proprietary technology of Skype as for the user data of Skype users.

And user data is the holy grail for advertising. A lot of phone carriers worry about the availability of Skype on smartphones lowering their gains and costing them turnover; they can’t compensate for that with the tariffs for mobile internet.

Phone carriers are becoming mobile internet providers, nothing more, and if they try to exploit that, they take the risk of being out of the game.

Most smartphone traffic is geo-tagged and gives valuable info about users, their location and WIFI networks. Actually, location services work faster by analysing WIFI data than with GPS. Google Streetview wasn’t only for the photos; the funny-looking camera cars did something more important: collecting data about WIFI networks. The photos add to the internet experience, the WIFI networks to the advertising opportunities of Google.

Skype will give Microsoft access to this invaluable data of the Android and iPhone mobile platforms. Together with the Nokia deal, that’s worth something. The future will show if Microsoft can build a stronghold in the mobile markets with all these investments. Advertising offers better earning opportunities than selling proprietary software, especially in the cloud area.

