tl;dr: this is stupid.<p>People seem to love analyzing security of tiny corners of systems while ignoring the rest of the system, and entirely avoiding figuring out a scope for the security.<p>The post complains about Signal using a Google service, that Google could utilize (either now or through an update) for malicious activity. A Google service that without a fair share of poking around is only available on <i>Google</i> versions of Android. I mean, <i>what</i>.<p>While this is a more serious problem than the usual whine about GCM (Yes, notifications can give a lot of info, but in case of Signal, the info given is "You received something from some Signal user while you were offline"), it is still amazing how blind the analysis seem to the environment. If you cannot trust Google to provide a "non-evil" Google play services, why the flying fuck do you think the Google-provided (or manufacturer-under-tight-google-control-provided) OS is fine? They could backdoor the process isolation and poke around at Signal memory if they felt like it.<p>Now, if you are security conscious and willing to let go of the conveniences of selling your soul to Google, you would be running a non-Google'd version of Android without Google services. Your only valid complaint in this case, is that Signal depends on Google services to operate, which makes you unable to use it (without hacking Google back into your Android version, but if you do that you might just as well stick to a Google version).<p>Oh, and what about the black box binary drivers you are using on your super-secure handset? Baseband? CPU (ME anyone?)? SIM card?<p>Before you talk about security, figure out what you are trying to protect against, and start from the top. You look like an idiot if you complain about breakable windows but do not notice that the door is open.