[whispersystems] several identities
"Matej Kovacic" (via whispersystems Mailing List)
2016-12-11 20:34:15 UTC
Hi,

I am thinking that it would be nice to have the ability to have support
for several identities in Signal. You can have a mobile phone with two
SIM cards or you can change your SIM card after you registered to
Signal... so I think it might be a useful feature.

What is your opinion about that?

Regards,

M.
--
PGP Fingerprint: 3B74 637D 8409 53F9 A704 F27C BEA5 286D A9CF 4A88
PGP Key:
https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xBEA5286DA9CF4A88
Personal blog: https://pravokator.si
"Matej Kovacic" (via whispersystems Mailing List)
2016-12-12 21:54:32 UTC
Hi,

I tried to play around with "multiple" signal identities on the same phone.

I tested two approaches and found some very weird behaviour of Signal,
especially in second case. Please, see below.

APPROACH 1
==========
First, I tried to add another user under Settings. Under that user I
registered Google Play and installed Signal. In Signal I registered my
other telephone number.

Now I can send messages between my main user and this new user, but the
other user is not getting notifications until it is logged into his account.

Here I have noticed quite strange behavior of Signal. In second user
account I did not have Signal lock enabled, but on my main account I
have encrypted storage and Signal lock, however password should be
cached for quite long time.

After I installed Signal on the other user account and switched back to
my main identity, the password was immediately expired. I needed to
enter it each time I switched identities... It seems a possible bug to
me, because profiles should be completely separated.

Anyway, this approach is not a good solution for me, because you cannot
get notifications for both accounts at the same time.

However, then I tried something else and found some other possible bugs...


APPROACH 2
==========
I tried to use Test DPC:
https://play.google.com/store/apps/details?id=com.afwsamples.testdpc

It is a testing device policy controller for Android for Work. It
creates a "work profile", but you can have work apps on your main screen
(the icons are the same, except they contain a small briefcase), GCM
works normally and notifications also work normally (i.e. you do not
need to be logged into another profile to get notification).

I installed it and under its settings enabled Play Store (Enable System
apps - Google Play Store).

I registered new Google account and installed Signal.

In Signal I registered my other telephone number.

For that I needed to add 3 custom firewall rules to AFWall:

iptables -A afwall -m owner --uid-owner 1110079 -j ACCEPT
iptables -A afwall -m owner --uid-owner 1110014 -j ACCEPT
iptables -A afwall -m owner --uid-owner 1110013 -j ACCEPT

I am stressing this, because AFWall (and DroidWall also) cannot see
these apps and these UIDs... but you can figure them out through log
file. The first UID is Signal's, the second for Google Play and the
third Google account verification.

BTW: I reinstalled Test DPC, and after reinstall, the applications got
new UIDs (1210079, 1210014, 1210013)... Weird, but not really important
here.

BTW, you can remove Test DPC under Settings, Accounts and from Play
Store - if you want to remove it completely...

Anyway.

Then I tried to send a Signal message to my new Signal number, and it
actually works. Well, sort of...

I can get notification about new message, I can also see the
notification, but when I want to see the actual message inside Signal,
it just crashes.

It also crashes when I try to add a new number to start conversation
with... So it is not really working. It is also not working if I disable
firewall completely...

Also, Orbot can see only one instance of a Signal in that case (in case
you want to "torrify" Signal communications)... I suspect this is the
same problem as with AFWall.


Anyway, this also seems like a possible bug. Test DPC is intended to test
how the application will behave in a managed context. It seems Signal
behaves strangely. Maybe this needs some attention if you want Signal to be
compatible with Android for Work...

Regards,
M.
--
PGP Fingerprint: 3B74 637D 8409 53F9 A704 F27C BEA5 286D A9CF 4A88
PGP Key:
https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xBEA5286DA9CF4A88
Personal blog: https://pravokator.si
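
The UIDs quoted in the message above fit Android's multi-user layout, uid = user_id * 100000 + app_id, so 1110079 and 1210079 are the same app ID (10079) in profiles 11 and 12. The script below is an added example, not part of the original post: it pulls UIDs out of firewall log lines, decodes them, and prints owner-match rules for a recreated profile. The function names and log lines are constructed for illustration.

```shell
#!/bin/sh
# Android multi-user UID layout: uid = user_id * 100000 + app_id
# (100000 is AOSP's UserHandle.PER_USER_RANGE).
PER_USER_RANGE=100000

uid_user()    { echo $(( $1 / $PER_USER_RANGE )); }       # profile (user) id
uid_appid()   { echo $(( $1 % $PER_USER_RANGE )); }       # per-app id, stable across profiles
profile_uid() { echo $(( $1 * $PER_USER_RANGE + $2 )); }  # args: user_id app_id

# Extract distinct UID= values from netfilter LOG lines (LOG target with --log-uid).
blocked_uids() { grep -o 'UID=[0-9][0-9]*' | cut -d= -f2 | sort -un; }

# Print (never apply) an owner-match rule in the form used in the post.
afwall_rule() { echo "iptables -A afwall -m owner --uid-owner $1 -j ACCEPT"; }

# Re-target rules to another profile: keep each app_id, swap the user_id.
# args: new_user_id; UIDs are read from stdin, one per line.
retarget() {
    while read -r uid; do
        afwall_rule "$(profile_uid "$1" "$(uid_appid "$uid")")"
    done
}

# Constructed sample log lines (addresses are documentation ranges).
SAMPLE_LOG='IN= OUT=wlan0 SRC=192.0.2.23 DST=203.0.113.10 PROTO=TCP SPT=40112 DPT=443 UID=1110079 GID=1110079
IN= OUT=wlan0 SRC=192.0.2.23 DST=203.0.113.11 PROTO=TCP SPT=40113 DPT=443 UID=1110014 GID=1110014
IN= OUT=wlan0 SRC=192.0.2.23 DST=203.0.113.12 PROTO=TCP SPT=40114 DPT=443 UID=1110013 GID=1110013
IN= OUT=wlan0 SRC=192.0.2.23 DST=203.0.113.10 PROTO=TCP SPT=40115 DPT=443 UID=1110079 GID=1110079'

# Decode every UID seen in the log.
printf '%s\n' "$SAMPLE_LOG" | blocked_uids | while read -r uid; do
    echo "uid=$uid user=$(uid_user "$uid") app_id=$(uid_appid "$uid")"
done

# Rules for the same three apps after the profile is recreated as user 12.
printf '%s\n' "$SAMPLE_LOG" | blocked_uids | retarget 12
```

Rules keyed on a full UID stop matching once the profile is removed and recreated under a new user ID, so they need to be regenerated from the app IDs each time.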
Noir
2016-12-13 13:21:03 UTC
Hi Matej,

regarding #1: The fact that you don't get notifications for other users sounds pretty much like intended behavior. That's the whole purpose of a multi user system. If a user could see any private data of other users, the system would be broken.

Overall, your attempts are workarounds for a broken architecture. There's no reason why a user must be identified by its telephone number and that a user can only have one identifier. It's just for convenience. I really hope that OWS will fix this instead of mitigating these issues you found.

Cheers
Noir