Signal vs Wire — binary analysis of both APKs (apktool, strings, ELF inspection).
The gap is larger than most people think:
Signal: Rust core (libsignal_jni.so), Kyber-1024 post-quantum hybrid ratchet, SQLCipher for at-rest encryption, SVR with Intel SGX attestation, IME_FLAG_NO_PERSONALIZED_LEARNING (keyboard can't index your messages), zero third-party trackers.
Wire: Kotlin/Ktor, no hardened native core (more accessible to Frida), no SQLCipher (messages extractable in plaintext on rooted devices), no post-quantum, Segment SDK for behavioural telemetry.
But the finding that surprised me most:
Wire APKs from unofficial stores (Uptodown et al.) contain additional tracking workers and ACCESS_SUPERUSER permission requests not present in the official build. Supply chain integrity is not a footnote — it's the threat model.
Conclusion: Signal is the only one of the two suitable for threat models involving physical or administrative device compromise.
Full paper coming soon.
#infosec #AndroidSecurity #Signal #Wire #ReverseEngineering #mobileforensics #supplychain #MASA
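As an added illustration of the supply-chain finding above (example code, not from the author's paper or tooling): a small script that diffs two apktool-decoded manifests, the official build against a third-party-store build, and reports extra permissions and components; both manifests and the com.thirdparty.tracker name are constructed sample data.

```python
"""Diff two apktool-decoded AndroidManifest.xml files (official store build vs an
unofficial-store build) and report what the unofficial build adds: permissions,
declared components, and any superuser/root request. Sample data is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Constructed watch-list: permissions a messenger should never request.
HIGH_RISK = {"android.permission.ACCESS_SUPERUSER"}

def manifest_inventory(xml_text):
    """Return (permissions, components) declared in a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    comps = set()
    app = root.find("application")
    if app is not None:
        for tag in ("service", "receiver", "activity", "provider"):
            for e in app.iter(tag):
                comps.add((tag, e.get(ANDROID_NS + "name")))
    return perms, comps

def diff_builds(official_xml, unofficial_xml):
    """Everything the unofficial build declares that the official one does not."""
    off_p, off_c = manifest_inventory(official_xml)
    un_p, un_c = manifest_inventory(unofficial_xml)
    added_perms = sorted(un_p - off_p)
    return {
        "added_permissions": added_perms,
        "added_components": sorted(un_c - off_c),
        "high_risk": sorted(set(added_perms) & HIGH_RISK),
    }

# Constructed manifests: same app, two distribution channels.
OFFICIAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name="com.example.messenger.SyncService"/>
  </application>
</manifest>"""
UNOFFICIAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_SUPERUSER"/>
  <application>
    <service android:name="com.example.messenger.SyncService"/>
    <service android:name="com.thirdparty.tracker.UploadWorker"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(diff_builds(OFFICIAL, UNOFFICIAL))
```

This catches manifest-declared services and receivers; workers registered only in code need a dex class-list diff, and the signing certificate of each build should be compared separately.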
Releasing #GAMA — Greyware Analysis and Mitigation Approach.
Not a malware scanner. Not a clean-room tool. Built specifically for the grey area: apps that aren't malicious but collect, exfiltrate, and evade in ways users never agreed to.
4 open source tools:
• gama-intel — automated static analysis pipeline, STIX 2.1 output
• gama-framework — interactive analyst workspace, 7-phase methodology
• gama-deep — three-channel MLP anomaly scoring (static + smali + network), no CUDA required
• gama-community — shared confirmed findings DB (coming soon)
First confirmed finding: CENT-2026-001 — Mintegral MBridge SDK.
https://gama.centurialabs.pl
https://github.com/psychomad/gama
#Android #greyware #mobileforensics #infosec #malwareanalysis #threatintel #OSINT