Best Whatsapp alternative? (Help needed!)

Many thanks for this,

Would I need to install Flatpak first and then Telegram?

I haven't done anything major with my XA2 apart from flash it and add SFOS and that was me seriously pushing my limits! :smile:

It is OT because I wanted to ask avais101; I chose the wrong reply button, it seems.

“the question is more than imprecise.”

Is it?

I asked for a guide on installing either Telegram or Signal and asked if there were any other alternatives I should consider?

Why, do you want to add me? :rofl:

Hi

Just wanted to say thanks for all the helpful replies, it's a great show of strength of the Jolla community!

Is it just a simple case of installing via the Android Store through my phone? The Store currently shows Telegram (V 7.3.1) and Signal (5.2.3).

Also, where can I find Whisperfish?

For info, I’m running OS3.4 with Android App Support switched on

Thanks again all

It’s in the openrepos store. You need to install the Storeman app from
https://openrepos.net/content/osetr/storeman
and then you can search for Whisperfish.

1 Like

Cheers

I have added Storeman to my phone (can't believe how much stuff there is in there!)

Thanks again

4 Likes

As I mentioned often:
- You need (a lot of) trust in Threema; Switzerland has laws and I think they have a backdoor
- You need to trust your GSM baseband
- Authorities use screen recording to spy via closed display drivers (Israel and ‘Bundestrojaner’)

Signal leaves metadata at AWS, Google, Cloudflare etc:

- Sender and receiver IP address
- Ports
- Sequence number
- Control flags
- Size of package data
- Time of connections
- […]

No GSM device is secure.
None of the consumer hardware available at this point is secure (almost: there IS very expensive open hardware available).

You could have a look at: securemessagingapps.com

Most privacy aware people flock to Signal, but there are other good options too: Wire messenger is encrypted by default, has a beautiful design, open source, yet saves a few logs. Jurisdiction in Europe. No phone number needed and available without Google.
Threema is now open source too, well encrypted, jurisdiction in EU. A problem for Jolla users is that you have to pay once for the app.
Telegram is popular and since it is in Jolla store (Fernschreiber) it is probably safer than the original app, although not encrypted by default.
Depends upon what you intend to do with it.
We use Wire and Telegram.
The German government uses Wire officially now. For business and organisations it is paid, for individuals it is free.
Does anyone know what the business model of Telegram and Signal is?

1 Like

No, if you want to use Telegram, installing Fernschreiber from Jolla store will do.

Just search in browser: securemessagingapps.com and you will find a thorough comparison of most existing chat apps.

1 Like

You can pay for Threema directly on their website, you do not need Google Play Store for that. If I remember correctly it is even possible by using bitcoin, so you can buy it without revealing your identity.

Nice, this will help some

It’s better to download from official venues if possible. As Google Play Store isn’t available, you can download apk of both apps from their official website:

Signal: https://signal.org/android/apk/

Telegram: https://telegram.org/apps

The Android store you get on Jolla is Aptoide, which isn’t the safest (official apk, F-Droid or Aurora Store are better).

1 Like
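A check worth running on a desktop after downloading an APK directly, as the post above suggests (added example, not part of the original posts): it pins the APK's signer certificate to the fingerprint the vendor publishes. It assumes `apksigner` from the Android SDK build-tools and its `--print-certs` line format; the function names and the fingerprint in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: compare an APK's signer certificate with a published fingerprint.
# Assumes `apksigner verify --print-certs` prints lines of the form
# "Signer #N certificate SHA-256 digest: <hex>".

# Normalise a fingerprint: strip colons/whitespace, lowercase the hex.
norm_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'A-F' 'a-f'
}

# Read apksigner output on stdin, print one SHA-256 signer digest per line.
signer_digests() {
    sed -n 's/^Signer #[0-9]* certificate SHA-256 digest: *//p'
}

# check_signer EXPECTED_FP   (apksigner output on stdin)
# 0 = exactly one signer and it matches; 1 = mismatch; 2 = zero or several signers.
check_signer() {
    expected=$(norm_fp "$1")
    digests=$(signer_digests)
    count=$(printf '%s\n' "$digests" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "refusing: expected exactly 1 signer, found $count" >&2
        return 2
    fi
    if [ "$(norm_fp "$digests")" != "$expected" ]; then
        echo "MISMATCH: APK is signed by $digests" >&2
        return 1
    fi
    echo "signer certificate matches"
}

# verify_apk FILE EXPECTED_FP: apksigner validates the signature itself first
# (non-zero exit on a broken signature), then the signer is pinned.
verify_apk() {
    out=$(apksigner verify --print-certs "$1") || return 3
    printf '%s\n' "$out" | check_signer "$2"
}

# Usage (placeholder fingerprint; copy the real one from the vendor's download page):
#   verify_apk Signal.apk "AA:BB:...:FF"
```

Upper-case, colon-separated fingerprints are accepted as well as plain lower-case hex, since vendors and tools differ in how they print them.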

In this discussion, what does ‘best’ mean?

Is it ‘more convenient’ or ‘more secure’?

Whatsapp does not match any of those indeed. It is said to be secure, but we don’t know that (because it is not open). So first things first, why do we need an open client?

An OSS client is definitely more secure, because you (or somebody else) can check the encryption algorithms. Telegram, Signal and other decentralized systems mentioned above check this box.

What about the server? Does it need to be open/decentralized?
An OSS decentralized server secures you even more from leaking metadata (who are you talking with). So this is desirable.
But not that practical, since you would only NOT leak metadata if you and your party use a self hosted server.

Telegram has a closed source server. They will start to add monetizing through ad-shared revenue in groups (if the group wants to run ads). By default the discussions are cloud stored, so available on multiple devices (and we have 5+ clients on Sailfish OS), but they have Secure chats for E2E encryption. Knowing the protocol is open, this is enough: NO NEED TO CONTROL THE SERVER to check this.
Convenience? Use it from any device for cloud chats, only from the originating device for Secure chats.

Whatsapp is out of the question, we don’t know if it’s secure and the server is closed too.
Convenience? You have to have the phone powered to decrypt messages, as it's the only point of truth (in theory, since it’s not open - we don’t know).

Signal is deemed to be the reference implementation of the protocol WhatsApp uses, has open server and open client but no federation with own servers (meaning: it still leaks metadata. Plus, would any Signal client connect to WhatsApp? Your guess why not).
Convenience? You have to have the phone powered to decrypt messages, as it's the only point of truth.

The real option: decentralized servers where you have your own one (many mentioned above).
You will not leak metadata, chats, anything if you only use your server.
Convenience? Your call.

(oh… the times where facebook messenger and google talk and even whatsapp used to be just xmpp implementations… good lord)

No, there was a funny article about Facebook users shifting from WhatsApp to Signal, that's all
:slight_smile:

That’s incorrect, you can sign up to Signal using your phone, connect it to Signal Desktop (or to (another) instance of Whisperfish soon™), throw away your phone and Signal Desktop will continue to work. Contrary to the way Whatsapp does it, Signal simply adds new devices to the list of trusted devices messages need to be encrypted to and from. This is also contrary to the way Telegram does it, because as far as I understand it’s impossible to have an encrypted conversation on Telegram with more than one device - you’d need to have a separate conversation per device, which is ridiculous in this day and age.

There was a short period when contacts import worked. I had also the desktop version and even after the change in Signal’s mobile app the desktop client worked without problems.

Hach… I really like Telegram for usability. But it's a trade-off between security and usability. And Signal wins.

Thanks for checking my assumptions, I was not aware of this, I just assumed it is a limitation of an E2E implementation you have to live with (Whatsapp and Telegram were clear to me how they implement this).

Do you have any info on how this works? Sounds like E3E or EnE to me (multiple Ends to multiple Ends encryption). How would one know how many ‘trusted devices’ there are and prevent a third party from adding one?

The encryption is indeed multi-end to multi-end, though with an artificial limit to the amount of ‘ends’ as each ‘end’ inflates the size of the encrypted content. The encryption protocol itself is far too complex for my understanding, but as a user you can link up to five secondary devices (officially, this means five instances of Signal Desktop, but unofficially and theoretically you can do whatever you want), and if you no longer trust one of those devices, you can remove them again and those devices will lose access to your messages. The only one who can add a new secondary device (or remove one) is the person in charge of the primary device. I’m not sure if that’s because it’s required by the encryption protocol, or if it’s because it’s a design choice in Signal.

The protocol Signal uses was also adapted to be used with XMPP, and dubbed ‘OMEMO’.

1 Like