Tell HN: iOS Signal eats your disk space
Signal on iOS will not free up any disk space when you delete chats or media. You cannot see or clear usage in the app or in iOS settings. There’s a potential security problem where your data is not actually being deleted when you delete chats.
We are having no luck getting the Signal team to acknowledge the issue. The ticket was automatically closed despite activity.
https://github.com/signalapp/Signal-iOS/issues/4916
1. Be aware that a large portion of your storage space might be stolen by Signal.
2. Be aware that this might be a significant security flaw.
3. If anyone can get Signal to pay attention rather than closing repeated tickets as stale, that would be great.
62 comments
[ 3.4 ms ] story [ 112 ms ] threadI _get_ that I don’t have any right to free maintenance, but the stale bot paints some veneer of process around a maintainer thinking “issue looks hard, doesn’t affect me, so I don’t care”. I would just so much prefer them to be honest and just say that rather than passive-aggressively send me emails every 30 days warning that my issue is becoming stale or whatever.
This sort of "ADHD-driven development" that heavily biases towards novelty and ease over quality and stability is a real problem with a lot of software today.
I respect that a developer doesn't have to fix an issue I report, but it's only fair that the time I spent on gathering information and reporting the issue is respected. It should be triaged, valid reports should be marked as such and if it's never gonna be dealt with then it should be closed.
Not some kind of software development equivalent of stringing someone along as a side b***ch.
Side blotch? Side bleach?
It's disrespectful to the reporters' time and effort to keep pestering them with an inane bot. It doesn't fix the issues reported. It just makes the bot owner feel good that they have fewer tickets open.
If you want guaranteed deletion (modulo screenshots), you should probably use timed/self-destructing messages. That’s what they’re there for.
Meanwhile it causes issues just like this, not to mention broken integration with every audio/gallery/video app on the device.
Do you not think there are other, much less violent, ways for someone to read an unencrypted database on a phone?
Just to clarify on this, I had been thinking that the user had to opt into full disk encryption on iOS, does it come enabled by default?
> (unless the app itself has to be separately unlocked each time you use it--to prevent this key from being stored on disk--which I don't think is true of Signal? or, if it is, is not how that user is clearly using it)
At least for the way I use Signal on iOS, the screen can lock and be unlocked by Face ID, but yes, no separate key I have to enter to unlock the SQLCipher database.
So yeah, maybe it doesn't add too much to the current implementation, especially if files are encrypted by default by iOS. If not, then I can see the benefit in adding the "well the device isn't encrypted but at least the Signal files are."
For my case, it was more like this:
> or putting passwords on specific files; which, of course, fits perfectly with sqlite being used as an app-specific file format, but that definitely isn't the case for here.
I built an app for micro-journaling about how I was feeling and I wanted it to be super private, so, at the time, it was local-only and stored the data in a SQLCipher database. The user had to enter a password each time to enter the app and unlock the database, AFAIK, I coded it so the password wasn't stored anywhere.
Yes, the idea was defense in depth, maybe too intense at the time and maybe even less necessary now that more phones seem to have full encryption than they did in 2012-14 when I was making this.
Anyway, I'm grateful for your insight—thank you!
Full disk encryption (called Data Protection on iOS) is enabled as long as a passcode is set. This has been the case since what, iOS 4?
The application can chose per file:
* Encrypted when locked: NSFileProtectionComplete
* Encrypted until first unlock: NSFileProtectionCompleteUntilFirstUserAuthentication
* Encrypted unless used by the applications background tasks: NSFileProtectionCompleteUnlessOpen
I think the keys used for file encryption are unique per application and then again per file, but I didn’t find information on this.
[1]: https://en.wikipedia.org/wiki/Signal_Foundation
2. If deleted data not being purged from your iOS device is a "significant security flaw" then you shouldn't be using a device from Apple or Google; your threat model is way beyond the two big players.
3. Hyperbolic comments[1] don't help issues being re-opened. Helpful comments, preferably with steps to reproduce, and a polite note that the issue is still current, will get the issue re-opened in my experience. Getting on your high horse and making silly claims would get you put to the bottom of the pile if it were my job.
[1] https://github.com/signalapp/Signal-iOS/issues/4916#issuecom...
When has it ever worked?
* I've reported NullPointerExceptions with stack traces, stale bot comes to close.
* I've reported Signal fatally corrupting its DB and losing all its data [1], stale bot comes to close.
Few things are more frustrating than investing your free time, and then finding an automated system pitted against you.
[1]: https://news.ycombinator.com/item?id=26841134, https://github.com/signalapp/Signal-Android/issues/11160#iss...
https://forum.f-droid.org/t/we-can-include-signal-in-f-droid...
When a new version is released, the Signal app notifies you.
The first issue was only closed two days ago and presumably it'll be reopened since it's effectively by design. The second issue you linked was not closed at all, and in fact looks to be been acknowledged. I don't like to nit pick but this just proves that the statement is indeed hyperbole: the Signal devs are paying attention, tickets aren't always closed and when they are closed I almost always see them re-opened.
The only reason it's not closed is because I kept replying!
Had I not succumbed to the bot, it would have likely been closed before the acknowledgement, and never been looked at again.
I disagree strongly. It’s not up to us — as designers and developers and maintainers of software — to decide how users engage with us. If they engage at all they are doing us a favor.
Tone-policing user bug reports is a nasty anti-pattern, a predictable way to make your software more user-hostile. Unless they degenerate into outright abuse, which is obviously unacceptable (and this does not), we should separate tone from content and see if the content is useful. A substantive response to the content, ignoring the tone, is usually the best practice.
[1]: https://www.independent.co.uk/news/world/europe/ukraine-mosc...
There isn’t any excuse left from that $60M in funding to fix these issues is there?
Maybe they were too busy integrating a scam private cryptocurrency over fixing these bugs.
I'm not even an active signal user, I only have a few friends on there, I can only imagine what it's like for someone who uses signal as their only chat app, it must get crazy.
Disappearing messages (4 weeks etc.) help mitigate the problem a little bit from what I've noticed but it's nowhere near a complete solution.
The fact that there’s no way to view individual files that have been sent to/from me (+ their sizes) and remove them—like there is for messages.app in macOS—makes troubleshooting even harder here.
I will admit though that I haven’t looked too far into the problem but it’s seems to be an issue that just about every signal user I know deals with.
https://news.ycombinator.com/item?id=28998374
Signal is open source, maybe somebody can go in and fix it if there is a problem. I suppose if someone’s extremely paranoid they could just simply delete the app and reinstall. Though Signal does do some strange replication of data I have never understood, because I’ve installed it on a laptop and saw it pull down a bunch of chat history that I thought I had deleted, but still couldn’t see in the app.