
My main concern with GCM is that it's unavailable on fully open OS builds, so requiring it compromises the security of the device as a whole, rather than Signal in particular.



That's one of several things that are reasonable not to love about Signal. Criticism intended to urge Open Whisper Systems into changing their Signal policies is reasonable. A statement that someone would recommend less secure messaging solutions to investigative journalists is another --- something I find much harder to be supportive of.


There are alternatives with comparable or better security, but they tend to have other flaws. Most of the alternatives including Wire and Riot ALSO depend on GCM, otherwise they either lack push or force ridiculously bad battery life. They also have bad UX since they don't ask the user for a battery optimization exception permission, so the user would have to somehow know it's required or they'll break after a while in the background.

Conversations / OMEMO is a great Android messaging client, but it's ONLY available for Android and a desktop client (Gajim OMEMO plugin). It can use OTR (which it marks as less secure) but there isn't even a decent iOS OTR client anyway. ChatSecure iOS will probably get OMEMO and push support along with becoming a more decent client but it's going slowly. Until that happens, Conversations is problematic because there isn't a decent way to talk to iOS users.


Nobody is saying Signal has less secure cryptography than others. But being able to run it in CopperheadOS without loading microg would make the whole setup much more secure. And one cannot dissociate both things.


What confuses me about the post is that the author does not make it clear if he recommends that journalists run CopperheadOS. It sounds like he does not recommend this, but rather opposes Signal's dependency on Play on general principles.

But if his journalists are using Android or iOS anyway, there's no practical advantage in Signal not depending on GCM or the Play Store, and some real disadvantages (like less secure updates). So the whole complaint seems rather contrived to me.

(I would contest the claim that running a massive, not-practically-auditable open source OS is actually any more secure than running iOS or Android+Play Services, but whatever.)


The point of CopperheadOS is not that it lacks Play Services... and Play does not provide more secure updates than an app store like F-Droid. In fact, Play abuses system privileges to bypass the signature system used by Android. It will happily clobber an app with another with a different signature. It moves all the security checks for that into the cloud... completely bypassing the standard trust-on-first-use signature system. Official builds of Signal could be hosted via an F-Droid repository, although there's no point when it depends on Play.


My point was that there's no real merit to the complaint that Signal requires Play Services if you're going to use an OS with Play Services installed anyway. One can reasonably argue that Signal should work on non-Play Androids, but since his target audience is non-technical users, it seems likely that they are all using (and are more secure using!) off-the-shelf iOS or Android phones, which implies a significant reliance on your vendor anyway.

Do you have any pointers on how Play bypasses local signature verification? I'm surprised about that.


> it seems likely that they are all using (and are more secure using!) off-the-shelf iOS or Android phones

In what sense are they more secure using stock Android than CopperheadOS? They wouldn't be installing it themselves either way. It's a product available for purchase too... have you done any research into what it is before making claims about it?

> Do you have any pointers on how Play bypasses local signature verification? I'm surprised about that.

Play contains a bunch of privileged / platform signature apps. They don't follow the regular permission rules. An unprivileged app not signed with the platform key cannot do automatic upgrades and counts as an unknown source. The Play Store chooses to bypass the trust-on-first-use signature checks of the package manager too. Upgrading apps via F-Droid or manually will perform the signature checks, but the Play Store does not. Try installing an app from F-Droid on a phone with Play, and note how Play will happily clobber it with an update signed with a different key. On the other hand, F-Droid won't do that even if you sign it with the platform key as CopperheadOS does to mark it as an unknown party source.


GCM is available on fully open OS builds. The microG project implements a fully open stand-in for GCM.


There are no fully open OS builds that are Android.

OsmocomBB is the closest we've ever gotten.


Use iOS


Parent is concerned about one part of their OS not being open-source. iOS is closed-source.



