It is executed to test the presence of the Google Play Services on the phone when the app is launched.
Then, it's probably not risky, but it is still proprietary code that you can't inspect and verify. You can't easily know if the library will not silently do something. If you are seeking to avoid running any proprietary code, then it's something you want to avoid.
Right, but you were talking about "even if you don't have the Play Services on your phone", which is what I'm worried about - but OK, if it's just because there's a chance it might be running, then I'm not too afraid of that.
At the risk of laboring the point, I'm talking about the piece of code embedded in the Signal application, that tries to talk to the Play Services. Not the Play Services themselves. This piece of code is definitely running whenever Signal is launched, "even if you don't have the Play Services on your phone". It probably does nothing significant when the Play Services are not present but still, it's there and (a small) part of it runs.
Now you have several options:
- you trust Google and trust this code not to do anything when the Play Services are not running
- you don't trust Google on this, but you don't care neither
- you don't trust Google and care, but you are willing to take the risk
- you don't trust Google and care, and are worried, or are not willing to run any proprietary code out of principle: you need to adapt Signal's code or dish the app entirely
> It probably does nothing significant when the Play Services are not present
Right, that's the part I care about. I think there are two possible situations:
- Signal's own open source code can detect the absence of Play Services and not call out to Google's proprietary code in the first place. Great, no problem there.
- Google's proprietary code attempts to use Play Services and doesn't do anything when it's not present. In that case I do indeed trust Google enough that I wouldn't expect it to actually do anything else, i.e. the first option you mention.
