This is a year-old paper but now there is an easy-to-use implementation of the attack: https://github.com/gommzystudio/device-activity-tracker
Signal developers’ verdict is WONTFIX: https://github.com/signalapp/Signal-Android/pull/14463
This is a year-old paper but now there is an easy-to-use implementation of the attack: https://github.com/gommzystudio/device-activity-tracker
Signal developers’ verdict is WONTFIX: https://github.com/signalapp/Signal-Android/pull/14463
The setting to mitigate this attack (so that only people who know your username can do it, instead of anybody who knows your number) is called Who Can Find Me By Number. According to the docs, setting it to nobody requires also setting Who Can See My Number to nobody. Those two settings are both entirely unrelated to Signal’s “sealed sender” thing, which incidentally is itself cryptography theater, btw.