Yes, supposedly the client scrapes it using the website. They have a number of third-party integrations they do this for. It's actually a point of contention for them to add more third parties within the community. (People wanted LinkedIn and various other services.) Going forward they want it to be the other way around and have third parties start integrating with Keybase. (https://keybase.io/docs/proof_integration_guide)
I ran the test. What I did was run `tcpdump -i wlan0 -w /tmp/pcap` on my phone as root. I deliberately waited to search for your username in the Keybase app until after starting the packet capture, so it couldn't have fetched your keys already. I also didn't add anyone else for at least a few weeks. After starting the capture, I searched your username, hit connect, and stopped the capture only once it was done connecting and it proudly claimed that this chat is end to end encrypted (this took a few seconds).
I looked at two things: DNS results in case there is a quick win (like a lookup for Twitter) using `tshark -e dns.qry.name -Tfields -r /tmp/pcap | sort -u`, and when there was no Twitter lookup to be found, I looked into IP traffic using `tshark -r /tmp/pcap -e ip.dst -e ip.src -Tfields | tr \\t \\n | sort -u`.
None of the IP addresses belong to Twitter in terms of reverse lookup or whois info. Since api.twitter.com (like *.twitter.com, as far as I can find) is hosted in its own IP range, that pretty much concludes the test already, but I dug into each IP address just in case they use some endpoint I don't know about.
The only IP which it talked to in the right time window and I couldn't attribute to a particular app was 52.216.100.45, which (SNI tells me) is AWS S3. Does Twitter use AWS S3 and does Keybase connect to that directly without going through api.twitter.com? Seems strange.
The other IP addresses my phone talked to in the right time window are either pre-established connections (it would have to keep a permanent connection open to Twitter, and since I didn't add anyone for a while, that would mean it keeps a connection to Twitter open whenever I open the app... I would say we can rule that out) or attributable to other apps like Spotify (I am indeed playing music).
TL;DR it doesn't seem to check your Twitter proof.
It looks like Keybase is using mobile.twitter.com. I just ran `sudo tcpdump -x host mobile.twitter.com` while browsing to ahnick's profile in the Keybase app on my Mac, and got a flurry of activity. It doesn't seem to do that if I just start a chat, however—it only happens if I pull up his profile (i.e. the screen that lists his Twitter account).
I confirmed that the Keybase desktop client also seems to be using mobile.twitter.com when I was scanning with Wireshark. I know it is executing when going to the profile and it may be executing at certain times when a chat is initiated, but I'm unable to locate in the code base where this is occurring for chat. For the profile the code location for the client desktop appears to be here -> https://github.com/keybase/client/blob/master/shared/actions...
I guess it's good to know that it checks it in response to random actions, even if not when establishing a self-proclaimed end to end encrypted chat :P
Btw mobile.twitter.com is also hosted in their own range (104.244.40.0/21), so I would have spotted that if it had been contacted when I tested it.
Yeah, feel free to message me to test it out. My proof on Twitter is here -> https://twitter.com/xan_nick/status/860495425920524290. You should also see it verify my HN and GitHub, which I also have connected. (https://keybase.io/ahnick) Definitely interested in your results.
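
The attribution step from the capture test above, as an added example that is not part of any comment in this thread: it takes the output of `tshark -r /tmp/pcap -e ip.dst -e ip.src -Tfields` and reports which addresses fall in the 104.244.40.0/21 range mentioned for mobile.twitter.com. Both captures are constructed samples; 192.168.1.23 and 104.244.42.65 are assumed addresses and the function names are illustrative.

```python
import ipaddress

# Range stated in the thread for mobile.twitter.com; add other ranges you have verified.
WATCHED_RANGES = {"twitter": [ipaddress.ip_network("104.244.40.0/21")]}

# Constructed samples in tshark -Tfields layout (ip.dst <TAB> ip.src per packet).
CHAT_CAPTURE = (
    "52.216.100.45\t192.168.1.23\n"
    "192.168.1.23\t52.216.100.45\n"
    "\t\n"                              # non-IP frame (e.g. ARP): both fields empty
    "224.0.0.251\t192.168.1.23\n"       # mDNS multicast noise
)
PROFILE_CAPTURE = CHAT_CAPTURE + (
    "104.244.42.65\t192.168.1.23\n"
    "192.168.1.23,104.244.42.65\t104.244.42.65\n"  # multi-valued field
)


def parse_tshark_fields(text):
    """Collect the unique addresses found in tshark -Tfields output."""
    addresses = set()
    for line in text.splitlines():
        # A field may be empty or hold several comma-separated values.
        for token in line.replace(",", "\t").split("\t"):
            try:
                addresses.add(ipaddress.ip_address(token.strip()))
            except ValueError:
                continue  # empty field or not an IP literal
    return addresses


def attribute(addresses, ranges=WATCHED_RANGES):
    """Return ({label: [ips]}, [unattributed public ips])."""
    hits = {label: [] for label in ranges}
    unattributed = []
    for addr in sorted(addresses, key=lambda a: (a.version, int(a))):
        if addr.is_private or addr.is_loopback or addr.is_multicast:
            continue  # capturing host and LAN noise
        labels = [l for l, nets in ranges.items() if any(addr in n for n in nets)]
        for label in labels:
            hits[label].append(str(addr))
        if not labels:
            unattributed.append(str(addr))
    return hits, unattributed


if __name__ == "__main__":
    for name, capture in (("chat", CHAT_CAPTURE), ("profile", PROFILE_CAPTURE)):
        print(name, attribute(parse_tshark_fields(capture)))
```

An empty list for a watched range only shows that no packet went to that range during the capture window; connections opened before the capture started still appear, so the time window has to be checked separately, as the test above does.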