Heimdal
article featured image

Contents:

Everyone from Elon Musk to Edward Snowden has been talking about Signal these days. Friends, family, and followers received recommendations to create accounts left and right, leaving us to wonder: what is Signal? And even more importantly, is Signal secure? Before diving into the technical details, I’ll have a brief look at the app’s history that spans over a decade. Then, I’ll go over the app’s encryption protocol and privacy policy to help answer the most pressing question at hand: is Signal secure? Stay tuned until the end to find out, and don’t forget to check out this article’s section on actionable tips that will help you boost your cybersecurity while using Signal.

What is Signal? A Brief History

2010

The origins of the Signal messaging app can be traced back to May 25, 2010, when a now-defunct company by the name of Whisper Systems launched beta versions of RedPhone and TextSecure. The former was an encrypted voice calling app, while the latter consisted of an encrypted texting program. Whisper Systems was an enterprise mobile security startup founded by Stuart Anderson, a roboticist, and Moxie Marlinspike (real name Matthew Rosenfeld, a security researcher. You might recognize Moxie’s name as a co-founder of the present-day Signal Foundation which administers the Signal messaging app. But more on that later.

2011

Famed social media platform Twitter acquired Whisper Systems in November 2011. Shortly thereafter, RedPhone was made unavailable, which drew heavy criticism from the public due to the app’s relevance in the field of humanitarian aid. One month later, on December 20th, 2011, TextSecure was released as a free and open-source piece of software under the GPLv3 license.

2012

On the 18th of July, 2012, RedPhone was released as free and open-source as well under the same GPLv3 license.

2013

Moxie Marlinspike leaves Twitter in January 2013 to found Open Whisper Systems (OWS), a collaborative open-source project focused on the further evolution of the TextSecure and RedPhone apps.

2014

In February 2014, OWS integrates instant messaging and end-to-end encrypted group chat functions into TextSecure. This represented the second version of their TextSecure Protocol, now known as the Signal Protocol. Towards the end of July 2014, OWS first released Signal as the iOS version of RedPhone. During this time, Moxie Marlinspike also announced the company’s intentions to merge RedPhone and TextSecure into a single app that will take on the Signal name and brand.

2015

On the 6th of March, 2015, creator Moxie Marlinspike posted an announcement on the company’s blog stating that support for encrypted SMS/MMS messaging function in TextSecure had been suspended. From there on out, only sending and receiving encrypted messages via the data channel was supported by the Android application. Simultaneously to this, the encrypted instant messages feature was added to the Signal app on iOS. Come November 2015, RedPhone and TextSecure merge on Android and the resulting mobile application is renamed with the Signal brand. By December 2015, Signal had become a Google Chrome App available on desktop devices as well.

2016

Open Whisper Systems founder Moxie Marlinspike announced on September 26, 2016, that Signal Desktop could then be connected with Signal’s iOS version as well. On October 4, 2016, a series of documents were released disclosing that Open Whisper Systems had been issued a subpoena asking them to provide information related to two phone numbers involved in a federal grand jury investigation conducted in the first half of 2016. The exposé was carried out in collaboration with the American Civil Liberties Union (ACLU), which OWS approached to get help in lifting the gag order placed on the company that prevented them from publicly discussing the subpoena.

2017

The video call feature was added to Signal in beta testing in March 2017 by transitioning from its proprietary RedPhone system to the open-source WebRTC project. Subsequently the same year, Open Whisper Systems announced the deprecation of its Google Chrome App on October 31, 2017, just in time for Halloween.

2018

On the 21st of February, 2018, Moxie Marlinspike announced the formation of the Signal Foundation together with WhatsApp co-founder Brian Acton. With an initial investment of $50 million from Acton, the Signal Foundation has been and is continuing to be run as a nonprofit organization. This allowed Signal to run entirely on donations by 2020.

2019

Signal started adding new features starting with November 2019, all through February 2020. Its updated roster included videos, stickers, reactions, view-once images, and support for iPads.

2020

Signal gained momentum in the United States of America during the Black Lives Matter protests that followed George Floyd’s death. Twitter CEO Jack Dorsey recommended the app in the wake of increased police surveillance on the movement. This increased downloads five times. What is more, a new feature allowing for face blurring in photos was introduced by the app as a response to federal monitoring efforts.

2021

On January 7, 2021, Tesla plus SpaceX CEO and richest man in the world title holder Elon Musk tweeted a two-word statement encouraging his followers to “use Signal”. And use Signal they did, with the app registering more than 100,000 new accounts between the 7th and 8th of January. This temporarily ceased the delivery of account verification messages.

Signal encountered a new surge in registrants on January 12, when the company reported quintupled downloads in the span of just one day. This resulted in another temporary disruption of services as reported by Bleeping Computer. Famed American whistleblower and Signal enthusiast Edward Snowden tweeted that the unexpected increase was most likely caused by “WhatsApp’s decision to sell out its users to Facebook”.

Is Signal Secure? Of Protocol and Privacy

Signal Protocol

Formerly known as the TextSecure Protocol, the Signal Protocol was developed in 2013, the same year that Moxie Marlinspike founded Open Whisper Systems. It is a non-federated cryptographic protocol designed to provide end-to-end encryption to various channels of communication, namely instant messages, voice calls, and video calls. Its main usage is within the eponymous Signal app. Several other closed-source messaging applications claim to have implemented the Signal Protocol to support their novel secret chat functions. The most widely known examples include:

  • WhatsApp
  • Facebook Messenger
  • Skype

The Signal message encryption protocol is based on two different algorithms and a key agreement protocol, as listed on the Technical Information page on the app’s official website:

  • Sesame message encryption algorithm
  • Double Ratchet key management algorithm
  • Elliptic-curve Diffie-Hellman key agreement protocol

Diffie-Hellman Protocol

Elliptic-curve Diffie-Hellman (ECDH) is a key agreement protocol that allows two parties to create a shared secret over an insecure channel by granting each an elliptic-curve public-private key pair. A shared secret is a term pertaining to cryptography that refers to a piece of data that is known only by the participants involved in a communication. It can either be used directly as a key or to derive another key. As per the Technical Information page on the Signal website, the app makes use of the Diffie-Hellman key agreement protocol in two ways, each detailed in their documents. Through public and private key formats initially defined for the X25519 and X448 elliptic-curve Diffie-Hellman functions, the service creates and verifies EdDSA-compatible signatures known as XEdDSA. The same section also describes VXEdDSA, or the process of extending XEdDSA signatures and transforming them into verifiable random functions, or VRF for short. A separate document details how the Signal app uses the X3DH key agreement protocol, which stands for Extended Triple Diffie-Hellman. Through means of establishing a shared secret key between the sender and receiver who mutually verify each other via public keys, X3DH delivers cryptographic deniability and forward secrecy to the chat.

Double Ratchet Algorithm

Previously known as the Axolotl Ratchet, the Double Ratchet key management algorithm was developed by Moxie Marlinspike in collaboration with crypto engineer Trevor Perrin in 2013. Its main function is providing end-to-end encryption to instant messaging as part of a cryptographic protocol. According to the algorithm’s technical sheet, Double Ratchet:

is used by two parties to exchange encrypted messages based on a shared secret key. The parties derive new keys for every Double Ratchet message so that earlier keys cannot be calculated from later ones. The parties also send Diffie-Hellman public values attached to their messages. The results of Diffie-Hellman calculations are mixed into the derived keys so that later keys cannot be calculated from earlier ones. These properties give some protection to earlier or later encrypted messages in case of a compromise of a party’s keys.

Sesame Algorithm

Sesame is an algorithm that manages message encryption sessions in a multi-device and asynchronous setting. It was designed to be used in tandem with Double Ratchet end-to-end encrypted chat sessions that are created via the aforementioned X3DH key agreement protocol. For the more technically inclined, I recommend reading all the four documents that I have previously linked, as they explain in much greater detail how Signal app communications are secured.

Signal Privacy Policy

The instant messaging app’s encryption protocol is undoubtedly solid and influential, but is Signal secure when it comes to confidentiality as well? What personal data does it store and how much does it share with third parties or law enforcement? Let’s have a look at the app’s Privacy Policy as outlined on the official Signal website and find out.

What Personal Information Does Signal Collect?

A valid phone number is required when creating a Signal account. Filling in other bits of personal profile information, such as name or picture, is optional. If you choose to add these details, they will be end-to-end encrypted just like any other communications on the platform. As another optional feature, you can choose to sync the contacts in your address book with Signal to discover if any of them are signed up for the app. This information is cryptographically hashed when communicated to the server. The messages you send over Signal cannot be decrypted or accessed in any other way, neither by company employees nor connected third parties. Servers store only messages that awaiting delivery to temporarily offline devices. Your personal message history is stored solely on the device on which the app is installed. Randomly generated authentication tokens, push tokens, keys, and other materials required for message and call transmission are stored on Signal servers. However, the app limits these resources to the minimum required for its services to operate properly. Finally, Signal User Support stores and uses any personal data you might share to better research your problem and contact you afterward with a solution.

How Much Does Signal Share with Third Parties?

In its Privacy Policy, Signal discloses that the app works with some third parties to deliver services such as delivering verification codes upon authentication. What is more, the app can be used in tandem with other third parties such as YouTube, Spotify, Giphy, and more. In such cases, the Privacy Policy of the respective third-party governs how data is stored and shared. Signal also reserves the right to share your data with relevant legal authorities when formally requested to do so. In addition to this, the service is dedicated to protecting its assets and those of its users from harm, which further allows it to use some of your details. What is more, it is possible for the app to divulge some information if necessary in the investigation of a Terms and Conditions breach, as well as to detect or prevent fraud and other security issues.

5 Signal Security Tips to Consider

Instant messaging has become a staple of the modern office, but is Signal secure enough for companies? The app’s official FAQ section clearly states that Signal can also be used for work without having to go through a different signup process or purchasing add-ons. Therefore, your business communications can benefit from its end-to-end encrypted chats and employees can share essential information safely. Nevertheless, boosting digital defenses should be a priority when working with sensitive data or disclosing personal details online. Here are five Signal security tips to consider regardless of whether you are using the instant messaging app for personal interactions or business.

#1 Lock Your Mobile Device

As previously mentioned several times in this article, Signal chats are end-to-end encrypted. This means that neither Signal employees nor mobile service providers can intercept or read messages sent across the app. However, this doesn’t prevent malicious third parties from simply picking up phones and opening the app to read through private conversations. Therefore, locking your phone is essential to the security of your Signal chats and personal info in general. Depending on the make and model of your mobile device, you can choose to either draw a pattern, choose a password, type a numeric PIN, or even authenticate with biometric data such as fingerprint or facial recognition. You can also choose combinations of these verification methods depending on what features are supported by the operating system. For example, I have both a strong password and biometric recognition set up on my Android device. Do you want to take your mobile cybersecurity one step further? Encrypt your Android device and lock selected apps such as Signal. You can find these features under the Security tab of your device’s Settings. As for iOS users, keep in mind that iPhones and iPads generally encrypt all data automatically.

#2 Hide Lock Screen Messages

Signal displays unread messages as lock screen notifications by default. While this might come in handy when you’re on the go, it can also be detrimental to your information security. You never know who’s nearby and manages to sneak a peek at your private conversations. Thus, disabling lock screen notifications for the Signal app is another way you can boost your digital defenses. Hiding lock screen messages together with setting up a strong authentication method for mobile devices is worth practicing within a company as well. Include these specifications in your corporate BYOD policy to ensure that all personal devices brought within the office are secure.

#3 Verify the Identity of Your Contacts

Like many other digital channels of communication, Signal can also be targeted by man-in-the-middle attacks. For this reason, you must confirm the identity of the people you are talking to. Fortunately, doing this is simple enough, as the app assigns each contact a unique verification key. To ensure that your contacts are who they claim to be, you can:

  • either scan their QR code,
  • or cross-check their unique 66-character sequence.

What is more, the Signal instant messaging app will always display a notification when the verification key of a contact has changed. This can happen for two reasons:

  • either you are being targeted by a man-in-the-middle attack,
  • or your contact has changed their mobile device.

This is why verifying the identity of your contacts is essential for the security of your conversations, whether they are work-related or not. This is another point that should be included in the company BYOD policy if Signal is used on the job.

#4 Delete Sensitive Messages

After you send or receive a message in a Signal conversation with one of your contacts, copies are stored in two locations only: your and your contact’s respective mobile devices. This happens because, unlike other instant messaging apps, Signal doesn’t store copies of your messages in the cloud except for the aforementioned reason of one party being offline during the exchange. This means that the chances of malicious actors coming across your digital interactions in the online world are slim to none. However, we’ve already discussed how someone can simply pick your phone up or look over your shoulder at incoming notifications. The best way to prevent others from snooping around is by deleting sensitive messages. This is simple enough to achieve. To delete an individual message, simply long-touch it and choose the Delete option from the pop-up menu. As for deleting an entire conversation, the process is similar on Android, while on iOS it involves swiping the selected interaction to the left.

#5 Filter Mobile DNS Traffic

Filtering your mobile traffic at the level of the DNS is crucial to a safe instant messaging experience. DNS filtering adds an extra step between your query and the Internet, checking each request that you make. This what our Heimdal™ Threat Prevention cybersecurity solution does in a nutshell, protecting your mobile device from malicious domains that can compromise its security.

Heimdal Official Logo
Antivirus is no longer enough to keep an organization’s systems secure.

Heimdal® DNS Security Solution

Is our next gen proactive DNS-Layer security that stops unknown threats before they reach your endpoints.
  • Machine learning powered scans for all incoming online traffic;
  • Stops data breaches before sensitive info can be exposed to the outside;
  • Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
  • Protection against data leakage, APTs, ransomware and exploits;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.
Heimdal™ Threat Prevention’s proprietary DarkLayer Guard™ technology knows which websites to block almost instinctively by maintaining an ever-evolving blacklist of malicious domains. It works together with VectorN Detection™, an AI-based traffic pattern recognition engine that is constantly learning everything there is to know about the darkest corners of the digital world.

In Conclusion…Is Signal Secure or Not?

Compared to other instant messaging apps out there, Signal does indeed seem to offer a more secure alternative for digital interactions. It is an ideal mix between a sound encryption protocol that adds cryptographic deniability and forward secrecy to all chats and a privacy policy that highlights minimal storage of data by the service and associated third parties. However, please keep in mind that Signal can still share the information it does collect about you with the authorities that request it. Like many other services of its kind, it is bound by law to do its due diligence when criminal investigations are at hand.

Are you a fan of the Signal instant message app? Do you think Signal is secure? As always, feel free to leave any thoughts, questions, or concerns in the comment section below. I’d love to read all about them!

Author Profile

Alina Georgiana Petcu

Product Marketing Manager

linkedin icon

Alina Georgiana Petcu is a Product Marketing Manager within Heimdal™ Security and her main interest lies in institutional cybersecurity. In her spare time, Alina is also an avid malware historian who loves nothing more than to untangle the intricate narratives behind the world's most infamous cyberattacks.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE