Signal is an Instant Messaging App with a Longstanding History. But Is Signal Secure? Let’s Find Out.
What is Signal? A Brief History
The origins of the Signal messaging app can be traced back to May 25, 2010, when a now-defunct company by the name of Whisper Systems launched beta versions of RedPhone and TextSecure. The former was an encrypted voice calling app, while the latter consisted of an encrypted texting program. Whisper Systems was an enterprise mobile security startup founded by Stuart Anderson, a roboticist, and Moxie Marlinspike (real name Matthew Rosenfeld, a security researcher. You might recognize Moxie’s name as a co-founder of the present-day Signal Foundation which administers the Signal messaging app. But more on that later.
Famed social media platform Twitter acquired Whisper Systems in November 2011. Shortly thereafter, RedPhone was made unavailable, which drew heavy criticism from the public due to the app’s relevance in the field of humanitarian aid. One month later, on December 20th, 2011, TextSecure was released as a free and open-source piece of software under the GPLv3 license.
On the 18th of July, 2012, RedPhone was released as free and open-source as well under the same GPLv3 license.
Moxie Marlinspike leaves Twitter in January 2013 to found Open Whisper Systems (OWS), a collaborative open-source project focused on the further evolution of the TextSecure and RedPhone apps.
In February 2014, OWS integrates instant messaging and end-to-end encrypted group chat functions into TextSecure. This represented the second version of their TextSecure Protocol, now known as the Signal Protocol. Towards the end of July 2014, OWS first released Signal as the iOS version of RedPhone. During this time, Moxie Marlinspike also announced the company’s intentions to merge RedPhone and TextSecure into a single app that will take on the Signal name and brand.
On the 6th of March, 2015, creator Moxie Marlinspike posted an announcement on the company’s blog stating that support for encrypted SMS/MMS messaging function in TextSecure had been suspended. From there on out, only sending and receiving encrypted messages via the data channel was supported by the Android application. Simultaneously to this, the encrypted instant messages feature was added to the Signal app on iOS. Come November 2015, RedPhone and TextSecure merge on Android and the resulting mobile application is renamed with the Signal brand. By December 2015, Signal had become a Google Chrome App available on desktop devices as well.
Open Whisper Systems founder Moxie Marlinspike announced on September 26, 2016, that Signal Desktop could then be connected with Signal’s iOS version as well. On October 4, 2016, a series of documents were released disclosing that Open Whisper Systems had been issued a subpoena asking them to provide information related to two phone numbers involved in a federal grand jury investigation conducted in the first half of 2016. The exposé was carried out in collaboration with the American Civil Liberties Union (ACLU), which OWS approached to get help in lifting the gag order placed on the company that prevented them from publicly discussing the subpoena.
The video call feature was added to Signal in beta testing in March 2017 by transitioning from its proprietary RedPhone system to the open-source WebRTC project. Subsequently the same year, Open Whisper Systems announced the deprecation of its Google Chrome App on October 31, 2017, just in time for Halloween.
On the 21st of February, 2018, Moxie Marlinspike announced the formation of the Signal Foundation together with WhatsApp co-founder Brian Acton. With an initial investment of $50 million from Acton, the Signal Foundation has been and is continuing to be run as a nonprofit organization. This allowed Signal to run entirely on donations by 2020.
Signal started adding new features starting with November 2019, all through February 2020. Its updated roster included videos, stickers, reactions, view-once images, and support for iPads.
Signal gained momentum in the United States of America during the Black Lives Matter protests that followed George Floyd’s death. Twitter CEO Jack Dorsey recommended the app in the wake of increased police surveillance on the movement. This increased downloads five times. What is more, a new feature allowing for face blurring in photos was introduced by the app as a response to federal monitoring efforts.
— jack (@jack) June 3, 2020
On January 7, 2021, Tesla plus SpaceX CEO and richest man in the world title holder Elon Musk tweeted a two-word statement encouraging his followers to “use Signal”. And use Signal they did, with the app registering more than 100,000 new accounts between the 7th and 8th of January. This temporarily ceased the delivery of account verification messages.
— Elon Musk (@elonmusk) January 7, 2021
Signal encountered a new surge in registrants on January 12, when the company reported quintupled downloads in the span of just one day. This resulted in another temporary disruption of services as reported by Bleeping Computer. Famed American whistleblower and Signal enthusiast Edward Snowden tweeted that the unexpected increase was most likely caused by “WhatsApp’s decision to sell out its users to Facebook”.
For those wondering about @SignalApp‘s scaling, #WhatsApp‘s decision to sell out its users to @Facebook has led to what is probably the biggest digital migration to a more secure messenger we’ve ever seen. Hang in there while the Signal team catches up. https://t.co/xNKz4aYUFJ
— Edward Snowden (@Snowden) January 15, 2021
Is Signal Secure? Of Protocol and Privacy
Formerly known as the TextSecure Protocol, the Signal Protocol was developed in 2013, the same year that Moxie Marlinspike founded Open Whisper Systems. It is a non-federated cryptographic protocol designed to provide end-to-end encryption to various channels of communication, namely instant messages, voice calls, and video calls. Its main usage is within the eponymous Signal app. Several other closed-source messaging applications claim to have implemented the Signal Protocol to support their novel secret chat functions. The most widely known examples include:
- Facebook Messenger
The Signal message encryption protocol is based on two different algorithms and a key agreement protocol, as listed on the Technical Information page on the app’s official website:
- Sesame message encryption algorithm
- Double Ratchet key management algorithm
- Elliptic-curve Diffie-Hellman key agreement protocol
Elliptic-curve Diffie-Hellman (ECDH) is a key agreement protocol that allows two parties to create a shared secret over an insecure channel by granting each an elliptic-curve public-private key pair. A shared secret is a term pertaining to cryptography that refers to a piece of data that is known only by the participants involved in a communication. It can either be used directly as a key or to derive another key. As per the Technical Information page on the Signal website, the app makes use of the Diffie-Hellman key agreement protocol in two ways, each detailed in their documents. Through public and private key formats initially defined for the X25519 and X448 elliptic-curve Diffie-Hellman functions, the service creates and verifies EdDSA-compatible signatures known as XEdDSA. The same section also describes VXEdDSA, or the process of extending XEdDSA signatures and transforming them into verifiable random functions, or VRF for short. A separate document details how the Signal app uses the X3DH key agreement protocol, which stands for Extended Triple Diffie-Hellman. Through means of establishing a shared secret key between the sender and receiver who mutually verify each other via public keys, X3DH delivers cryptographic deniability and forward secrecy to the chat.
Double Ratchet Algorithm
Previously known as the Axolotl Ratchet, the Double Ratchet key management algorithm was developed by Moxie Marlinspike in collaboration with crypto engineer Trevor Perrin in 2013. Its main function is providing end-to-end encryption to instant messaging as part of a cryptographic protocol. According to the algorithm’s technical sheet, Double Ratchet:
is used by two parties to exchange encrypted messages based on a shared secret key. The parties derive new keys for every Double Ratchet message so that earlier keys cannot be calculated from later ones. The parties also send Diffie-Hellman public values attached to their messages. The results of Diffie-Hellman calculations are mixed into the derived keys so that later keys cannot be calculated from earlier ones. These properties give some protection to earlier or later encrypted messages in case of a compromise of a party’s keys.
Sesame is an algorithm that manages message encryption sessions in a multi-device and asynchronous setting. It was designed to be used in tandem with Double Ratchet end-to-end encrypted chat sessions that are created via the aforementioned X3DH key agreement protocol. For the more technically inclined, I recommend reading all the four documents that I have previously linked, as they explain in much greater detail how Signal app communications are secured.
What Personal Information Does Signal Collect?
A valid phone number is required when creating a Signal account. Filling in other bits of personal profile information, such as name or picture, is optional. If you choose to add these details, they will be end-to-end encrypted just like any other communications on the platform. As another optional feature, you can choose to sync the contacts in your address book with Signal to discover if any of them are signed up for the app. This information is cryptographically hashed when communicated to the server. The messages you send over Signal cannot be decrypted or accessed in any other way, neither by company employees nor connected third parties. Servers store only messages that awaiting delivery to temporarily offline devices. Your personal message history is stored solely on the device on which the app is installed. Randomly generated authentication tokens, push tokens, keys, and other materials required for message and call transmission are stored on Signal servers. However, the app limits these resources to the minimum required for its services to operate properly. Finally, Signal User Support stores and uses any personal data you might share to better research your problem and contact you afterward with a solution.
How Much Does Signal Share with Third Parties?
5 Signal Security Tips to Consider
Instant messaging has become a staple of the modern office, but is Signal secure enough for companies? The app’s official FAQ section clearly states that Signal can also be used for work without having to go through a different signup process or purchasing add-ons. Therefore, your business communications can benefit from its end-to-end encrypted chats and employees can share essential information safely. Nevertheless, boosting digital defenses should be a priority when working with sensitive data or disclosing personal details online. Here are five Signal security tips to consider regardless of whether you are using the instant messaging app for personal interactions or business.
#1 Lock Your Mobile Device
As previously mentioned several times in this article, Signal chats are end-to-end encrypted. This means that neither Signal employees nor mobile service providers can intercept or read messages sent across the app. However, this doesn’t prevent malicious third parties from simply picking up phones and opening the app to read through private conversations. Therefore, locking your phone is essential to the security of your Signal chats and personal info in general. Depending on the make and model of your mobile device, you can choose to either draw a pattern, choose a password, type a numeric PIN, or even authenticate with biometric data such as fingerprint or facial recognition. You can also choose combinations of these verification methods depending on what features are supported by the operating system. For example, I have both a strong password and biometric recognition set up on my Android device. Do you want to take your mobile cybersecurity one step further? Encrypt your Android device and lock selected apps such as Signal. You can find these features under the Security tab of your device’s Settings. As for iOS users, keep in mind that iPhones and iPads generally encrypt all data automatically.
#2 Hide Lock Screen Messages
Signal displays unread messages as lock screen notifications by default. While this might come in handy when you’re on the go, it can also be detrimental to your information security. You never know who’s nearby and manages to sneak a peek at your private conversations. Thus, disabling lock screen notifications for the Signal app is another way you can boost your digital defenses. Hiding lock screen messages together with setting up a strong authentication method for mobile devices is worth practicing within a company as well. Include these specifications in your corporate BYOD policy to ensure that all personal devices brought within the office are secure.
#3 Verify the Identity of Your Contacts
Like many other digital channels of communication, Signal can also be targeted by man-in-the-middle attacks. For this reason, you must confirm the identity of the people you are talking to. Fortunately, doing this is simple enough, as the app assigns each contact a unique verification key. To ensure that your contacts are who they claim to be, you can:
- either scan their QR code,
- or cross-check their unique 66-character sequence.
What is more, the Signal instant messaging app will always display a notification when the verification key of a contact has changed. This can happen for two reasons:
- either you are being targeted by a man-in-the-middle attack,
- or your contact has changed their mobile device.
This is why verifying the identity of your contacts is essential for the security of your conversations, whether they are work-related or not. This is another point that should be included in the company BYOD policy if Signal is used on the job.
#4 Delete Sensitive Messages
After you send or receive a message in a Signal conversation with one of your contacts, copies are stored in two locations only: your and your contact’s respective mobile devices. This happens because, unlike other instant messaging apps, Signal doesn’t store copies of your messages in the cloud except for the aforementioned reason of one party being offline during the exchange. This means that the chances of malicious actors coming across your digital interactions in the online world are slim to none. However, we’ve already discussed how someone can simply pick your phone up or look over your shoulder at incoming notifications. The best way to prevent others from snooping around is by deleting sensitive messages. This is simple enough to achieve. To delete an individual message, simply long-touch it and choose the Delete option from the pop-up menu. As for deleting an entire conversation, the process is similar on Android, while on iOS it involves swiping the selected interaction to the left.
#5 Filter Mobile DNS Traffic
Filtering your mobile traffic at the level of the DNS is crucial to a safe instant messaging experience. DNS filtering adds an extra step between your query and the Internet, checking each request that you make. This what our Heimdal™ Threat Prevention cybersecurity solution does in a nutshell, protecting your mobile device from malicious domains that can compromise its security.
Heimdal® Threat Prevention
In Conclusion…Is Signal Secure or Not?