The Signal messaging app leapt in popularity in January 2021, when WhatsApp changed its privacy policy. Following Elon Musk’s laconic call to use Signal, millions of users downloaded the app, resulting in temporary technical issues with the service.
However, cybersecurity experts have known about Signal for a long time, and that’s no wonder; developers have spent years polishing the app’s privacy and security. Here’s what they have achieved and how to make Signal even more secure.
Signal features
Features available to all Signal users include end-to-end encryption, secure data storage, and the ability to view Signal’s code.
End-to-end encryption — a pillar of privacy
One of Signal’s indisputable advantages is its default use of end-to-end encryption. That means only the parties chatting with one another can read their texts, and nobody — not even the app’s developers — can listen in on individual or group calls. Using end-to-end encryption is an important way to improve messaging security.
In many ways, it was thanks to Signal that end-to-end encryption became so widely used in messaging apps. Even the competing WhatsApp, Facebook Messenger, and Skype use the Signal Protocol for secure communication. But by comparison, Signal encrypts much more data.
Unlike Telegram, whose end-to-end encryption works only in so-called secret chats for two users, Signal also encrypts group chats and calls end to end. Moreover, the service does not store group information such as participants, title, and avatar.
The developers of Signal also protect chat metadata — extra info about who wrote to whom — which can be no less sensitive than the contents of the chat and is a frequent source of confidential information leaks.
Finally, Signal also encrypts user profile info. Only the users you approve (contacts, people you have written to, and those you expressly permit to view your account data) can see your name, avatar, and status.
Privacy of contacts and secure enclaves
Signal employs so-called secure enclaves, isolated storage on its servers to which even the server owners have no access. It is because of that isolation that you can learn which of your contacts use Signal without disclosing your address book to the developers. The app sends an encrypted request to the enclave; the latter checks your contacts against registered users’ numbers and returns an encrypted response. No other living soul will see the content of your request.
Transparency policy
As an open-source project, Signal makes its code freely available, so a tech-savvy user can read or build code for Signal’s server software, Android and iOS apps, and desktop versions for Windows, macOS, and Linux, to make sure they contain no backdoors that would provide access to users’ sensitive data.
Setting up Signal
Beyond the app’s inherent security, Signal lets users opt for greater privacy and security with a variety of settings.
Signal PIN
You can use a Signal PIN to recover your profile as well as the settings and contacts that you save in the app (i.e., contacts not present in your address book), and the list of your blocked contacts, should you lose your device or reinstall the app.
Does that mean your data is actually stored on Signal servers and accessible to developers or hackers ? Yes and no. Yes, the information is really stored on the servers. But no, it can’t be stolen because it is encrypted and kept in the abovementioned secure enclaves — and the only key to it is that PIN, which only you know.
The app prompts users to set up a PIN at registration, and you can change yours in the settings. In case you don’t trust the PIN and the enclaves enough, you can deactivate the feature, either during registration or through the settings. If you do so, however, then if you delete the app you will also be deleting all of the data it’s stored on your device, including contacts not in your address book.
Also, if you have no PIN, someone else can potentially register in Signal using your phone number, for example using SIM swapping. The same can happen if you haven’t used the number long enough for it to be disconnected and issued to another person.
Privacy settings
To protect your chats from anyone who happens to handle your smartphone, we recommend activating the screen lock feature in the app settings. Once it’s active, you’ll need to use the same code, fingerprint, or Face ID to access the app as you use to unlock the phone.
By default, the app doesn’t lock when you collapse it, so make sure to change that setting. Both Android and iOS users can set a screen lock timeout duration in the privacy settings or choose Instant. Once locked, Signal will require your code, fingerprint, or Face ID each time you switch back to the app.
Android users, in addition to relying on an inactivity timeout, can alternatively lock the app manually from the notification bar.
The Android version of Signal has another useful privacy feature in the settings: the incognito keyboard. If you turn it on, your smartphone will no longer learn your new and most frequently used words and phrases and prompt you for them on the go — meaning the keyboard app will not process and keep the text you type. The incognito keyboard may not work with some devices, in which case the app will warn you when you try to activate the function.
Finally, you may choose whether you want your contacts to see whether you have read an incoming message or are typing text. Similar to other messaging apps, once you deactivate the option, you will no longer receive the same info about other users.
Linking devices
You can chat in Signal on your smartphone, tablet, and computer at the same time; you just have to link the additional devices to your account.
To do that, go to Linked devices and press + to activate the camera and receive a QR code to scan. Next, run Signal on the second device (for example, your PC) and follow the instructions.
You’ll see a list of all of your linked devices in the app’s settings. We recommend checking that list from time to time for any unknown devices — that is, unauthorized users. Also don’t forget to unlink any devices you no longer need.
Chat backups
By default, Signal does not create chat backups, but you can activate the feature so that you can recover your chats if need be. Follow the instructions in the settings, and be sure to save the 30-character password phrase the app creates for you. Lose that and your backup copy becomes useless.
Signal stores backup copies on your device, so if you need to recover your data on a new phone, you will still need access to your old device. That means if you lose your smartphone or it breaks, you won’t be able to restore your chats.
Advanced settings (for the most cautious)
These options will completely conceal your messenger activities from prying eyes.
- Under Chats, deactivate the retrieval of link previews for your messages. This will prevent Signal from sending an extra Web query to the referenced website, which would otherwise be available to your Internet service provider.
- In the advanced privacy settings, set voice calls to connect through Signal servers instead of connecting directly to your contact. Doing so hides your IP address, which can prove useful under certain circumstances, although the developers warn it may reduce call quality.
- Activate a proxy to avoid potential surveillance even more effectively. Here, a proxy is a protective element between your device and the app’s servers (the service website contains detailed instructions). With a proxy, even Signal will know nothing about your IP address. This option will also be of use in countries that block Signal.
Final recommendations
Now that you’ve guaranteed the privacy of your personal data in Signal, including chats, metadata, and profile information, make sure you’ve also taken steps to prevent unauthorized physical or remote access to your device. Always lock your smartphone, update all of your apps and the operating system in a timely manner, and install a reliable security solution. And for users of other messaging apps, don’t forget to set up Discord and Telegram for maximum security and privacy.