Signal Private Messenger Review


Even without taking its privacy and security advantages into consideration, Signal makes an excellent SMS/MMS client that does a good job of replacing the stock one that came with your phone. As far as security is concerned, it is probably the best option currently available for keeping your text and voice conversations private.

Rating: 5
On November 4, 2015
Last modified: November 9, 2016

Summary:

In our Signal Private Messenger review we look at a free and open source app that allows you to chat via messages or VoIP using strong encryption.

TextSecure and RedPhone were Android apps developed by security outfit Open Whisper Systems. Providing secure encrypted text chat and VoIP voice call capabilities respectively, we regarded both apps as being among the best (and arguably the best) options available for keeping your conversations private on Android.

In March this year (2015) Open Whisper Systems released Signal, an app for iOS that combines the functionality of both TextSecure and RedPhone, and this week it announced that “TextSecure is becoming Signal.”

Existing Android users will find their TextSecure app automatically updated to Signal, while RedPhone users are advised to uninstall the app (and install Signal instead, if they do not already have it installed).

What is Signal?

Signal is a free and open source app that replaces your regular SMS messenger app, allowing you to send and receive SMS messages as normal, except that when texting other Signal users in your contact list, all messages are automatically encrypted.

When texting non-Signal users you are given the option to invite them to Signal, or can simply send a message as normal via (unencrypted) SMS. (Note that in the past TextSecure allowed users to send encrypted messages over SMS, as opposed to the internet, but this feature was removed from TextSecure due to lack of interest, and is not present in Signal.)

In addition to sending messages, you can “phone” contacts from within the Signal app. If the contact is another Signal user then the call is encrypted and routed over the internet (similar to Skype, but much more secure). As with Skype, calls made in this way are free.

If the contact is not a Signal user then the app loads the contact’s telephone number into your regular phone dialer, ready for a normal (unencrypted and liable to your regular phone charges) phone call.

Signal is incorporated as the default messenger app in CyanogenMod, the very popular alternative OS for Android phones, and the TextSecure protocol on which Signal is based has also been adopted by the world’s most popular instant messaging app, WhatsApp (see the end of this article for a few thoughts on this).

Privacy & Security

Both TextSecure and RedPhone, which were widely regarded in the technology security industry as among the best privacy tools available, were recommended by Edward Snowden, who has now given the thumbs-up to Signal.

Because Signal is open source, its code can be independently audited for backdoors and other nasty surprises. Last year a German research team did precisely this for TextSecure, and despite finding a vulnerability (now fixed), it gave the app the all-clear in its paper “How Secure is TextSecure?”:

We are the first to completely and precisely document and analyse TextSecure’s secure push messaging protocol… We show that if long-term public keys are authentic, so are the message keys, and that the encryption block of TextSecure is actually one-time stateful authenticated encryption [and] prove TextSecure’s push messaging can indeed achieve the goals of authenticity and confidentiality.

Signal encrypts and decrypts all messages client-side (i.e. on the user’s phone before transmission and upon receipt), so they cannot be intercepted in transit. Messages can also be stored encrypted on the phone.

Each text is encrypted using perfect forward secrecy (using an ephemeral Curve25519 key), so that if any keys are compromised, the attacker will only have access to one small part of the conversation. The text body itself is encrypted using 256-bit AES in CTR mode, with Curve25519 Diffie-Hellman handshake/key protection, and SHA256 hash authentication (for more information on these terms please see here.)

Signal VoIP conversations are likewise encrypted client-side, with all voice communications between the app and servers encrypted using TLS, while the contents of communications are encrypted using 128-bit AES-CBC, with SHA1 hash authentication.

This is not as strong as the encryption used by Signal for text messaging, probably due to the fact that encrypting and decrypting data uses processing power, so stronger encryption would negatively impact the quality of calls. For most purposes this level of encryption should be more than sufficient, but if very high levels of privacy are required then you should probably stick to text messaging.

Concerns

Baseband processor

While all of this is very impressive, some concerns have been voiced. The first of these centers around the baseband processor that is present in every smartphone built to date. As Thom Holwerda writing for OSNews explains,

The problem here is clear: these baseband processors and the proprietary, closed software they run are poorly understood, as there’s no proper peer review. This is actually kind of weird, considering just how important these little bits of software are to the functioning of a modern communication device. You may think these baseband RTOS’ are safe and secure, but that’s not exactly the case. You may have the most secure mobile operating system in the world, but you’re still running a second operating system that is poorly understood, poorly documented, proprietary, and all you have to go on are Qualcomm’s, Infineon’s, and others’ blue eyes.

The insecurity of baseband software is not by error; it’s by design. The standards that govern how these baseband processors and radios work were designed in the ’80s, ending up with a complicated codebase written in the ’90s – complete with a ’90s attitude towards security. For instance, there is barely any exploit mitigation, so exploits are free to run amok. What makes it even worse, is that every baseband processor inherently trusts whatever data it receives from a base station (e.g. in a cell tower). Nothing is checked, everything is automatically trusted. Lastly, the baseband processor is usually the master processor, whereas the application processor (which runs the mobile operating system) is the slave.

What this basically means is that ISPs can, if they choose to, bypass any encryption used by any app running on a mobile phone in real-time, allowing them to readily access all content on that phone in cleartext (by simply accessing the content as it becomes encrypted/decrypted).

Or at least that is the theory – no evidence of this actually happening has yet been reported. It should also be stressed that none of this is Signal’s fault, and is a potential flaw in all mobile security software.

It should also be stressed that an adversary using such methods to spy on smart phone users’ encrypted communications would have to be very powerful (e.g. the NSA), and would almost certainly have to specifically target a known individual’s phone (so no blanket spying).

Funding

In addition to the baseband processor problem, the issue of where open source developers receive funding from worries some observers. As with other high profile open source privacy projects such as LEAP (which is used to run RiseUp.net), WikiLeaks-alike GlobaLeaks (endorsed by Tor devs such as Jacob Appelbaum), the Guardian Project (makers of ChatSecure and Orbot), and the Tor Project itself, Whisper Systems receives generous financial assistance from US government funded agencies.

Privacy activists and open source developers argue that good math is good math, regardless of where the funding comes from, and that the funding necessary to develop secure systems is otherwise very hard to come by.

This question of funding has, however, led some to question the integrity of such claims. For an excellent discussion on this subject, please see Internet privacy, funded by spooks: A brief history of the BBG by Yasha Levine.

Despite these concerns (which affect all mobile apps and almost all major open source security projects respectively), Signal appears to be among the most secure applications currently available. You pays your money (or not in this case), and you takes your chances…

Google Play Services

The official Android version of Signal requires the Google Play Services framework to be installed in order to run. Many consider this a major security issue, as this proprietary software gives Google the ability to perform extensive low-level surveillance on users’ devices. Head of Open Whisper Systems and chief developer of Signal, privacy and security legend Moxie Marlinspike, defended the requirement for Google Play Services on the grounds that the app is dependent on Google’s GCM push messaging framework.

As of March 2015, however, Signal’s message delivery has been performed by Open Whisper Systems itself, and the client relies on GCM only for a wakeup event. For those who are still unhappy at having Google Apps (Gapps) on their device, LibreSignal is an open source Signal fork that uses Websockets instead of GCM, and therefore does not require Google Play Services to be installed.

Signal in use

You need to register with Signal using your phone number (it is intended to replace your regular messaging app, so it needs to know this information anyway.) It will then generate a key pair. The identity of other users can be verified by reading out your ‘identity’ (public) keys to each other.

By default all your old messages and message history are imported, and Signal makes use of your default dialler contact list (at least it does in Android – we have not tested the iOS version.)

Signal features a group chat mode, and can send camera, picture, video, audio, and contact info attachments. There is also the option to encrypt messages locally, hiding access to them behind a passphrase. Remember that messages and voice calls between Signal users are not only encrypted, but are free.

Conclusion

Even without taking its privacy and security advantages into consideration, Signal makes an excellent SMS/MMS client that does a good job of replacing the stock one that came with your phone.

As far as security is concerned, it is probably the best option currently available for keeping your text and voice conversations private.

The baseband processor issue is a worry, but until open source baseband processor firmware becomes available (and we are not aware of any currently being developed), the only way around this issue is to only communicate on hardware with no cellphone capability, on a very secure OS such as TAILS or (maybe) CyanogenMod, and use a secure desktop messaging or VoIP app (the newly released Tor Messenger also looks promising).

Signal is available to download for Android and iOS.

A note about WhatsApp

A major problem when trying to migrate towards a more secure software environment is that this generally requires getting your friends, family and colleagues on board. After all, if no-one you know can be persuaded to install and use Signal, then it just acts as a (not at all bad, but offering no real advantages over stock) SMS client.

Despite initial alarm by privacy advocates when it was purchased by Facebook, WhatsApp now uses the TextSecure protocol, and thanks to its established popularity, it may therefore be much easier to persuade your contacts to actually use WhatsApp (in fact there is a very good chance that many of them already do!)

Unfortunately, despite using the same underlying security protocol, Signal and WhatsApp are not compatible with each other.

Because WhatsApp uses the TextSecure protocol, in theory messages are encrypted client-side and are as secure as those sent via Signal (regardless of WhatsApp being owned by Facebook). However, because WhatsApp is closed source, there is no way to verify this, or that the app does not send a copy of users’ encryption keys back to Facebook.

The fact that Facebook owns WhatsApp also hardly inspires confidence given its abysmal privacy record, so WhatsApp can never be considered anywhere near as secure as Signal.

On the other hand, however, you probably have a lot of friends who already use WhatsApp, and are therefore more likely to actually encrypt their messages using the app…


Douglas Crawford I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. Find me on Google+

33 responses to “Signal Private Messenger Review”

  1. Dear Douglas,

    Can you tell more about the financial assistance from US government funded agencies?
    What is your source of info on this?

    Thanks and must say it seems a very good informative article.

    1. Hi Marc,

      Thanks! Between 2013-2014 Open Whisper Systems received some $1,355,000 in funding from the Open Technology Fund. The OTF is a US Government funded program created in 2012 at Radio Free Asia to support global Internet freedom technologies. Its mission is to “[utilize] available funds to support projects that develop open and accessible technologies to circumvent censorship and surveillance, and thus promote human rights and open societies”.

      Does or might this compromise the integrity of Signal? This person certainly thinks it does. On the other hand, Signal is open source, so its code can be independently audited.

      A recent audit by researchers from the University of Oxford in the United Kingdom, Queensland University of Technology in Australia and McMaster University in Canada gave the messaging app the all-clear,

      “We have found no major flaws in its design, which is very encouraging.”

      They have called on researchers to continue the testing and analysis of Signal, however. Personally, I trust good math and open source code that has been independently audited over paranoid inference based on how Signal is funded. But YMMV…

  2. Why is there no possibility to directly create an audio message and send it? There is no such button that WhatsApp or Telegram have. The only way is to create a message in the voice recorder app and then send it from there via Signal. Quite complicated. Is there an easier way or are they planning on creating that feature?

  3. Good Day, I have been using Signal for a week now and I have several friends that use it as well, so I’m getting used to the secure features, I hope. I do have a couple of questions, though. I was sent a video and I received a message: “This Media has been stored in an encrypted database. Unfortunately, to view it with an external content viewer currently requires the data to be temporarily decrypted and written to storage. Are you sure that you would like to do that?”

    What are the pros and cons to this message?
    Where is the encrypted database?
    And do the files stay on my phone once viewed?

    1. Hi GLG,

      – You cannot be sent videos using Signal per se., so you have simply been sent a link to the video.
      – The encrypted database will be wherever your friend has chosen to store the video. You can probably tell from the video URL that you were sent (but this might be masked with a short URL or something similar).
      – The file will be downloaded to your phone (unencrypted). You can permanently delete it, however, using an app such as File Shredder.

  4. Does deleting message history with a friend remove it from their end too? Or will they still have a record of the conversation and attachments etc?

    1. Hi Samane,

      That is a very good question. I don’t think it is possible to delete messages on another person’s phone, and I don’t think many users would be happy with that idea anyway, even were such a feature to be available.

  5. Is Signal uploading the user’s contact list to the server, opening the possibility to track multiple users’ networks of relationships?

    1. Hi Peter,

      According to The Intercept,

      “Signal users must share their contact list with the app in order to find other users — in WhatsApp, this is optional but recommended. But Signal doesn’t directly send your contact list to the server. Instead, it uses what’s known as a cryptographic hash function to obfuscate phone numbers before sending them to the server. (It also truncates the hashed phone numbers, if we’re being precise about things.) The server responds with the contacts that you have in common and then immediately discards the query, according to Marlinspike.”

      So no, it should not be possible to track users via their network of contacts.

  6. My question is, does using Signal to text someone internationally avoid fees from the mobile carrier? In other words, is texting free when using Signal as opposed to the stock Msgr on the phone?

    1. Hi Angela,

      So… if the other person also uses Signal, then the message is sent via the internet, and is free. If the other person does not use Signal then the message is sent via regular SMS, and will cost your usual SMS fee.

  7. You might want to follow up on how to get Google Voice or Hangouts as your phone number. However, the issues with the non registered mobile number going to unsecured users should be disclosed…

    Very odd, imho.

    1. Hi James,

      An article on obtaining a Google Voice phone number is a great idea. Thanks. The way in which Signal uses your regular phone number is no secret, and is part of the core appeal of the product as it simply replaces your regular SMS app.

  8. Signal can only send SMS over internet, so if data and wifi are off either end the message won’t get through, right?

    1. Hi Huw,

      Nope. If your contact is also a Signal user then Signal will send them an encrypted message over the internet. If your contact is not a Signal member you can just send them a regular SMS message (via the phone network, not the internet). You can also send other Signal users regular SMS messages, which is useful if no internet is available for either party (long-press on the “Send” icon and select “Insecure SMS”).

  9. Having issues with missing texts at both client and receiver ends. At times, the texts disappear like they were never written. At others, they simply fail (repeatedly ).

  10. I’m testing out Signal right now, and I just can’t wrap my head around why I need to give it access to all of my contacts in order for it to work. That just screams “bad news” to me. Can anyone give me a reason why someone who needs encryption wouldn’t be rightfully paranoid about that level of access?

    1. Hi Smarmy,

      Signal works as a replacement to your phone’s regular messenger app. When you message or phone another user in your contact list who is also a Signal user, the message or call is encrypted by default. If the contact is not a Signal user the app suggests that you invite them to Signal, or sends the message/call encrypted. Accessing your contacts is required for Signal’s functionality. If you are not happy with this way of doing things, check out my article on Secure alternatives to WhatsApp (and SureSpot in particular.)

  11. Well, it doesn’t work on iPhone 4 anymore. It keeps saying “Registration fail we couldnt reach the signal server . try again ” …

  12. Hello, thanks for a very clear description of this service. I am a counsellor/therapist/social worker and I am looking for ways to email and text clients. For the moment my community health centre has a policy that we should not be emailing or texting any confidential/sensitive information, however we can use fax for anything(?!). I mostly work with teens who prefer to communicate electronically, so I wish to convince my agency to change their policies, however I want to offer solid options. Signal and Hushmail are two options I have identified. Final question: is there a way for me to text a client while keeping my phone number (personal cell) anonymous? I have discovered #31# for calls but what can I do with text messages?? Thanks, Duane

    1. Hi Duane,

      Hushmail is not considered a secure option, thanks to this. Signal is a good option, but it does require your client to know your phone number. If you wish to hide your phone number then something like ChatSecure or Jitsi may be better (please see my article on Secure alternatives to WhatsApp). Another option would be to use a secure email service such as ProtonMail or Tutanota.

  13. Why doesn’t Signal have an auto delete function like other secure messengers? Basically if someone found a phone and was able to bypass the PIN, all Signal messages can be read.

    Other messengers delete messages each time you open the chat.

    1. Hi Kevin,

      Well, bypassing the PIN should not be too easy as the messages are all encrypted locally, but you do have a point. A workaround could be to go to Settings -> Chats and media -> Message trimming, and set conversation limit to 0…

      1. Unless there’s a bug in my version of the app, setting the trim limit to 0 is not possible. It refuses to accept anything lower than 1.

  14. Hi. I am using the Signal messaging app on my Samsung Note 3/ Android. How can I delete text messages? I can’t figure out how to do that.

    1. Hi Charles,

      Long-press on the message you want to delete, then when the batch selection icons appear at the top, touch the bin icon.

  15. In view of the obvious emergencies and disasters being created by all Western civilizations(?) governments(?) (it’s not a conspiracy, just a tried and tested formula) for the purpose of enacting draconian surveillance laws, witness the controlled 9/11 demolition, any thoughtful responsible world citizen needs secure comms (same as our bodies need blood).

    I’m a typical general purpose tech-savvy but only amateur in the field of comms. I found your article refreshingly clear to read and understand and exceptionally useful. I’ll check with some of my friends who like to put Unix front ends on to beef up their firewalls. But it’s most likely I’ll take your advice to install Signal on my Android machines.

    Your input is much appreciated.
    More power to your finger tips,
    Colin
