Signal Private Messenger Review -

Signal Private Messenger Review

Our summary

Signal is probably the best option currently available for keeping your text and voice conversations private.

Our Score



  • Open source and now fully audited for backdoors and other nasty surprises
  • Uses strong encryption with Perfect Forward Secrecy
  • Now available as an .apk file so no need for Google Play Services framework
  • Created by privacy legend Moxie Marlinspkie
  • As used by NSA whistle-blower Edward Snowden
Some alternative options for you...
Our Score
Our Score
Our Score

TextSecure and RedPhone were Android apps developed by security outfit Open Whisper Systems. Providing secure encrypted text chat and VoIP voice call capabilities respectively, we regarded both apps as being among the best (and arguably the best) options available for keeping your conversations private on Android.

In March this year (2015) Open Whisper systems released, Signal, an app for iOS that combines the functionality of both TextSecure and RedPhone, and this week it announced that “TextSecure is becoming Signal.”

Existing Android users will find your TextSecure app automatically updated to Signal, while RedPhone users are advised to uninstall the app (and install Signal instead, if you do not already have it installed.)

What is Signal?

Signal is a free and open source app that replaces your regular SMS messenger app, allowing you send and receive SMS messages as normal, except that when texting other Signal users in your contact list, all messages are automatically encrypted.

When texting non-Signal users you are given the option to invite them to Signal, or can simply send a message as normal via (unencrypted) SMS. Note that in the past TextSecure allowed users to send encrypted messages over SMS (as opposed to the internet), but this feature was removed from TextSecure due to lack of interest, and is not present in Signal.)

Signal 1

In addition to sending messages, you can “phone” contacts from within the Signal app. If the contact is another Signal user then the call is encrypted and routed over the internet (similar to Skype, but much more secure. And as with Skype, calls made in this way are free).

If the contact is not a Signal user then the app loads the contact’s telephone number into your regular phone dialer, ready for a normal (unencrypted and liable to your regular phone charges) phone call.

Signal is incorporated as the default messenger app in CyanogenMod, the very popular alternative OS or Android phones, and the TextSecure protocol on which Signal is based has also been adopted by the world’s most popular instant messaging app, WhatsApp (see end of this article for a few thoughts on this.)

Privacy & Security

Both TextSecure and RedPhone, which were both widely regarded in the technology security industry as among the best privacy tools available, are were recommended by Edward Snowden, who has now given the thumbs-up to Signal.

Snowden signal

Because Signal is open source, its code can be independently audited for backdoors and other nasty surprises. Last year a German research team did precisely this for TextSecure, and despite finding a vulnerability (now fixed), it gave the app the all-clear in its paper How Secure is TextSecure?

We are the first to completely and precisely document and analyse TextSecure’s secure push messaging protocol… We show that if long-term public keys are authentic, so are the message keys, and that the encryption block of TextSecure is actually one-time stateful authenticated encryption [and] prove TextSecure’s push messaging can indeed achieve the goals of authenticity and confidentiality.

Signal encrypts and decrypts all messages client-side (i.e. on the user’s phone before transmission and upon receipt), so they cannot be intercepted in transit. Messages can also be stored encrypted on the phone.

Each text is encrypted using perfect forward secrecy (using an ephemeral Curve25519 key), so that if any keys are compromised, the attacker will only have access to one small part of the conversation. The text body itself is encrypted using 256-bit AES in CTR mode, with Curve25519 Diffie-Hellman handshake/key protection, and SHA256 hash authentication (for more information on these terms please see here.)

Signal VoIP conversations are likewise encrypted client-side, with all voice communications between the app and servers encrypted using TLS, while the contents of communications are encrypted using 128-bit AES-CBC, with SHA1 hash authentication.

This is not as strong as the encryption used by Signal for text messaging, probably due the fact that encrypting and decrypting data uses processing power, so stronger encryption would negatively impact the quality of calls. For most purposes this level of encryption should be more than sufficient, but if very high levels of privacy are required then you should probably stick to text messaging.


Baseband processor

While all of this is very impressive, some concerns have been voiced. The first of these centers around the baseband processor that is present in every smartphone built to date. As Thom Holwerda writing for OSNews explains,

The problem here is clear: these baseband processors and the proprietary, closed software they run are poorly understood, as there’s no proper peer review. This is actually kind of weird, considering just how important these little bits of software are to the functioning of a modern communication device. You may think these baseband RTOS’ are safe and secure, but that’s not exactly the case. You may have the most secure mobile operating system in the world, but you’re still running a second operating system that is poorly understood, poorly documented, proprietary, and all you have to go on are Qualcomm’s Infineon’s, and others’ blue eyes.

The insecurity of baseband software is not by error; it’s by design. The standards that govern how these baseband processors and radios work were designed in the ’80s, ending up with a complicated codebase written in the ’90s – complete with a ’90s attitude towards security. For instance, there is barely any exploit mitigation, so exploits are free to run amok. What makes it even worse, is that every baseband processor inherently trusts whatever data it receives from a base station (e.g. in a cell tower). Nothing is checked, everything is automatically trusted. Lastly, the baseband processor is usually the master processor, whereas the application processor (which runs the mobile operating system) is the slave.

What this basically means is that ISPs can, if they choose to, bypass any encryption used by any app running on a mobile phone in real-time, allowing them to readily access all content on that phone in cleartext (by simply accessing the content as it becomes encrypted/decrypted).

Or at least that is the theory – no evidence of this actually happening has yet been reported. It should also be stressed that none of this is Signal’s, fault, and is a potential flaw in all mobile security software.

It should also be stressed that an adversary using such methods to spy on smart phone users’ encrypted communications would have to be very powerful (e.g. the NSA), and would almost certainly have to specifically target a known individual’s phone (so no blanket spying).


In addition to the baseband processor problem, the issue of where open source developers receive funding from worries some observers. As with other high profile open source privacy projects such as LEAP (which is used to run, WikiLeaks-alike GlobaLeaks (endorsed by Tor devs such as Jacob Applebaum), the Guardian Project (makers of ChatSecure and Orbot) , and the Tor Project itself, Whisper Systems receives generous financial assistance from US government funded agencies.

Privacy activists and open source developers argue that good math is good math, regardless of where the funding comes from, and that the funding necessary to develop secure systems is otherwise very hard to come by.

This question of funding has, however, led some to question the integrity of such claims. For an excellent discussion on this subject, please see Internet privacy, funded by spooks: A brief history of the BBG by Yasha Levine.

Despite these concerns (which affect all mobile apps and almost all major open source security projects respectively), Signal appears to be among the most secure applications currently available. You pays your money (or not in this case), and you takes your chances…

Google Play Services

The official Android version of Signal requires  the Google Play Services framework to be installed in order to run. Many consider this a major security issue, as this proprietary software gives Google the ability to perform extensive low-level surveillance on users’ devices. Head of Open Whisper Systems and chief developer of Signal, privacy and security legend Moxie Marlinspike, defended the requirement to for Google Play Services on the grounds that the app is dependent on Google’s GCM push messaging framework.

As of March 2015, however, Signal’s message delivery has been performed by Open Whisper Systems itself, and the client relies on GCM only for a wakeup event. For those who are still unhappy at having Google Apps (Gapps) on their device, LibreSignal is an open source Signal fork that uses Websockets instead of GCM, and therefore does not require Google Play Services to be installed.

Signal is now officially available as an .apk file, so no need for Google Play Services framework.

Signal in use

You need to register with Signal using your phone number (it is intended to replace your regular messaging app, so it needs to know this information anyway.) It will then generate a key pair. The identity of other users can be verified by reading out your ‘identity’ (public) keys to each other.

By default all your old messages and message history are imported, and Signal makes use of your default dialler contact list (at least it does in Android – we have not tested the iOS version.)

Signal features a group chat mode, and can send camera, picture, video, audio, and contact info attachments. There is also the option to encrypt messages locally, hiding access to them behind a passphrase. Remember that messages and voice calls between Signal users are not only encrypted, but are free.


Even without taking its privacy and security advantages into consideration, Signal makes an excellent SMS/MMS client that does a good job of replacing the stock one that came with your phone.

As far as security is concerned, it is probably the best option currently available for keeping your text and voice conversations private.

The baseband processor issue is a worry, but until open source baseband processor firmware becomes available (and we are not aware of any currently being developed), the only way around this issue is to only communicate on hardware with no cellphone capability, on  a very secure OS such as TAILS or (maybe) CyanogenMod, and use a secure desktop messaging or VoIP app (the newly released Tor Messenger also looks promising).

Signal is available to download for Android and iOS.

A note about WhatsApp

A major problem when trying to migrate towards a more secure software environment is that this generally requires getting your friends, family and colleagues on board. After all, if your no-one you know can be persuaded to install and use Signal, then it just acts as (not at all bad, but offering no real advantages over stock) SMS client.

Despite initial alarm by privacy advocates when it was purchased by Facebook, WhatsApp now uses the TextSecure protocol, and thanks to its established popularity, it may therefore be much easier to persuade your contacts to actually use WhatsApp (in fact there is a very good chance that many of them already do!)

Unfortunately, despite using the same underlying security protocol, Signal and WhatsApp are not compatible with each other.

Because WhatsApp uses the TextSecure protocol, in theory messages are encrypted client-side and are as secure as those sent via Signal (regardless of WhatApp being owned by Facebook.) However, because WhatsApp is closed source, there is no way to verify this, or that the app does not send a copy of users encryption keys back to Facebook.

The fact the Facebook owns WhatApps also hardly inspires confidence given its abysmal privacy record, so WhatsApp can never be considered anywhere near as secure as Signal.

On the other hand, however, you probably have a lot of friends who already use WhatsApp, and are therefore more likely actually encrypt their messages using the app…

Douglas Crawford
March 12th, 2018

I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. You can now follow me on Twitter - @douglasjcrawf.

51 responses to “Signal Private Messenger Review

  1. NB says:

    Signal uses a REAL PHONE NUMBER, you cant use VOIP numbers. SO matter whatever the encrytion the fact that the app demands a REAL PHONE NUMBER, cancels the security offered by encryption.

    If they allow VOIP numbers and method where you enter the login code manually (instead of the app detecting the SMS) then the app would fulfill as a secure messenger.

    There is no way in Signal for manual entry of login code.

    1. Douglas Crawford says:

      Hi NB,

      Indeed. With Signal the contents of calls and texts is very securely encrypted (if talking to another Signal user), but metadata is not. Signal is intended to seamlessly replace your default SMS message app and therefore requires a real phone number sign up with. It is quite possible, though, to sign up using a burner phone. You can then discard that phone and carry on using Signal with its number. If you need a VOIP option that uses aliases then I suggest something like Pidgin + OTR.

  2. chuck says:

    My concern is that using the desktop app with any vpn well, they are constantly talking to each other the signal on droid.. desktop etc… regardless of who you are messaging. so both ip’s go somewhere. If you are on the same lan same isp same router your isp can discoveror worse your real ip goes right through to the public. so is it safe to use both?
    at the same time

    1. Douglas Crawford says:

      Hi chuck,

      Signal uses end-to-end encryption. This means that only the sender and intended recipient(s) can see your messages.Your ISP (or VPN provider if using a VPN) can know who is talking to who with Signal, but it cannot know the contents of those communications (it cannot see your texts). When using Signal with a VPN, the data is routed via the VPN tunnel to the VPN server as with all other data. The only real difference is that your VPN can see who you are talking to, not your your ISP. If your VPN keeps no logs, however, then there will be no record of your conversation. TL:DR – yes, it is safe to use Signal and a VPN together.

  3. steve linuxe says:

    Hello,would a adversary see meta data if monitoring Ones phone ie IMEI,IP.MAC when using Sig? it concerns Me that it works of phone number in like Silent circle, also would there be a one way encrypted call option in the future, like Kryptall/SC has that would not reveal Ones phone number? thanks.

    1. Douglas Crawford says:

      Hi Steve,

      Signal requires a phone number in order to register for the service (although an burner phone number can be used for this, and then discarded. The registered number can still be used on another phone). As long as you use the apk version of Signal direct from the official website (which does not rely on Goggle Pay Services), no other metadata is collected.

  4. Claire says:

    Hi Douglas, is it possible to use the signal private messenger in the Philippines when you registered with your phone number in the US?

    1. Douglas Crawford says:

      Hi Claire,

      Yes. Signal requires a working phone number in order to connect you with your contacts, but it does not matter where that number is registered.

  5. D G says:

    HI Douglas.
    Why do so many apps, like Signal, need permissions to access so much of our phones apparent private stuff? For ex: my clock has permissions to everything, including sending and receiving sms or making phone calls w/o my knowledge? Who exactly is sending and recieving what to whom? Signals requires a lot of permissions and it seems each year the list grows as apps are updated. How can any of our info be considered secure under these circumstances? It is possible I do not understand the intent behind these permissionsites but they seem very suspect to me.
    Thanks for your information and articles.
    D G

    1. Douglas Crawford says:

      Hi D G,

      Many apps do require far more permissions than are required for them to do their job, but in Signal’s case I think the permissions it asks for are justified. Please see here for a full list of the permissions Signal asks for, with an explanation for why the app requires them.

  6. Logu says:

    Is the calling feature in signal private messenger more secure than p2p apps like antox and bleep?

    1. Douglas Crawford says:

      Hi Logu,

      Well, Antox is still in Alpha, and should therefore not be considered secure, while Bleep is closed source, which puts it out of the running as far as I am concerned. The advantage both these p2p apps have over Signal is that they do not require a centralized server in order to work, or valid phone number. Because Signal _does_ require these, it should not be considered particularly private, as it would be easy to log metadata relating to messages and calls. But what Signal is, is very secure. No-one will be able to intercept your messages or voice calls (as discussed in this article, voice calls are not as secure as messages, but are still pretty darn secure).

  7. Tom L. says:

    Why do I not get a notification tone when I get a text? I only get them while I’m texting. All my settings seem to be in order.

    It worked for about 2 weeks then stopped. I deleted and re downloaded several times to no avail.

    I have a Samsung Galaxy On5.

    Thank you!

    1. Douglas Crawford says:

      Hi Tom,

      Hmm. They work fine for me. All I can suggest is going to Settings -> Application Manager -> Signal and checking that Allow Notifications is turned on. Might also be worth turning Set as priority on as well…

  8. Rooni says:

    I only recently found this article, thanks.
    The only major problem is convincing users to ditch and leave Whatsapp, this is an almost impossible task LOL.
    Whatsapp now currently does not allow opting-out from sharing everything with Facebook.

  9. Marc says:

    Dear Douglas,

    can you tell more about the financial assistance from US government funded agencies.
    What is your source of info on this?

    Thanks and must say it seems a very good informative article.

    1. Douglas Crawford says:

      Hi Marc,

      Thanks! Between 2013-2014 Open Whisper Systems received some $1,355,000 in funding from the Open Technology Fund. The OTF is a US Government funded program created in 2012 at Radio Free Asia to support global Internet freedom technologies. Its mission is to “[utilize] available funds to support projects that develop open and accessible technologies to circumvent censorship and surveillance, and thus promote human rights and open societies”.

      Does or might this compromise the integrity of Signal? This person certainly thinks it does. On the other hand, Signal is open source, so its code can be independently audited.

      A recent audit by researchers from the University of Oxford in the United Kingdom, Queensland University of Technology in Australia and McMaster University in Canada gave the messaging app the all-clear,

      “We have found no major flaws in its design, which is very encouraging.”

      They have called on researchers to continue the testing and analysis of Signal, however. Personally, I trust good math and open source code that has been independently audited over paranoid inference based on how Signal is funded. But YMMV…

      1. not moxie says:

        Thanks for the article. I’d just like to point out that “Signal is open source, so its code can be independently audited” doesn’t really work. Signal is indeed open source and Moxie himself signs the code released to Google Play Store. However there is no way to audit with Google Play Store does with it, or to check that the binaries that you’re downloading from the Google Play Store actually correspond to the Signal open source code that you audited.

        1. not moxie says:

          typo, should read “However there is no way to audit what the Google Play Store does with it”

          1. Douglas Crawford says:

            Hi not moxie,

            That is a very good point. I’m rather busy at the moment, but will a update this article soon. The solution would be to use LibreSignal instead, but this has been discontinued following Moxie complaining about use of the word “Signal”. As I say, this article is in need of an update.

  10. Harriet says:

    Dear Douglas, thanks for the suggestion, I just did it so. Would be awesome if they created that feature!

  11. Harriet says:

    Why is there no possibility to directly create an audio message and send it? There is no such button that WhatsApp or Telegram have. The only way is to create a message in the voice recorder app and then send it from there via Signal. Quite complicated. is there an easier way or are they planning on creating that feature?

    1. Douglas Crawford says:

      Hi Harriet,

      I’m afraid you will need to ask Open Whisper Systems about this (and probably tick the Feature Request box).

  12. GLG says:

    Good Day, I have been using Signal for a week now and i have several friends that use is as well so I’m getting use to the secure features i hope. i do have a Couple of questions, though.. i was sent a video and i received a message. This Media has been stored in an encrypted database. Unfortunately, to view it with an external content viewer currently requires the data to be temporarily decrypted and written to storage. are you sure that you would like to do that.

    what are the pro and cons to this message?
    where is the encrypted database?
    and does the files stay on my phone once viewed?

    1. Douglas Crawford says:

      Hi GLG,

      – You cannot be sent videos using Signal per se., so you have simply been sent a link to the video.
      – The encrypted database will be wherever your friend has chosen to store the video. You can probably tell from the video URL that you were sent (but this might be masked with a short URL or something similar).
      – The file will be downloaded to your phone (unencrypted). You can permanently delete it, however, using an app such as File Shredder.

  13. Samane says:

    Does deleting message history with a friend remove it from their end to? Or will they still have a record of the converstaion and attachments etc?

    1. Douglas Crawford says:

      Hi Samane,

      That is a very good question. I don’t think it is possible to delete messages on another person’s phone, and I don’t think many users would be happy with that idea anyway, even where such a feature to be available.

  14. Peter says:

    Is signal uploading the users contact list to the server opening the possibility to track multiple users networks of relationships?

    1. Douglas Crawford says:

      Hi Peter,

      According The Intercept,

      “Signal users must share their contact list with the app in order to find other users — in WhatsApp, this is optional but recommended. But Signal doesn’t directly send your contact list to the server. Instead, it uses what’s known as a cryptographic hash function to obfuscate phone numbers before sending them to the server. (It also truncates the hashed phone numbers, if we’re being precise about things.) The server responds with the contacts that you have in common and then immediately discards the query, according to Marlinspike.”

      So no, it should not be possible to track users via their network of contacts.

  15. Angela says:

    My question is, does using signal to text someone internationally avoid fees from mobile carrier? In other words is texting free when using signal as opposed to the stock Msgr on the phone?

    1. Douglas Crawford says:

      Hi Angela,

      So… if the other person also uses Signal, then the message is sent via the internet, and is free. If the other person does not use Signal then the message is sent via regular SMS, and will cost your usual SMS fee.

  16. sreedevi says:

    even though i gave my exact contact no it shows can’t connect to server. ?

    1. Douglas Crawford says:

      Hi sreedevi,

      I’m afraid that you have to take this issue up with the devs.

  17. james says:

    You might want to follow up on how to get google voice or Hangouts as your phone number. However, the issues with the non registered mobile number going to unsecured users should be disclosed…

    Very odd, inho.

    1. Douglas Crawford says:

      Hi james,

      An article on obtaining a Google Voice phone number is a great idea. Thanks. The way in which Signal uses your regular phone number is no secret, and is part of the core appeal of the product as it simply replaces your regular SMS app.

  18. Huw says:

    Signal can only send SMS over internet, so if data and wifi are off either end the message won’t get through, right?

    1. Douglas Crawford says:

      Hi Huw,

      Nope. If your contact is also a Signal user then Signal will send a them an encrypted message over the internet. If your contact is not a Signal member you can just send them a regular SMS message (via the phone network, not the internet). You can also send other Signal users regular SMS messages,w which is useful if no internet is available for either party (long-press on the “Send” icon and select “Insecure SMS).

  19. Shannon says:

    Having issues with missing texts at both client and receiver ends. At times, the texts disappear like they were never written. At others, they simply fail (repeatedly ).

  20. Smarmy says:

    I’m testing out Signal right now, and I just can’t wrap my head around why I need to give it access to all of my contacts in order for it to work. That just screams “bad news” to me. Can anyone give me a reason why someone who needs encryption wouldn’t be rightfully paranoid about that level of access?

    1. Douglas Crawford says:

      Hi Smarmy,

      Signal works as a replacement to your phone’s regular messenger app. When you message or phone another user in your contact list who is also a Signal user, the message or call is encrypted by default. If the contact is not a Signal user the app suggests that you invite them to Signal, or sends the message/call encrypted. Accessing your contacts is required for Signal’s functionality. If you are not happy with this way of doing things, check out my article on Secure alternatives to WhatsApp (and SureSpot in particular.)

  21. Jose Antonio Gonzalez Yaned says:

    Recomendado como muy bueno el Signal

  22. vlad says:

    Well it dont work on iphone4 anymore it keeps saying “Registration fail we couldnt reach the signal server . try again ” …

  23. Duane King says:

    Hello, thanks for a very clear description of this service. I am a counsellor/therapist/social worker and I am looking for ways to email and text clients. For the moment my community health centre has a policy that we should not be emailing or texting any confidential/sensitive information however we can use fax for anything(?!). I mostly work with teens who prefer to communicate electronically so I wish to convince my agency to change their policies however I want to offer solid options. Signal and Hushmail are two options I have identified. Final question: is their a way for me to text a client while keeping my phone number (personal cell) anonymous? I have discovered #31# for calls but what can I do with text messages?? Thanks, Duane

    1. Douglas Crawford says:

      Hi Duane,

      Hushmail is not considered a secure option, thanks to this. Signal is a good option, but it does require you client knowing your phone number. If you wish to hide your phone number then something like ChatSecure or Jitsi may be better (please see my article on Secure alternatives to WhatsApp.) Another option would be to use a secure email service such as ProtonMail or Tutanota.

  24. Kevin Smethers says:

    Why doesn’t Signal have an auto delete function like other secure messengers? Basically if someone found a phone and was able to bypass the PIN, all signal messages can be read.

    Other messengers delete messages each time you open the chat

    1. Douglas Crawford says:

      Hi Kevin,

      Well, bypassing the PIN should not be too easy as the messages are all encrypted locally, but you do have a point. A workaround could be to go to Settings -> Chats and media – Message trimming, and set conversation limit to 0…

      1. TomW says:

        Unless there’s a bug in my version of the app, setting the trim limit to 0 is not possible. It refuses to accept anything lower than 1.

        1. Douglas Crawford says:

          Hi TomW,

          Yup. Just checked and you are right. Sorry.

  25. Charles says:

    Hi. I am using the Signal messaging app on my Samsung Note 3/ Android. How can I delete text messages? I can’t figure out how to do that.

    1. Douglas Crawford says:

      Hi Charles,

      Long-press on the message you want to delete, then when the batch selection icons appear at the top, touch the bin icon.

  26. Colin says:

    In view of the obvious emergencies and disasters being created by all all Western civilizations(?) governments(?) (Its not a conspiracy, just a tried a tested formula) for the purpose of enacting dragonian surveilance laws, witness the controlled 9/11 demolition, any thoughtful responsible world citizen needs secure comms (same as our bodies need blood).

    I’m a typical general purpose Tech savy but only amateur in field of comms. I found your article refreshingly clear to read and understand and exceptionally useful. I’ll check with some of my friends who like to put Unix front ends on to beef up their firewalls. But its most likely I’ll take your advice to install Signal on my Android machines.

    Your input is much appreciated.
    More power to your finger tips,

Leave a Reply

Your email address will not be published. Required fields are marked *