Signal App Review – Is it Really Secure and Private?

You need an app that you can trust with your messages. Signal is considered one of the world’s greatest open-source and secure messaging applications. But does it really protect your data and communications from third parties?

In this Signal messenger review, we’ll discuss the app’s features, settings, privacy capabilities, pros/cons and more.

What Is the Signal App?


In this Signal review, we’ll explain what this encrypted and secure messaging app has to offer and whether it’s one of the best private messenger apps available for your phone.

The Signal messenger application essentially replaces a regular SMS app that you might have on your iPhone or Android. Messages that are sent and received to/from other Signal users travel over the internet rather than through your mobile device. Through this process, Signal protects your texts with powerful end-to-end encryption.

But what about messages sent to/from non-Signal contacts? Well, Signal makes sure these messages go through your regular SMS text messaging service. Therefore, they are not as secure as Signal’s own messages. Whenever the user is trying to send an insecure text message, the Signal app takes it upon itself to inform the user of potential security issues. Then the app tries to encourage the user to invite their contact(s) into the fold of the Signal family. This setup ensures that your texting experience is as seamless as possible.

The Signal app covers both Signal users as well as non-Signal users. With that said, keep in mind that the developers behind Signal have designed the app to replace the user’s regular client for SMS. And because of that, the official Signal app requires the user to register with Signal by inputting a valid cell phone number. We’ll cover this problem in a later section of this review.

One aspect that separates Signal from the competition is that it’s one of the most transparent apps you will ever see during usage. This essentially makes it easy for Signal users to convince colleagues, family and friends to come over and use the app right away. Apart from handling SMS and text messaging, the Signal app also has support for online and secure video calls and voice (VoIP) communication between users.

Signal is mainly used as a mobile messaging app, but you can download the desktop version as well. It’s available for Windows, macOS and Linux.

Is Signal Safe?

Signal encrypts and secures all Signal messages with the help of the new Signal Protocol. Compared to other text messaging protocols, the Signal Protocol is among the most secure systems developed to date.

On a more technical note, the Signal Protocol fundamentally amalgamates…

  • Pre-keys
  • Double Ratchet algorithm
  • The X3DH (or Extended Triple Diffie-Hellman) key agreement security protocol

And, it makes use of the following systems as its cryptographic primitives:

If you want to know more about what all these terms mean and how they come together, click here. Several formal and independent audits have confirmed that the Signal Protocol is sound, cryptographically speaking. Signal also makes use of the same encryption standards when it comes to video and voice calls.

Installing Signal

Mobile (Android, iOS)

Search for Signal on the Google Play Store on an Android phone or the Apple App Store on an iOS device. Then, use your phone number to register on Signal. You can’t start using the Signal mobile app without a phone number. Some might argue that this compromises their privacy, but Signal says it helps them find other people via the user’s contact list. You can utilize the Signal app to make video calls, audio calls, texts, group messages, and share files. 

Pro Tip:

Note that if the receiver of your content is not using Signal, the app will send encrypted MMS messages to SMS. Signal will always notify you if that is the case. It will also tell you if the other person has a Signal account.

Desktop (Windows, macOS, Linux)

Like any other app, you first have to get the installer from the official website and then follow the installation instructions. You can download the Windows and macOS installers from Signal’s website.

But the process is different for Linux. You will have to execute some instructions from the command line. The Signal Linux app only supports Debian-based Linux distributions. These include Mint, Ubuntu, ElementaryOS, and others. 

Here are the commands you have to execute (from the official website) in order:

# 1. Install the official public software signing key:
wget -O- https://updates.signal.org/desktop/apt/keys.asc |\
  sudo apt-key add -

# 2. Add the repository to your list of repositories:
echo "deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main" |\
  sudo tee -a /etc/apt/sources.list.d/signal-xenial.list

# 3. Update your package database and install Signal:
sudo apt update && sudo apt install signal-desktop
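
A hardened variant of the three steps above, added here as an example (it is not from Signal's website or from this review). `apt-key add` places the key in APT's global trusted keyring, where it is trusted for every configured repository, and `apt-key` is deprecated on current Debian and Ubuntu releases; the script below checks the downloaded key's fingerprint and then scopes the key to the Signal repository with `signed-by`. The keyring path, the function names and the `EXPECTED_FPR` placeholder are assumptions; take the real fingerprint from a source you trust.

```shell
#!/bin/sh
# Added example: pin the Signal repository key to its own repository.
# URLs, suite name and list file are taken from the commands in the article.
KEY_URL="https://updates.signal.org/desktop/apt/keys.asc"
REPO_URL="https://updates.signal.org/desktop/apt"
LIST_FILE="/etc/apt/sources.list.d/signal-xenial.list"
# Assumed keyring location (any root-owned path outside trusted.gpg.d works).
KEYRING="/usr/share/keyrings/signal-desktop-keyring.gpg"
# Placeholder: replace with the fingerprint you obtained out of band.
EXPECTED_FPR="REPLACE_WITH_FINGERPRINT_OBTAINED_OUT_OF_BAND"

# Strip spaces and colons and upper-case the hex digits so that
# "ab cd 12" and "ABCD12" compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'
}

# Succeeds only if both fingerprints are identical after normalisation.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Build the sources.list entry; signed-by restricts the key to this repo.
sources_line() {
    printf 'deb [arch=amd64 signed-by=%s] %s xenial main\n' "$1" "$2"
}

# Print the primary-key fingerprint of an armored key file without
# importing it into any keyring.
key_fingerprint() {
    gpg --show-keys --with-colons "$1" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

install_repo() {
    tmp=$(mktemp) || return 1
    wget -qO "$tmp" "$KEY_URL" || { rm -f "$tmp"; return 1; }
    got=$(key_fingerprint "$tmp")
    if ! fpr_matches "$got" "$EXPECTED_FPR"; then
        echo "Key fingerprint mismatch, refusing to install: $got" >&2
        rm -f "$tmp"
        return 1
    fi
    # Store the key in binary form in a dedicated keyring file.
    gpg --dearmor < "$tmp" | sudo tee "$KEYRING" > /dev/null || return 1
    rm -f "$tmp"
    # Overwrite (not append) so a stale entry without signed-by cannot remain.
    sources_line "$KEYRING" "$REPO_URL" | sudo tee "$LIST_FILE" > /dev/null
    sudo apt update && sudo apt install signal-desktop
}

# Nothing touches the network or the system unless "install" is requested.
if [ "${1:-}" = "install" ]; then
    install_repo
fi
```

Run it as `sh script.sh install` after setting `EXPECTED_FPR`; a mismatch stops before anything is written to the system.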

Again, you will have to input your phone number to register yourself, even on the desktop app. The first time you launch the app, it will display a QR code. Scan it to register and start using the app. 

How Private Is the Signal App?

As an end-to-end encrypted secure messaging app, Signal allows users to receive and send encrypted messages from other mobile app users.


Signal is an open-source software application, meaning that the copyright holder has publicly released the source code. Everyone else apart from the copyright holder can audit the app independently to spot bugs and errors. Security researchers usually take advantage of such an opportunity to ensure that the application is not engaging in malicious activity. In 2016, security researchers ran a full independent audit of the Signal app and found it was cryptographically secure.

When source code is closed, there isn’t a method for outsiders to know and understand what a given app’s code is attempting to do. Without this disclosure, it’s difficult to confirm whether the app delivers on its promises to keep users’ communications safe and secure. That is also why many suggest that you should never trust an app with your security and privacy that is not open source.

Signal is the most popular open-source messaging app that delivers on its promise to keep users’ messages private and secure.

What About Encryption?

As mentioned above, Signal makes use of end-to-end encryption for all of its messages. Signal secures all user messages by encrypting them before they’re sent to their intended recipient. This way, only the recipient of the message has the privilege to decrypt the message from the sender.

This method essentially removes any need on the part of the user to trust a third-party application to keep their data safe and secure. Furthermore, it also means no third-party application or service has the opportunity to access the user’s messages while they are in transit.

In fact, many believe that the only way for a given adversary to access the user’s messages (sent via Signal) is if the adversary has managed to gain direct, physical access to their smartphone. And even in that case, the Signal app comes with the option to encrypt all the messages that the user has stored on their device. This end-to-end encrypted messaging system makes it impossible for anyone to access any of the user’s messages unless a bad actor is able to coerce the owner of the smartphone to reveal their passcode.

The key takeaway here is that while Signal takes care of the messages that are sent via its own application, it does not do the same for messages that you send to non-Signal users.

Signal Security Features


Signal provides the option to lock notifications and messages with passphrases. The app also includes an “incognito keyboard,” which operates like any standard keyboard but doesn’t record the content typed onto it. The Signal app also has a feature that makes messages disappear, similar to the defining feature of Snapchat.

One other important feature offered by the Signal app is its mechanism allowing users to verify a given contact’s identity. Each user of the app gets to have their own fingerprint or safety number. Users have the option to compare that number with all the other participants and then mark them as verified participants. This comes in handy when you want to make sure that the contact really is who they say they are.

Let’s take a brief look at some of the most useful features this open-source messaging app has to offer:

  • Option to auto-delete text messages
    • Signal users can make their text messages disappear from not only their own devices but also from the device of the phone number they sent the text message to after a certain time
  • Option to view the percentage of encrypted text messages among all messages
  • Option to send “view-once” media
    • Allows users to auto-delete videos and photos after another Signal user has viewed them just once
  • Reaction emojis featured in the reply function
  • Security indicators
    • Desktop and iOS Signal apps allow users to confirm that their encrypted text messages have been sent and received
    • For Android, if the connection is fully secure, Signal will show a blue Send icon, a closed-lock image, and text which says Signal Message

Devices Compatible With Signal

Signal currently supports these platforms:

  • iOS
  • Android
  • Linux
  • Windows
  • macOS

How To Use Signal

Once you’re finished installing the official Signal encrypted messaging app on your smartphone device, you can set it as your default SMS application. (This process might be different for different devices/operating systems.) When you do this, those same default settings dictate that all of the user’s old messages are imported. Signal also makes full use of the user’s default dialer and contact list.

Ultimately, you won’t notice much of a difference in using Signal as your default SMS messaging app—especially when you’re dealing with users who don’t use Signal. However, you might notice a notification reminding you to invite your contacts to Signal. Also, when you send a message to a contact that uses the Signal app, the app alerts you.

As mentioned before, Signal also offers a voice call feature, a group chat feature and a video chat feature. All Signal conversations are transmitted securely over the user’s internet connection. And they are all free. Of course, you still have to watch out for any bandwidth charges that your mobile provider or internet service provider might throw your way. But, your costs related to SMS messages will remain the same depending on your mobile carrier and your mobile payment plan.

Who/What Is Behind Signal?

Open Whisper Systems (formerly Whisper Systems) is the parent organization behind the Signal secure messaging app. Open Whisper receives financial assistance through the Signal Technology Foundation, which is funded by donations, grants and public government-sponsored funds.

Other similar open-source, donor-funded projects also offer privacy-focused tools, like…

Many privacy activists and open-source software developers argue that privacy-first platforms are essential, irrespective of where the funding comes from. Secure applications and protocols both need a lot of funding, and that funding has to come from somewhere. Yet, this simple but fundamental question has led many to raise concerns about the integrity of such projects and their claims of privacy.

Despite these concerns, though, Signal is still the safest and most secure open-source encrypted messaging app operating in the mainstream market today. Its application is rock solid and works effectively cross-platform.

Problems With the Signal Mobile App

In the past, Signal’s developers have made some design decisions that prompted criticism. The staff working at Signal has tried to answer those criticisms, though. We’ll provide a rundown in this section of our Signal review:

Phone Contact List Discovery

Above, we mentioned that the Signal messaging app seamlessly replaces the default SMS messenger in your phone. To actually do that, Signal has to make use of real phone numbers and match them with real contacts. Some regard this situation as a legitimate privacy risk. Some people may prefer a system where sufficient contact discovery takes place based on anonymous usernames and/or email addresses. That way, they won’t have to give up their contact list or phone number items and text messages stored on their phone.

However, our research shows that there are some reasonably solid mitigating factors going directly in favor of the Signal messaging app. The first factor is that Signal does not have the ability to see the user’s contacts. No one can access your real contact list apart from you.

The second factor is that Signal allows users to register with the help of a disposable or burner SIM card and/or phone. Once the user has managed to register the Signal application, the app itself doesn’t need the phone number in order to run properly.

Problems With Signal on the Google Play Store

When Signal first arrived on the scene, there was no way for anyone to download the official app apart from doing so at Google Play Store.


Because of that, users had to run Google Play services on their smartphones to get the Signal app to work. Signal creator Moxie Marlinspike robustly defended the decision to make the app available only on the Google Play Store. However, many privacy-conscious consumers and media publications considered the move a serious privacy and security issue, since any proprietary software available on the Google Play Store has no option but to grant Google the ability to perform deep, low-level surveillance on Android users’ smartphones.

And even now, Signal recommends that all users download the official Signal app through the Google Play Store. However, now the company has made it possible for users to download the official app with the help of a Google-free .apk file. It is available for free on Signal’s website.

What About the Signal App Keeping Metadata?

One thing to understand about the Signal Protocol is that it makes no attempt to stop a given company from trying to retain various pieces of information on the people a Signal user communicates with. However, our research shows that the only information or metadata that Signal, as a service, retains is the last date of a given user’s connection with the Signal app and the time and date when the user registered with the service.

Keep in mind that even though many other online services have managed to incorporate the Signal Protocol right into their own offerings, there’s no guarantee that they have a robust attitude towards the privacy of their users.

There has also been an issue with WebRTC leaks for all messaging apps, including Signal (not caused by Signal’s code but by the software in the devices). While for most users this will not be an issue at all, some users want absolutely everything hidden, including their location.

WebRTC leaks can reveal your DNS IP, which can narrow down your location. To mitigate this risk, you can run a VPN on your device or use free proxy servers, and also test for WebRTC leaks.

Baseband processor

Inside every smartphone device that any manufacturer has ever built, there is the baseband processor—a closed-source proprietary chip. Because it is closed-source, very little is actually known about the baseband processor’s source code. Thus, no one can guarantee that mobile providers couldn’t use this baseband processor to bypass any and all secure and end-to-end encryption technologies that messaging services might use on a mobile device.

Moreover, some have the skills to readily access any content that exists on a given smartphone in real time and in cleartext by simply accessing the content at the exact point when an application is encrypting or decrypting a message. But this is only theory. Practically speaking, no one has yet come up with a piece of evidence that a hacker or anyone else has managed to do that. Perhaps we should further stress the point that none of the problems we have mentioned above are inherently Signal’s own fault.

However, these potential flaws could (rather, do) affect all software related to mobile security. And, any adversary that uses these methods to spy on a smartphone device and the user’s encrypted communications must have plenty of resources at hand. Government surveillance and security departments, like the U.S. National Security Agency or the Central Intelligence Agency, could fall into this heavily resourced category, though they typically have a particular target in mind before spending a vast amount of resources on a spy operation. The NSA likely will not waste its already-limited resources on blanket spying operations.

Countries That Have Blocked Signal

Signal introduced measures like domain fronting in December 2016 when the Egyptian government decided to block the app. Such measures allowed existing Signal users in restrictive countries to have the ability to circumvent and bypass internet censorship. Signal gave the appearance that the user had connected to another internet-based online service, not Signal itself.

Currently, Signal has enabled features like domain fronting in countries including:

  • Qatar
  • Oman
  • UAE
  • Egypt

Hence, users in these countries should not have any problems accessing Signal as normal users. The unfortunate thing here is that Signal users living in Iran can’t use this feature yet. Signal has to rely on the Google App Engine, and its associated services, in order to enable features like domain fronting. The Google App Engine is currently not available in countries like Iran.

In compliance with sanctions coming from the United States, Google has no choice but to bar the Google App Engine from operating in Iran.

Messaging App Software Programs That Use the Signal Protocol

Messaging apps and platforms that use the Signal Protocol include:

  • Facebook Messenger
  • WhatsApp
  • Skype

The fact that so many popular messaging applications are making use of the Signal Protocol is a huge plus for privacy. The Signal Protocol has managed to bring encrypted, open-source messaging features to millions of mobile users who exchange messages with their contacts on a daily basis.

However, even though some of the most popular applications use the Signal Protocol, it does not mean that these third-party messaging services are as safe and secure as the Signal messaging app itself.

Some of these messaging apps are not even close to offering users the kind of privacy that Signal offers. Many of these apps are also closed-source, meaning no one can know with absolute certainty what these apps are trying to do. While unlikely and unproven, these messaging services could possibly send users’ encrypted keys back to Microsoft or Facebook.

Zohair A. Zohair is currently a content crafter at Security Gladiators and has been involved in the technology industry for more than a decade. He is an engineer by training and, naturally, likes to help people solve their tech related problems. When he is not writing, he can usually be found practicing his free-kicks in the ground beside his house.

15 thoughts on “Signal App Review – Is it Really Secure and Private?”

  1. Not being technologically savvy, I don’t understand what this means. 
    “And those same default settings dictate that all of the user’s old messages along with message history gets imported.”

    What does it mean that something gets “imported”? 

    Will all the saved text messages and conversation threads disappear?

    And upon installing the app is there an option to list only certain contacts to receive encrypted messages?

  2. Thank you for this article

    Can spyware someone places on your phone to read texts and apps be used on Signal? Can spyware read my messages on this app?

  3. Where is the Signal messenger server? And if it is too much secure, then can its admin or database manager have any privilege to see the users’ encrypted communications, meaning texts and video/audio calls? If they can’t see them, then it will be called a secure app; otherwise users’ information still gets leaked like on other apps.

    • Hi Hassan.
      Thanks for the comment.
      To that point, no app in the world is one hundred percent secure or private. The fact that you have used a smartphone to connect to the internet basically gives everything away to a malicious hacker of a high skill level.
      Signal is the best app that is ‘available’ for users in the sense that this is the app you want to use if you want to give yourself the highest chance of not getting your messages seen by people who have no business seeing your messages.

    • Hi Sohail.
      Thanks for the comment.
      Currently, there seems to be no limit on group creation. Of course, Signal, just like any other messaging app, will have a spam policy where it would block group creation in quick succession.

  4. Good morning from South Africa. Your article is the 1st I’ve ever seen that avoids jargon and is understandable to a layman. Thus I write to ask this. Can you tell me (and I suspect many others) exactly what, ignoring the security aspects, can I do with Signal that compares with WhatsApp and what are the good bad alternatives of the 2 pls? Tks in hope. ! John

    • Signal you can feel much safer, they are the industry leader in secure IM. WhatsApp is owned by Facebook so I wouldn’t trust them as far as I could throw them!
