Signal Review (The complete edition you have to read)

What is the Signal App?

signal_app_review
You need an app that you can trust with your messages. Is Signal that app?

Primarily, you can think of Signal as the world’s greatest open source and secure messaging application.

It essentially replaces that regular old SMS app that you might have on your iPhone or Android.

Messages that come to you from other Signal users or you send to other Signal users go over the internet rather than your mobile balance.

Moreover, Signal protects all of them with the help of powerful end-to-end encryption.

So what about messages that you get and send to non-Signal contacts?

Well, Signal makes sure that they go through your regular SMS text messaging service.

Therefore, they are not as secure as Signal’s own messages.

Whenever the user is trying to send an insecure text message, the Signal app takes it upon itself to inform the user that sending such a message is insecure.

Then the app tries to encourage the user to invite his/her contact into the fold of the Signal family.

Such a setup does a great job of ensuring that Signal is as seamless to make use of when trying to send text messages through any means.

The Signal app covers both Signal users as well as non-Signal users.

With that said, keep in mind that the developers behind Signal have designed the app to replace the user’s regular client for SMS.

And because of that, the official Signal app requires the user to register with Signal by inputting a valid cell phone number.

We will discuss this problem in a later section today.

The thing that makes Signal stand out from the rest is that Signal is the most transparent app that you will ever see during usage.

This essentially makes it a lot easier for someone to convince colleagues, family, and friends to come over and use the app right away.

Apart from handling SMS and text messaging, the official Signal app also has support for online and secure video calls and voice (VoIP) between various users.

Of course, Signal is still pretty much a mobile application.

But you can also make use of a desktop version if you want to.

Is the official Signal app completely open source?

Yes.

shutterstock_1252987225

You should know that an open source software application is that application for which the copyright holder has publicly released the source code.

For everyone else apart from the copyright holder, it means they can audit the app independently in order to spot bugs and errors.

Security researchers usually take advantage of such an opportunity to make sure that the application is not engaging in something that it should not engage in.

Back in 2016, security researchers ran a full and independent audit of the Signal app.

And they found that the official Signal app was cryptographically secure.

When a source code is closed, there is actually no method for outsiders to know and understand what a given app’s code is trying to do.

Hence, it is hard to trust such an app keeping the users’ communications safe and secure.

That is also the reason why many suggest that you should never trust an app with your security and privacy that is not open source.

Signal is the open source messaging app that keeps the user’s messages private and secure.

What about encryption?

As alluded to before, Signal makes use of end-to-end encryption for all its messages.

More specifically, Signal secures all user messages by encrypting them before it sends them to your recipient.

Moreover, only the recipient of the message has the privilege to decrypt the message from the sender.

This method of sending messages essentially removes any need on part of the user to trust any kind of third-party application in order to keep their data not only safe and/or secure.

Furthermore, that also means no third-party application or service has the opportunity to access the user’s messages while they are in transit.

In fact, many believe that the only way for a given adversary to have any chance of accessing the user’s messages (which are sent via Signal) is if the adversary has managed to have direct and physical access to the user’s or the user’s recipient’s smartphone.

And even in that case, the official Signal app comes with the option of encrypting all the messages that the user has stored on his/her device.

This essentially also makes it impossible for anyone to access any of the user’s message unless and until a bad actor manages to somehow coerce the owner of the smartphone device to reveal his/her passcode.

All that you need to remember here is that even though Signal takes care of messages that are sent via its own application, it does not do the same for messages that you send to non-Signal users.

How secure is the Signal messaging app?

The official Signal app encrypts and thus secures all Signal messages with the help of the new Signal Protocol.

Our research shows that the Signal Protocol is arguably the one which is most secure.

Some believe that as far as text messaging protocols go, the signal protocol is the most secure one ever developed by anyone.

On a more technical note, the Signal Protocol fundamentally amalgamates,

  • Pre-keys
  • Double Ratchet algorithm
  • The X3DH or the Extended Triple Diffie-Hellman key agreement security protocol

And makes use of

as its cryptographic primitives.

If you want to know more about what all these terms mean and how they come together then click here.

We have already noted the fact that various formal and independent audits have confirmed that the Signal protocol is sound, cryptographically speaking.

Signal also makes use of the same encryption standards when it comes to video and voice calls.

Extra Signal security features

shutterstock_1214472718

Users have the option of locking notifications and messages with paraphrases.

Moreover, the Signal app also allows the user to opt to make use of a, what it calls, incognito keyboard.

It is just a regular keyboard but it differs from the standard keyboards in the sense that it does not try to learn stuff from the things that the user types on it.

The official Signal app also happens to have a feature where it can make messages disappear.

Think of it as more as the defining feature of Snapchat.

One other important feature that the official Signal app provides to users is a mechanism through which users can actually verify a given contact’s identity.

In fact, each given user conversation with another user gets to have a fingerprint or a safety number.

Users have the option of comparing that number with all the other participants and then mark them as verified participants.

This comes in real handy when you want to make sure that the contact really is who he/she says he is.

Some problems with the official Signal app

Recently Signal has made some design decisions which has prompted some publishing outlets in the media to criticize the app.

And to be fair to the staff working at Signal, it has tried to answer those criticisms.

Let’s take a look at just some of them.

The problem of Contact discovery.

Remember when we told you that the Signal app seamlessly replace the default SMS messenger in your phone?

It replaces that with, of course, the official Signal App.

Well, it turns out, in order to actually do that the official Signal app has to make use of real phone numbers in order to match them with real contacts.

Some regard this situation as a legitimate privacy risk.

Perhaps there are people out there who would not prefer a system where sufficient contact discovery takes place based on anonymous usernames and/or email addresses.

But perhaps there are some who would prefer that.

However, our research shows that there are some reasonably solid mitigating factors which go directly in the favor of the official Signal app.

The first factor is that the official Signal app does not have the ability to see the user’s contacts.

Moreover, no one can access your real contact list apart from you.

The second factor is that Signal allows users to register with the help of a disposable or burner SIM card and/or phone.

Once the user has managed to register the official Signal application, the app itself does not really need the phone number in order to run properly.

The problem of Google Play Store

It is true that when Signal first arrived on the scene there was no way for anyone to download the official app apart from doing so at Google Play Store.

shutterstock_1192408069

Because of that, users had to run Google Play Services on their smartphone devices to get the official Signal app to work.

There is also no doubt about the fact that Moxie Marlinspike actually defended, a robustly so, the decision of making the app only available on Google Play Store.

However, a lot of privacy-conscious online consumers and media publications considered the move as a serious privacy and security issues since any proprietary software which is available on Google Play Store has no option but to grant Google the ability to go ahead and perform rather deep low-level surveillance on Android user’s smartphone devices.

And even now, Signal recommends all users that they should download the official Signal app through the Google Play Store.

However, now the company has made it possible for users to download the official app with the help of a Google-free .apk file.

It is available on the official website of Signal for free.

What about the Signal app keeping metadata?

Now, the thing you should understand about the official Signal protocol is that it makes no attempt to stop a given company from trying to retain various pieces of information about with whom and when the Signal user communicates.

However, our research shows that the only information or metadata that Signal, as a service, retains is the last date of a given user’s connection with the official Signal app and the time and date on which the user registered with the service.

Now, keep in mind that even though a lot of other online services have managed to incorporate the official Signal Protocol right into their own offerings, there is no guarantee that they have a robust attitude towards the privacy of their users.

Who funds Signal?

Whisper Systems.

In other words, it is the parent company of Signal.

And it receives various forms of financial assistance from several different agencies which are funded by the United States government.

Do take note that there are other open source and privacy-first projects which are pretty high profile and do the same thing.

Of course, we’re talking about projects such as,

  • The Tor Project
  • The Guardian Projects with products like Orbot and ChatSecure
  • GlobalLeaks (which has received endorsements from developers of Tor like Jacob Appelbaum)
  • LEAP (this is the project that RiseUp.net makes use of for its own services)

There are those privacy activists along with open source software developers who make strong arguments that good math is actually good math irrespective of where that good math or its funding comes from.

The other thing readers should understand is that secure applications and protocols both need a lot of funding.

And that funding has to come from somewhere.

If there are no huge organizations funding open source projects then these would die pretty quickly.

Of course, this simple but fundamental question of project funding has lead many to raise questions about the integrity of such projects and their claims of privacy.

There are lots of places on the internet that talk about how projects which are funded by spooks themselves work.

Now, without that out of the way, we would like to remind you that despite all such concerns, Signal is pretty much the safest and more secure of all mainstream open source projects.

Its application is rock solid and works pretty well cross-platform.

Baseband processor

Many of our readers might still not know that inside each and every smartphone device that any manufacturer has ever built, there is the baseband processor, a closed-source proprietary chip.

You have to understand that very little is actually known about the baseband processor because, of course, it is a chip that is closed source.

And there is no reason to not believe that mobile providers could use this baseband processor to bypass any and all encryption technologies that any application might make use of while being on a mobile phone.

Moreover, some have the skills to readily and easily access any content that exists on a given smartphone device in realtime and cleartext by simply accessing the content at the exact point when an application is encrypting or decrypting it.

But that’s only theory.

Practically speaking, no one has yet come up with a piece of evidence that a hacker or anyone else has managed to do that.

Perhaps we should further stress the point that none of the problems that we have mentioned above are inherently Signal’s own fault.

What we have talked about here are potential flaws which could and rather do affect all software related to mobile security.

What readers should also understand that any adversary which make use of such methods in order to spy on a smartphone device and the user’s communications which are encrypted must have plenty of resources at hand.

The one adversary that has the required resources to do all of it is NSA.

But the NSA generally has a very specific target in mind before it decides to spend a vast amount of resources on a spy operation.

We have no reason to believe that the NSA would waste its already limited resources on blanket spying operations.

Countries that have blocked Signal

Signal introduced measures such as domain fronting when in December of 2016, the government in Egypt decided to block the app.

Such measures allowed existing signal users in various restrictive countries to have the ability to circumvent and bypass internet censorship.

Basically, Signal made it look like the user had connected to some other internet-based online service not named Signal.

Currently, Signal has enabled features such as Domain fronting in countries such as,

  • Qatar
  • Oman
  • UAE
  • Egypt

Hence users in these countries should not have any problems in accessing Signal as normal users.

The unfortunate thing here is that Signal users living in Iran can’t use this feature yet.

What we haven’t mentioned so far in this section is that Signal has to rely on the official Google App Engine and the services that it brings to the table in order to enable features such as domain fronting.

The Google App Engine is currently not available in countries such as Iran.

In compliance with sanctions coming from the United States of America, Google has no choice but to not offer the Google App Engine in Iran.

How to use the official Signal app

We have already mentioned the fact that once you are finished installing the official Signal app on your smartphone device, it becomes your default SMS application.

And those same default settings dictate that all of the user’s old messages along with message history gets imported.

Apart from that, Signal also makes full use of the user’s default dialer and the contact list.

If we are talking about real-world usage then you won’t notice much of a difference in using Signal as your default SMS messaging app.

Especially when you are dealing with users who do not use the Signal app.

The only thing you will notice as something new is the notification that Signal would display to you reminding you to invite your contacts to Signal.

By that same token, your costs related to SMS messages will remain the same depending on your mobile carrier and your mobile payment plan.

When the times comes and you send a message to a contact that is making use of the official Signal app, the Signal app alerts you to the very fact.

It tells you that all messages are secured with the help of encryption, in other words.

As mentioned before, Signal also offers a voice call feature.

It also has a group chat feature and a video chat feature.

All Signal conversations are transmitted securely over the user’s internet connection.

And they are all free.

Of course, you still have to watch out for your bandwidth charges that your mobile provider or internet service provider might throw at your way.

Apps that use Signal Protocol.

  • Facebook Messenger
  • WhatsApp
  • Skype

Generally speaking, the fact that so many popular messaging applications are making use of the Signal protocol is a huge plus for privacy.

The official Signal protocol has managed to bring features such as end-to-end encryption to millions and millions of mobile users who exchange messages with their contacts on a daily basis.

It is true that a good portion of these users never really cared about privacy but that did not matter to the people working behind Signal.

Again, we would like to remind you that even though some of the most popular applications in the messaging category are making use of the Signal Protocol, it does not mean that these third-party messaging applications are as safe and secure as the official Signal app.

Some of these apps are not even close to offering users the kind of privacy that Signal offers.

Moreover, you also have to understand the fact that even though these apps make use of the Signal Protocol, they are closed source.

Hence there is no method for anyone to know with absolute certainty what these apps are trying to do.

Of course, it is unlikely but there is a chance that these messaging apps are involved in the sending of the user’s encrypted keys back to Microsoft or Facebook.

Zohair

Zohair

Zohair is currently a content crafter at Security Gladiators and has been involved in the technology industry for more than a decade. He is an engineer by training and, naturally, likes to help people solve their tech related problems. When he is not writing, he can usually be found practicing his free-kicks in the ground beside his house.
Zohair

COMMENTS

WORDPRESS: 3
  • how to get Instagram on a school laptop