This article was published on March 28, 2018

How to make the most out of secure messaging app Signal

It doesn’t matter whether you are an activist in a police state, a tech-savvy young individual who cares about their privacy, a professional with business secrets of value, or a soon-to-be mother who cares to keep her data private from advertising companies. Privacy breaches and shady uses of our data have become so ubiquitous that using a rigorously secure messaging app should already have become a no-brainer for everyone.

Why not use Facebook Messenger, Google Hangouts, Microsoft Skype, or even Whatsapp you ask? Aren’t they SSL encrypted? No one can access our data in transition, right? And Whatsapp at least is even end-to-end encrypted.

Well, for starters, while SSL encryption prevents third parties and malicious actors from reading your messages in transit in a so-called man-in-the-middle attack, service providers like your ISP, Google, Microsoft, and Facebook, and in the case of SMS messages your mobile carrier, have access to your full unencrypted texts and messages, shared media files, contacted parties, and voice calls.

Consequently, you have to pay for the “free service” these companies provide with your private data, habits, likes and dislikes and more. In a sense, you are the product.

But that’s not all: because these services have full access to your data, they can, and under certain circumstances are obliged to, share it with law enforcement institutions like the police, the FBI, and other well-known three-letter agencies.

What about Whatsapp with its end-to-end encryption mechanism, you wonder? As shown previously, Whatsapp stores a lot of metadata about you and your activities. After all, it is a company for profit.

How else would the business model of a platform acquired by Facebook, one of the biggest online advertising companies, be of value with a free service if not for some way or another connecting your aggregated metadata with Facebook? But enough of that.

This post isn’t about pounding the big five for their business model but rather providing the solution.

There is also the argument that says, “I have nothing to hide, so what’s the hassle, man?” But that’s another story altogether and I assume the readers of this post are past this point.

I take it you already know about Signal, the secure messaging app. Signal is available for iOS, Android, macOS, and Windows, but what distinguishes Signal is that the organization responsible for developing and maintaining it is not a company in the traditional sense but rather a project.

Open Whisper Systems is a non-profit outfit run exclusively by donations and volunteer work. Its client and server side code are open source and peer reviewed and some of the most distinguished privacy advocates, security experts and industry celebrities like Edward Snowden, Bruce Schneier, and Matt Green have publicly endorsed it.

But the best end-to-end encrypted messaging app—any secure software with the lowest attack surface for that matter—won’t help you if you don’t respect healthy cyber habits in general and don’t know enough about how to use its settings, functionality, and how to avoid its pitfalls.

In this context, although Signal is well designed to keep your private messages actually private, it takes some additional steps to get the most out of it. Here is all you need to know about Signal from a security and privacy point of view.

Bring your pals to Signal

Being an end-to-end encrypted app, Signal requires the contacts you intend to chat with privately to be on the platform as well. By design, Signal can’t connect with other apps, and with good reason.

After all, it won’t help to use a super secure messaging app and then compromise the whole setup by relaying your messages over traditional SMS or sending notifications to your email or other communication channels.

Fortunately, Signal is already a mature messaging platform with over 5 million downloads on Android. If security is of real concern to your friends and colleagues, it won’t be hard to persuade them to switch gears.

Provide for your phone’s basic security

Signal already brings almost everything to the table to provide for its own security.

No party on the wild internet—not even on your intranet for that matter—can sniff and decrypt your message, thanks to Signal’s solid end-to-end encryption scheme. This also includes state actors with massive resources like the NSA.

In addition, the creators of Signal at Open Whisper Systems, or even any third-party maliciously compromising Signal’s servers, can’t read your messages or the parties you have contacted.

But Signal is not able to prevent someone from physically grabbing your phone and reading your messages. To prevent such a worst case scenario, you need to enable some sort of unlocking mechanism for your smartphone like requiring a passcode.

In addition, you need to make sure that your smartphone uses full disk encryption.

After all, it wouldn’t help to enable an authentication mechanism for unlocking your phone, while someone can dump your whole disk to their computer and access your unencrypted files.

To make sure your phone is not hacked and exploited, you also need to keep your device’s firmware and apps always up to date.

If you have an Android:

  • Lock your phone: If you haven’t already done so, lock your phone by setting up a pattern, password, or numeric PIN. You can do this by going to the Settings app under Security > “Screen Lock”. Make sure your choice is not easy to guess. Avoid using birthdays, pet names, family member names or anything publicly available about yourself as your password. Don’t share your unlock credentials with anyone, unless you are OK with them reading all your messages on Signal or anything else on your phone. Please keep in mind that patterns are easily observable and not a real option for locking your device.
  • Encrypt your phone’s storage: Having your phone locked with a passcode protects you only from parties with the most basic resources in case they have gained physical access to your phone. To realize the real benefit of screen locking you have to encrypt your phone’s flash storage and SD card, if available. Otherwise, an attacker can copy your disk’s content to another device, fully circumventing the screen lock. Disk encryption scrambles your data and makes it unreadable without the passcode. To enable encryption, go to the Settings app under Security > “Encrypt phone.” Please note that Android won’t let you enable encryption unless you have a full battery. Also, keep in mind that depending on how much data you have on your phone and how fast your device is, it can take up to one hour for the device to complete the encryption process.
  • Regularly install all updates: With nearly every update come important security fixes. Known exploits are widely used in the wild and delaying updates just increases the chances of falling victim to such an attack. To update your Android phone’s firmware go to the Settings app under System > “About Phone” and tap “System Update”. Don’t forget to update all your apps from the Google Play Store on a regular basis too.

If you have an iPhone:

  • Set a strong passcode: iPhones automatically encrypt your storage, but this only works if you set a passcode. Older iPhones only let you set numeric passcodes, but from iOS 7 and up you can create alphanumeric passcodes. Create a random and unguessable passcode. Open the Settings app and select “Touch ID and Passcode.” If you already have a passcode and just want to strengthen it, select “Change passcode” and enter your old one. If you don’t have a passcode and are setting it for the first time, tap “Turn passcode on” and enter the new passcode. Pro tip: Don’t use Touch ID to unlock your phone, as there is precedent for courts to allow law enforcement to compel you to unlock your phone with your fingerprints.
  • Regularly install all updates: Updates include security fixes, and every day you delay an update increases the chances of falling victim to attack. To check for updates on an iPhone go to the Settings app under General and tap “Software Update.” You should also keep all your apps up to date through the App Store under the Updates tab.

Hide Signal notifications on your lock screen

Locking your screen won’t help you much if your Signal messages appear on the lock screen as notifications.

By default, Signal shows received messages on the lock screen. To increase your privacy and avoid giving away your data under any circumstances you should disable this default behavior.

If you have an Android: Open Signal, go to Settings and tap on Notifications. There you have a couple of options. You can either turn notifications completely off, limit them to the sender’s name without the actual message, or show just an empty notification without the name and message. I recommend using the “No name or message” option without turning off notifications altogether. This way you will be notified when a message arrives, but you need to unlock your phone to see the content and the sender.

If you have an iPhone: Open Signal and go to Settings. Under Notifications > “Background Notifications” tap on Show. There you can choose to show the sender and their message, sender name only or an empty notification without the name of the sender or the message. I recommend using the third option by choosing “No name or message”. This way you’ll be notified of new Signal messages but you have to unlock your phone to see the sender and content. If you wish to completely disable Signal notifications on iPhone’s lock screen go to the Settings app, tap on Notifications and tap on Signal. From there you can turn off Signal notifications on iPhone’s lock screen altogether.

Have a policy for automatically deleting your messages

Messages on Signal are only retained on the sender’s and receiver’s devices.

Signal only stores sent messages for a short period of time on its servers to make sure they are properly delivered. Also keep in mind that these messages are fully encrypted and Signal has no access to them in plain text format.

But all these precautions won’t help you enough if your device falls into the wrong hands and is by some means unlocked. Imagine how bad it may become if someone roams through your conversations from a year ago, or how a sensitive conversation from just a week ago can bring repercussions.

To avoid that, Signal has a feature called disappearing messages that deletes messages after a certain period of time. You can adjust it to delete messages in a conversation after somewhere between five seconds and one week.

If you have an Android:

  • Open Signal and tap on a conversation to open it.
  • Tap on the menu in the top right corner and select “Disappearing messages”. From there you can choose after what period of time Signal should delete your messages automatically.

If you have an iPhone:

  • Open Signal and tap on a conversation to open it.
  • At the top of the screen tap on the name or phone number of the person you are talking with.
  • From here you can choose after what period of time Signal should delete your messages automatically.
  • You can also manually delete messages or whole conversations from your phone but keep in mind that these messages won’t be removed from your peer’s phone. Only disappearing messages do that.

Make real use of Signal for sending private photos and videos

With Signal you can easily send and receive photos, voice, videos and even large files during a conversation. Just click the paperclip icon on the right and you can choose what you want to send or take a picture just then and there and send it.

But Signal incorporates a neat feature that isn’t obvious at first glance: if you take and send a picture with Signal, it won’t be saved to your device by default. Similarly, if you receive a picture or video through Signal it won’t be saved to your SD card or flash storage unless you specifically choose to do so.

As you may already know, smartphones normally sync with cloud services like Google and iCloud, and your connection with these services is not end-to-end encrypted. This means that Google, Apple or any other cloud service you’ve signed up with has full access to your unencrypted data.

If your cloud account ever gets hacked your data is compromised. Companies are also obliged to give up your data by court order.

As if that is not enough, there are plenty of not-so-secure apps that may have access to your cloud accounts or local picture storage, opening new attack vectors and avenues to compromise your data.

So if you like your privacy and security like me, use Signal’s nice file and photo sharing feature aplenty.

Create group chats and beware of the problems

Another cool feature of Signal is group chat. Group chats have basically the same secure functionalities of normal conversations but with a group of people.

Setting up a group is quite simple both on Android and iPhone. You just need to go to the list of your conversations and tap on the menu at the top right corner of the app. From there choose “New group,” choose a name for your group and invite as many contacts as you wish.

Disappearing messages, end-to-end encryption, sending files and photos and everything else works just as in a normal conversation. In addition, you can disable notifications for a specific group if there is too much talk for you to care for.

But there are two caveats you should be aware of when creating a group:

  • Everyone in the group can add new members and there is no way to kick someone from the group. People need to leave a group voluntarily. So in case you’ve invited someone by mistake or just don’t want him there any more you have to create a new group and invite all the wanted members anew.
  • When someone in the group switches phones it takes a little bit of work to make sure the safety number is correct and your encryption is not under attack (more on that later).

Enjoy secure voice and video calls

In addition to sending encrypted messages and photos, Signal enables you to have secure voice and video calls with your peers. Just tap on the phone icon when you are in a conversation and Signal sets up a call for you. You can enable the camera by tapping the camera icon during a call.

There is one thing you should be aware of when making use of Signal’s voice and video calls. Your peer can see the IP address you are contacting them from. This may not be an issue in most cases, but imagine you want to hide your current location from someone for different reasons.

There is a setting in Signal that lets you do just that by relaying your calls through Signal’s servers. This way, the receiver of the call will only see Signal’s server IP. But keep in mind that your connection speed and call quality will decrease slightly.

If you have an Android:

  • Open Signal and go to Settings.
  • Tap on Privacy and enable “Always relay calls”

If you have an iPhone:

  • Open Signal and go to Settings.
  • Tap on Privacy and enable “Always relay calls”

Verify the health of your encryption with Safety Numbers

Being a security and privacy first messaging app, Signal has a system called Safety Numbers to make sure your conversation is secure. While the probability is really slim, theoretically it would be possible to launch a so-called man-in-the-middle attack on a Signal conversation.

Let’s assume Bob is talking with Alice. In this scenario the attacker sits in the middle of the connection and sets up a secure connection to both Bob and Alice. Having the encryption keys for his connections to both of them, the attacker relays the messages between the parties while sniffing the contents.

Signal uses a separate encryption key for each conversation. So Bob will have a key with Alice, but another with Joe. These uniquely shared keys between contacts on Signal are translated to unique Safety Numbers that must match between the sides of a conversation.

When two people start a conversation on Signal for the first time, Signal assumes the safety numbers match and doesn’t throw a warning, because it is very unlikely for Signal conversations to get compromised. But if you want to be sure, you can double check by manually comparing the numbers. From time to time, especially when someone switches phones, you get a warning from Signal that the safety number has changed. In these cases, you must definitely compare the safety numbers to make sure your conversation is not compromised.

Generally, there are two ways to compare safety numbers: In person or remotely. But first, you need to access the safety number. To do so open a conversation and tap on your contact’s name or phone number. Under Privacy tap on “View safety number”. Here you see a QR code and a long string of numbers.

Signal's Safety Number

If you can meet the contact in person you can just scan their QR code to compare. If not, you must share the safety number with your contact over a secure channel outside of Signal to make sure they still match. This can be anything from another secure messaging app like Whatsapp to a normal phone call. From the safety number screen, by tapping the share button in the top left corner, Signal also offers the option to directly share the number and QR code on many messaging services like Slack, Skype, Gmail, and Telegram.

In group conversations, this can become annoying as a member of the group switches phones since everyone in the group gets a warning and has to manually verify the safety number.
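To make the man-in-the-middle scenario and the “safety number changed” warning concrete, here is an added Python model. It is not Signal’s code and not Signal’s actual safety-number derivation (which works over the parties’ real Curve25519 identity keys); it stands in identity keys with constructed SHA-256 digests, renders a 60-digit number from both keys in a canonical order, and shows that an honest exchange yields matching numbers on both sides, a relayed exchange does not, and a peer switching phones is exactly what triggers the warning. The Client class, the key labels and all helper names are assumptions made for this illustration.

```python
import hashlib


# Constructed stand-ins for long-term identity public keys. Real Signal keys are
# Curve25519 points; here a key is just a deterministic 32-byte digest of a label
# so that the example is reproducible offline.
def make_identity_key(label: str) -> bytes:
    return hashlib.sha256(b"constructed-identity-key:" + label.encode()).digest()


def fingerprint(identity_key: bytes, digits: int = 30) -> str:
    """Render one identity key as a fixed-length string of decimal digits.
    Simplified model (not Signal's derivation): SHA-256 of the key, read as an
    integer, reduced to the requested number of digits."""
    h = hashlib.sha256(identity_key).digest()
    return str(int.from_bytes(h, "big") % 10 ** digits).zfill(digits)


def safety_number(my_key: bytes, their_key: bytes) -> str:
    """Concatenate both fingerprints in sorted order, so both parties compute the
    same 60-digit string no matter which side does the calculation."""
    low, high = sorted([fingerprint(my_key), fingerprint(their_key)])
    return low + high


class Client:
    """Minimal model of the part of a messaging client that remembers peers' keys.
    'device' lets the same person show up with a new key after switching phones."""

    def __init__(self, name: str, device: str = "phone-1"):
        self.name = name
        self.identity_key = make_identity_key(f"{name}/{device}")
        self.known_peers = {}  # peer name -> identity key last seen for that peer

    def learn_peer_key(self, peer: str, key: bytes) -> bool:
        """Record the key presented for a peer. Returns True when it differs from a
        key stored earlier: this is the event behind the 'safety number changed'
        warning, and the moment to re-verify out of band."""
        changed = peer in self.known_peers and self.known_peers[peer] != key
        self.known_peers[peer] = key
        return changed

    def safety_number_with(self, peer: str) -> str:
        return safety_number(self.identity_key, self.known_peers[peer])


def numbers_match(a: Client, b: Client) -> bool:
    """What the two people do when they compare numbers by phone call or QR scan."""
    return a.safety_number_with(b.name) == b.safety_number_with(a.name)


def honest_exchange(alice: Client, bob: Client) -> None:
    alice.learn_peer_key(bob.name, bob.identity_key)
    bob.learn_peer_key(alice.name, alice.identity_key)


def relayed_exchange(alice: Client, bob: Client, mallory: Client) -> None:
    """Man-in-the-middle: each side is handed the relay's key as if it were the
    real peer's, so the relay holds a valid session with both of them."""
    alice.learn_peer_key(bob.name, mallory.identity_key)
    bob.learn_peer_key(alice.name, mallory.identity_key)


def run_scenarios() -> dict:
    results = {}

    # 1. Honest first contact: both sides derive the same number.
    alice, bob = Client("Alice"), Client("Bob")
    honest_exchange(alice, bob)
    results["honest_match"] = numbers_match(alice, bob)

    # 2. Relayed contact: each app shows a plausible number, but Alice's is built
    #    from (Alice, Mallory) and Bob's from (Mallory, Bob), so the out-of-band
    #    comparison fails even though messages still flow.
    alice2, bob2, mallory = Client("Alice"), Client("Bob"), Client("Mallory")
    relayed_exchange(alice2, bob2, mallory)
    results["relayed_match"] = numbers_match(alice2, bob2)

    # 3. Bob switches phones: a new identity key arrives for the same contact, the
    #    client flags the change, and after re-verification the numbers agree again.
    new_bob = Client("Bob", device="phone-2")
    results["change_warned"] = alice.learn_peer_key("Bob", new_bob.identity_key)
    new_bob.learn_peer_key("Alice", alice.identity_key)
    results["match_after_change"] = numbers_match(alice, new_bob)
    return results


if __name__ == "__main__":
    for scenario, matched in run_scenarios().items():
        print(f"{scenario}: {matched}")
```

The point of the sorted concatenation is that the number is a property of the pair, not of who initiated the chat, so a phone call in which one person reads the digits aloud is enough to detect a relay. Scenario 3 is the group-chat annoyance from the text in miniature: every member that holds Bob’s old key sees `change_warned` fire and has to repeat the comparison.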

Other security features of Signal you should be aware of

There are some other neat features built into Signal that will help to increase your security and privacy. All these features are in the Signal app under Settings > Privacy. Here are some of them:

  • Inactivity timeout passphrase: Remember the passphrase you can set up for Signal itself, to protect your conversations from people who, with or without your consent, get access to your unlocked phone? After enabling it, you can set a timeout period here so that Signal locks itself automatically after a period of inactivity.
  • Screen security: Here you can disable screenshots inside the Signal app and in the recents list. This adds another layer of security to Signal by preventing outside apps from taking screenshots of your conversations.
  • Incognito keyboard: You are surely familiar with the personalized learning functionality of your phone’s keyboard. It learns the words you use and the typos you normally have and tries to help you by autocorrecting words. To do so, it stores data about your writing habits and this can be a liability when we deal with really sensitive conversations. Incognito keyboard disables this feature, ensuring that nothing about your conversations is leaked outside of the Signal app.
  • Read receipts: Read receipts are the double check marks you see next to your sent messages when the receiver opens Signal and sees them. This is a way of confirming that your messages have been read. This is also true for the messages you receive from others. By disabling this option your contacts won’t see the double check mark next to their messages when you see them and vice versa.

Use Signal’s Desktop app

For people who spend most of their time at their desktops, Signal also offers a desktop version of its app. Unfortunately, the desktop version of Signal does not have nearly as many features as the mobile version, although it has become better over time.

Signal for Desktop is available for Windows, Mac, and Linux. After you’ve set it up on your phone, you can go to Signal’s download page to grab any version of the application you wish.

This story is republished from TechTalks, the blog that explores how technology is solving problems… and creating new ones.