I’m running a series of posts on some of the tools I use to stay a little safer and protect my privacy online. Here’s how you can get much better secure messaging on your phone using the Signal app.
I use Signal by Open Whisper Systems as the messaging app on my phone. It has excellent end-to-end encryption verified by third party cryptology experts. There’s actually another messaging app that uses the messaging protocol from Signal, WhatsApp, but that’s owned by Facebook. Facebook’s business model is to sell data about you to advertisers. So, even if the conversations are secured, do you think other data like your contacts, who you are messaging and when you are messaging them is?
When advertising companies provide email and messaging apps, your privacy may not be their top priority. https://t.co/orXvAc0Dho
— DuckDuckGo (@duckduckgo) March 16, 2017
By the way: This other metadata isn’t as secure as it should with Signal either. Your Signal ID is your phone number, so every message that goes through the Signal messaging servers will have personally identifiable information attached to them. However, Signal’s business model is providing secure communications to its users, which is very different from providing personal information of its users to advertisers. The FBI have tried to get Signal to turn over communication metadata in the past, but apparently, Signal doesn’t log much metadata so there isn’t much to turn over.
The encrypted messaging is of course only between other Signal users, but more and more people are discovering Signal. Messaging with other users are going over plain old SMS. The UX is really smooth, and you don’t have to be concerned with whether the person you’re texting is using Signal or not. But you do get a visual cue, so you can decide before sending sensitive info. When your messages are secured, they will have a small padlock.
Secure messaging – and message storage
Not only is the transport of the messages encrypted, but they are also stored encrypted on your phone, so malware and hackers have a much harder time getting to your messages. I’ve only used the Android version, but at least on that platform, Signal also disables taking screenshots of the app, so nasty people can’t circumvent the encrypted storage by automatically grabbing screenshots of your messages.
Even though WikiLeaks in their tweets about the “Vault7” data dump claimed that the CIA can bypass the Signal encryption, the actual documents showed that they can’t. They have to get direct access to your phone and grab the messages while they’re unencrypted on your phone – which is not a simple feat. You can get more in-depth info and explanations in this Wired article.
Secure calls too
Up until recently, you had to use a different app, RedPhone, from Open Whisper Systems to make secure calls. But now Signal also have encrypted calling implemented right into the user-friendly Signal app.
When making secure calls, you do it from your Signal app. It will connect you with your caller and you both will get a call identifier on your screen. The call identifier should be the same on both your screens when the connection is secure. If the ID is different, something’s wrong, like a man in the middle.
Signal messaging is also available on desktop – kinda
If you’re using Google Chrome, you should probably switch to Firefox. But if you’re still using it, there’s a Chrome app available to auto-sync your messages, so you can use your regular computer to message with Signal. You can find more info on Signal Desktop on Open Whisper System’s blog post.
Signal is good, but not perfect
Signal has very good encryption, provides a very good UX and has a large and growing user base. The last point there is important: If your contacts don’t use Signal too, there is a much less incentive for you to use it. Your messages will still be stored encrypted on your phone, but the biggest point is that your messages will be transmitted encrypted.
There are multiple issues with Signal:
- Lack of federation
- Dependency on Google Cloud Messaging
- Your contact list is not private
- The RedPhone server is not open-source
Sander Venema explains these issues very well in the article Why I won’t recommend Signal anymore.
I agree with the issues being raised, but I will still recommend Signal. It is by now a mature solution and with such a large user base it can actually protect your everyday conversations. If you’re concerned with a (privacy-minded) private company or a government getting the details of who you are communicating with and when, you need something even better than Signal. You probably don’t want to use a phone at all for that. A VPN service and Protonmail might be better for you.
Open source and available for free for Android and iOS
The development team is supported by community donations and grants. There are no advertisements, and it doesn’t cost anything to use. Keep Signal alive and running by donating here.