Signal review

Last updated: January 10, 2021
Signal messaging app

Disclaimer: Affiliate links help us produce good content. Learn more.

The Signal Protocol has been making waves in the world of cybersecurity and in this review we will look at how they are doing it. Signal provides end-to-end encryption for instant messaging (including voice and video calls) which fills the void left by WhatsApp in the wake of its concerning Facebook purchase.

The protocol’s developers, Open Whisper Systems, use the technology first and foremost in their own messenger software, Signal. It’s a free, open-source application that initially received funding from several outside sources (including, perhaps worryingly, the US government).

The app, however, is now developed through the Signal Foundation. This is a not-for-profit organization led by Moxie Marlinspike (who co-authored the Signal Protocol) and WhatsApp co-founder Brian Acton. Their mission is purportedly to decentralize information across the globe.

With ground-breaking technology being managed independently, the Signal app appears to be the essential messaging software of the moment. With that in mind, we gave the app a test drive to see how well it performs in practice.

Stay in control of your safety online
Shield your web traffic from the prying eyes of hackers, corporations, and governments with a top-rated VPN.

How to use Signal

The Signal mobile app is mercifully easy to install and navigate. It’s simply a case of heading to the Google Play Store or the App Store and hitting download. Once the file is ready, the app guides you through a quick registration process.

To send and receive messages on Signal, you’ll need to register your phone number. This is done by entering your phone number in the online form, and then entering the verification code you receive via SMS.

You can also install Signal private messenger for desktop, but it must first be registered with iOS or Android in order to send and receive messages. However, once Signal is installed on your mobile device, you can use your mobile to scan the Signal QR code from your desktop. This will link both devices and allow you to use them interchangeably.

Is Signal secure?

As we mentioned, the Signal protocol uses end-to-end encryption. This means that not even the Signal Foundation can see your messages, which has certainly earned the Signal messenger some favour ever since the notoriously invasive Facebook got their hands on the supposedly NASA-grade WhatsApp.

The major components in making this work are the X3DH protocol and the Double Ratchet Algorithm. X3DH stands for “Extended Triple Diffie-Hellman,” and allows for the creation of a secret key between two parties. Double Ratchet then manages and develops these secret keys, renewing them every few days to reduce traceability.

The metadata is stored on Signal’s servers until the messages have been sent; it is then removed. No message logs are kept, and Marlinspike maintains that the only thing Signal does log is connection times. More specifically, Signal only retains information regarding the last day you used the app, and is no more specific than that.

So far, so good. However, to get the best from our Signal review, it’s best to take a closer look at the security aspects around some of the app’s main features.

Video and voice calls

The Signal private messenger was the first app for iOS that allowed users to make easy, strongly encrypted voice calls for free. It does this by using push notifications to start the call and then using the ZRTP protocol to encrypt it.

The best thing about this is that ZRTP is transparent about when encryption is successful. To do this, it generates a random pair of words that appear on both ends of the conversation. If both callers receive the same pair of words (you can say them out loud to one another to confirm this), then you know you are secure.

Video calling works along similar lines to the normal text-based messaging – through the Signal protocol. The Signal messenger uses this to encrypt WebRTC data – which is the program that allows video calls to be made – between each end of the conversation.

If you’re familiar with issues surrounding cybersecurity, you’ll likely feel slightly alarmed by Signal’s use of WebRTC. However, while the program is known to leak IP addresses in virtual private networks (VPN), this is caused by the STUN communication methods – and Signal does not appear to use any of these in its architecture.

Verify safety numbers

Taking inspiration from ZRTP, the Signal messenger generates a unique “safety code” for each conversation. Signal’s method is more complex than ZRTP’s, using sixty digits instead of two words.

The number is accompanied by a QR code that members of the conversation can scan when meeting in person. If physical meetups aren’t possible, the users have the option to read the number aloud to one another. Whichever method is used, the safety number is clearly shown as “verified” when this is successful.

While this may indicate that the Signal app encryption isn’t as infallible as the company claims, it does mean that users can seek easy confirmation when their conversations have been encrypted successfully.

To maintain total security, Signal will update the safety number when one conversation participant switches devices (such as if they begin to use a new phone). It will then send an automatic notification announcing that the number has been changed and requires verification.

By the way, Signal’s FAQ section states that frequent changes to the security number usually indicate foul play.

History erasing and message lifetime

Signal does not store your messages on its own server; rather, they are saved on your own device. Of course, the messages do need to interact with Signal’s servers in order to get sent, but they are deleted as soon as this action is complete.

You also have the option to force the Signal private messenger to auto-delete chat histories after a set amount of time. This ensures total security within the given means, as it narrows the amount of time someone even has the opportunity to hack your information.

Safer notifications

Signal’s notification system leaves something to be desired. While the software technically has the ability to prevent anyone else from seeing you phone number, it automatically displays your mobile number in push notifications whenever you send a message.

With the X3DH protocol and the Double Ratchet Algorithm, the chances of your contact number falling into anyone else’s hands are minimal – information is only stored on the relevant devices, anyway. However, it would be a lot more reassuring if your mobile number was kept as secure as possible when sending texts through the Signal app.

Signal app troubleshooting

Few issues seem to arise with Signal in general. Among the most prevalent, however, is the inability to send messages over wifi; occasionally, the shoe is on the other foot and users find it impossible to send messages without wifi.

Moxie Marlinspike often responds to these issues in GitHub forums, and sometimes the issue turns out to be caused by the device’s own settings. Nevertheless, he occasionally refuses to engage with the issue, leaving the user with no choice but to seek out a different instant messenger.

Aside from that, Signal seems to work fine. It should be noted, however, that it is blocked in Egypt, Oman, Iran, Qatar, and the United Arab Emirates. Signal initially circumvented this censorship with automatic domain fronting, but has ceased doing so in the past few months.

How Signal compares to other private messaging apps

Signal

Launched: 2014
Owner: Signal Foundation/Open Whisper Systems
Users: No recent statistics
End-to-end encryption: Yes
Secret chats: Yes, by default
Secure file sharing: Yes
Data storage in servers: Yes, but only for as long as it takes the message to send
Chat/Messages self-destruction: Yes
Requires mobile number: Yes
Supported platforms: Android; iOS; Windows; Mac OS X

Telegram

Launched: 2013
Owner: Telegram Messenger LLP
Users: 200 million (monthly)
End-to-end encryption: Yes, but only in secret chats
Secret chats: Yes
Secure file sharing: No
Data storage in servers: No
Chat/Messages self-destruction: Yes, but only in secret chat
Requires mobile number: Yes
Supported platforms: Android; iOS; Windows Phone; PC; Mac; Linux

WhatsApp

Launched: 2009
Owner: WhatsApp Inc.
Users: 1.5 billion
End-to-end encryption: Yes
Secret chats: Yes
Secure file sharing: No
Data storage in servers: Yes, but only until the message has been sent. (If the message has not been sent, it remains on the server for 30 days.)
Chat/Messages self-destruction: No
Requires mobile number: Yes
Supported platforms: Android; iOS; Windows Phone; PC; Mac

Most secure messaging apps

Top VPN providers
NordVPN
9.6 / 10
30-day money-back guarantee
Military grade encryption
Friendly support
Surfshark VPN
9.4 / 10
Strong encryption
Excellent performance
Unlimited simultaneous connections

Disclaimer: Affiliate links help us produce good content. Learn more.

13 comments
Leave a Reply

Your email address will not be published. Required fields are marked *


  1. Sheryl

    My cousin and I both use Signal. We want to know how much data it gobbles up when you use phone call or FaceTime modes.


    1. Mikaela Bray Author

      Hi, Sheryl. It’s true that Signal used to gobble up data before but this should’ve been fixed by now. You can check the exact data usage numbers on your phone.


  2. L. Wolfe

    12/11/2020 two days ago Signal updated itself thru Google Play Store. For one day, I kept receiving notifications that Signal would not work unless Google Play Store was enabled (I keep ALL Google apps disabled or at least turned off); but, I could clear the notification and go on with usage as before. Today (day two) Signal has stopped working – no access to messages past or present – with the admonishment that Signal would not work unless Google Play Store was enabled. So even if Signal is not data mining, the requirement that Google Play Store be enabled for Signal to work allows Google a platform for data mining.

    Even if you go to signal.org/install you get rerouted to Google Play Store. Thus, you can not by-pass Google and re-install/install/update the app straight from signal.org.

    Remember, Google in all its forms and apps, to include all its subs like WhatsApp, is the largest personal information data mining entity in the world. And currently, personal information data mining is the largest source of identity theft.

    My rating of Signal is now zero (0) as this appears to be a major security breach. And yes, I’ve uninstalled Signal even though it has cost me ALL of my text messages past and present.


    1. Richard Allen

      why don’t you just update it using the latest APK?


      1. Andromeda237

        @Agreed.


  3. Linux

    Three things I don’t understand.
    1. Why would the whatsapp co-founder put money into this? Isn’t it essentially against what he wants (mining peoples data I would assume). I think his involvement needs to be investigated/explained more
    2. What does signal need to store metadata on their servers? In and end-to-end system on the sender and receiver should be in the loop. Having an intermediary in there is a huge cause for concern. Telegram for instance AFAIK does not need to insert itself in the middle of your conversaton.
    3. Has signal undergone a security audit(s) by anyone? If this information could be put into the article it would be useful to understand just how (in)secure it might be.


    1. Lookasso

      Whatsapp has been sold to Facebook, why should its old owner be involved in data mining?


    2. Deepak Huxley

      These are great questions! Also tre funding of the US Gov? Highly questionable.


      1. CJ Jacobs

        You wonks and your assertion that an app having received money from government entities is growing old. A crap ton of privacy and open source projects wouldn’t exist if they didn’t derive some of their funding from the US government. Getting funding from the US doesn’t “automagically” make a service bad. That statement is especially salient when the service has been audited to make sure it works as it should.


  4. Paul Jerrod

    The security of this app sounds incredible! I hate the way companies collect and distribute information these days, and this seems like a perfect app to use to combat that.


  5. Mike McKinley

    I hope that everyone knows that email is a terribly insecure way to send anything of any importance. If anyone sends you important, private information through email, it is like yelling it out to the world for all to hear. I often have clients that send me their login information to social media sites so I can troubleshoot and maintain their accounts. It is much safer when sent with the Signal app.


  6. Lena J

    It actually sounds interesting, I didn’t even know about this protocole. It really sounds like a great tool for privacy. Thanks for sharing this, I’m discovering new stuff everyday thanks to you guys !


  7. Sven Ebersbach

    This may seem too good to be true, but it bears checking out. If it’s as good as it claims, this could be a great tool for anyone who treasures their privacy. I am awed by this concept and want to thank whoever posted this article to spread the good news!

You may also like
Share
Share
Thanks for your opinion!
Your comment will be checked for spam and approved as soon as possible.