The Signal Protocol has been making waves in the world of cybersecurity, and in this review we look at how it is doing so. Signal provides end-to-end encryption for instant messaging (including voice and video calls), filling the void left by WhatsApp in the wake of its concerning acquisition by Facebook.

The protocol’s developers, Open Whisper Systems, use the technology first and foremost in their own messenger software, Signal. It’s a free, open-source application that initially received funding from several outside sources (including, perhaps worryingly, the US government).

The app, however, is now developed through the Signal Foundation. This is a not-for-profit organization led by Moxie Marlinspike (who co-authored the Signal Protocol) and WhatsApp co-founder Brian Acton. Their mission is purportedly to decentralize information across the globe.

With ground-breaking technology being managed independently, the Signal app appears to be the essential messaging software of the moment. With that in mind, we gave the app a test drive to see how well it performs in practice.

How to use Signal

The Signal mobile app is mercifully easy to install and navigate. It’s simply a case of heading to the Google Play Store or the App Store and hitting download. Once the file is ready, the app guides you through a quick registration process.

To send and receive messages on Signal, you’ll need to register your phone number. This is done by entering your phone number in the online form, and then entering the verification code you receive via SMS.

You can also install Signal private messenger for desktop, but it must first be registered with iOS or Android in order to send and receive messages. However, once Signal is installed on your mobile device, you can use your mobile to scan the Signal QR code from your desktop. This will link both devices and allow you to use them interchangeably.

Is Signal secure?

As we mentioned, the Signal protocol uses end-to-end encryption. This means that not even the Signal Foundation can see your messages, which has certainly earned the Signal messenger some favour ever since the notoriously invasive Facebook got their hands on the supposedly NASA-grade WhatsApp.

The major components in making this work are the X3DH protocol and the Double Ratchet Algorithm. X3DH stands for “Extended Triple Diffie-Hellman,” and allows for the creation of a secret key between two parties. Double Ratchet then manages and develops these secret keys, renewing them every few days to reduce traceability.

The metadata is stored on Signal’s servers until the messages have been sent; it is then removed. No message logs are kept, and Marlinspike maintains that the only thing Signal does log is connection times. More specifically, Signal only retains information regarding the last day you used the app, and is no more specific than that.

So far, so good. However, to get the best from our Signal review, it’s best to take a closer look at the security aspects around some of the app’s main features.

Video and voice calls

The Signal private messenger was the first app for iOS that allowed users to make easy, strongly encrypted voice calls for free. It does this by using push notifications to start the call and then using the ZRTP protocol to encrypt it.

The best thing about this is that ZRTP is transparent about when encryption is successful. To do this, it generates a random pair of words that appear on both ends of the conversation. If both callers receive the same pair of words (you can say them out loud to one another to confirm this), then you know you are secure.

Video calling works along similar lines to the normal text-based messaging – through the Signal protocol. The Signal messenger uses this to encrypt WebRTC data – which is the program that allows video calls to be made – between each end of the conversation.

If you’re familiar with issues surrounding cybersecurity, you’ll likely feel slightly alarmed by Signal’s use of WebRTC. However, while the program is known to leak IP addresses in virtual private networks (VPN), this is caused by the STUN communication methods – and Signal does not appear to use any of these in its architecture.

Verify safety numbers

Taking inspiration from ZRTP, the Signal messenger generates a unique “safety code” for each conversation. Signal’s method is more complex than ZRTP’s, using sixty digits instead of two words.

The number is accompanied by a QR code that members of the conversation can scan when meeting in person. If physical meetups aren’t possible, the users have the option to read the number aloud to one another. Whichever method is used, the safety number is clearly shown as “verified” when this is successful.

While this may indicate that the Signal app encryption isn’t as infallible as the company claims, it does mean that users can seek easy confirmation when their conversations have been encrypted successfully.

To maintain total security, Signal will update the safety number when one conversation participant switches devices (such as if they begin to use a new phone). It will then send an automatic notification announcing that the number has been changed and requires verification.

By the way, Signal’s FAQ section states that frequent changes to the safety number usually indicate foul play.
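
How a sixty-digit number can bind a conversation to both parties' keys, as an added example (a simplified sketch, not Signal's own code): each side's identity key is hashed together with an identifier into thirty digits, and the two halves are sorted and joined so both phones display the same value. The hash, iteration count, identifiers and keys below are constructed assumptions.

```python
import hashlib

ITERATIONS = 5200  # assumed work factor for this sketch

def fingerprint_digits(identifier: bytes, identity_key: bytes) -> str:
    """Render one party's identity key as 30 decimal digits."""
    digest = b"\x00\x00" + identity_key + identifier
    for _ in range(ITERATIONS):
        digest = hashlib.sha512(digest + identity_key).digest()
    # Six 5-byte chunks, each reduced to a 5-digit group.
    chunks = [digest[i:i + 5] for i in range(0, 30, 5)]
    return "".join(f"{int.from_bytes(c, 'big') % 100000:05d}" for c in chunks)

def safety_number(id_a: bytes, key_a: bytes, id_b: bytes, key_b: bytes) -> str:
    """Sort the two halves so both participants compute the same 60 digits."""
    halves = sorted([fingerprint_digits(id_a, key_a),
                     fingerprint_digits(id_b, key_b)])
    return "".join(halves)

def changed(before: str, after: str) -> bool:
    """True when a contact's number must be re-verified."""
    return before != after

# Constructed sample identities and keys (not real key material).
ALICE_ID, BOB_ID = b"+15550100", b"+15550101"
ALICE_KEY = hashlib.sha256(b"alice identity key (constructed)").digest()
BOB_KEY = hashlib.sha256(b"bob identity key (constructed)").digest()
BOB_NEW_KEY = hashlib.sha256(b"bob key on a new phone (constructed)").digest()

if __name__ == "__main__":
    number = safety_number(ALICE_ID, ALICE_KEY, BOB_ID, BOB_KEY)
    print(" ".join(number[i:i + 5] for i in range(0, 60, 5)))
```

Any change to either identity key, whether from a new phone or from someone substituting their own key in the middle, changes one thirty-digit half, which is why a changed number calls for re-verification.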

History erasing and message lifetime

Signal does not store your messages on its own server; rather, they are saved on your own device. Of course, the messages do need to interact with Signal’s servers in order to get sent, but they are deleted as soon as this action is complete.

You also have the option to force the Signal private messenger to auto-delete chat histories after a set amount of time. This ensures total security within the given means, as it narrows the amount of time someone even has the opportunity to hack your information.

Safer notifications

Signal’s notification system leaves something to be desired. While the software technically has the ability to prevent anyone else from seeing your phone number, it automatically displays your mobile number in push notifications whenever you send a message.

With the X3DH protocol and the Double Ratchet Algorithm, the chances of your contact number falling into anyone else’s hands are minimal – information is only stored on the relevant devices, anyway. However, it would be a lot more reassuring if your mobile number was kept as secure as possible when sending texts through the Signal app.

Signal app troubleshooting

Few issues seem to arise with Signal in general. Among the most prevalent, however, is the inability to send messages over wifi; occasionally, the shoe is on the other foot and users find it impossible to send messages without wifi.

Moxie Marlinspike often responds to these issues in GitHub forums, and sometimes the issue turns out to be caused by the device’s own settings. Nevertheless, he occasionally refuses to engage with the issue, leaving the user with no choice but to seek out a different instant messenger.

Aside from that, Signal seems to work fine. It should be noted, however, that it is blocked in Egypt, Oman, Iran, Qatar, and the United Arab Emirates. Signal initially circumvented this censorship with automatic domain fronting, but has ceased doing so in the past few months.

How Signal compares to other private messaging apps

Signal

Launched: 2014
Owner: Signal Foundation/Open Whisper Systems
Users: No recent statistics
End-to-end encryption: Yes
Secret chats: Yes, by default
Secure file sharing: Yes
Data storage in servers: Yes, but only for as long as it takes the message to send
Chat/Messages self-destruction: Yes
Requires mobile number: Yes
Supported platforms: Android; iOS; Windows; Mac OS X

Telegram

Launched: 2013
Owner: Telegram Messenger LLP
Users: 200 million (monthly)
End-to-end encryption: Yes, but only in secret chats
Secret chats: Yes
Secure file sharing: No
Data storage in servers: No
Chat/Messages self-destruction: Yes, but only in secret chat
Requires mobile number: Yes
Supported platforms: Android; iOS; Windows Phone; PC; Mac; Linux

WhatsApp

Launched: 2009
Owner: WhatsApp Inc.
Users: 1.5 billion
End-to-end encryption: Yes
Secret chats: Yes
Secure file sharing: No
Data storage in servers: Yes, but only until the message has been sent. (If the message has not been sent, it remains on the server for 30 days.)
Chat/Messages self-destruction: No
Requires mobile number: Yes
Supported platforms: Android; iOS; Windows Phone; PC; Mac
