How secure is Signal

Signal is arguably the most secure messaging app available. Developed by Open Whisper Systems, Signal encrypts all your messages end-to-end by default, ensuring only you and your recipient can read the messages you send and receive using the app. Released in 2014, the app is available on Windows, macOS, Linux, Android, and iOS. It may be our most secure option for encrypted messaging, but just how secure is Signal?

In this post, we look at Signal’s security model and features to answer the above question. We’ll also provide tips for using Signal as securely and privately as possible.

Let’s get started.

The Signal app vs. the protocol

Signal is both an app and an encryption protocol. Of course, the Signal app uses the Signal protocol.

The Signal protocol is a distributed (i.e., decentralized) cryptographic protocol that enables end-to-end encryption for voice and instant messaging applications. Developed by Open Whisper Systems in 2013, it was first introduced in the open-source messaging app TextSecure, which turned into Signal.

The Signal protocol has been implemented into many popular voice and messaging apps like WhatsApp, Google’s RCS-based messages, Facebook Messenger, and Skype.

To provide end-to-end encryption (E2EE), the Signal protocol uses the Double Ratchet Algorithm, prekeys, and a triple Elliptic-curve Diffie–Hellman (3-DH) handshake while using Curve25519, AES-256, and HMAC-SHA256 as primitives. If the above is gibberish to you, let me just say it’s very secure and will continue to be for the foreseeable future.
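To put those primitives into code, here is an added example (not Signal's or libsignal's code) of the symmetric-key ratchet that the Double Ratchet runs on HMAC-SHA256: it shows why the receiver can still read a late message and why a chain key captured today does not unlock yesterday's messages. The shared chain key is constructed with os.urandom as a stand-in for the handshake output; the real protocol also mixes in fresh Diffie-Hellman outputs, which this model leaves out.

```python
import hmac, hashlib, os

def kdf_ck(chain_key: bytes) -> tuple[bytes, bytes]:
    """KDF_CK from the Double Ratchet spec: HMAC-SHA256 keyed with the chain key;
    constant 0x01 yields the next chain key, 0x02 the message key (one-way)."""
    return (hmac.new(chain_key, b"\x01", hashlib.sha256).digest(),
            hmac.new(chain_key, b"\x02", hashlib.sha256).digest())

class SendingChain:
    """Sender: one ratchet step per message; the old chain key is overwritten."""
    def __init__(self, chain_key: bytes):
        self.ck, self.n = chain_key, 0
    def next_key(self) -> tuple[int, bytes]:
        self.ck, mk = kdf_ck(self.ck)
        self.n += 1
        return self.n, mk

class ReceivingChain:
    """Receiver: derives keys in order, parking keys of not-yet-seen messages."""
    def __init__(self, chain_key: bytes):
        self.ck, self.n, self.skipped = chain_key, 0, {}
    def key_for(self, n: int) -> bytes:
        if n in self.skipped:
            return self.skipped.pop(n)
        if n <= self.n:
            raise ValueError(f"message key {n} already consumed (replay?)")
        while self.n < n:
            self.ck, mk = kdf_ck(self.ck)
            self.n += 1
            if self.n < n:
                self.skipped[self.n] = mk  # keep for the late message
        return mk

def demo() -> dict:
    """Constructed scenario: shared chain key (stand-in for handshake output),
    message 3 delivered before 2, attacker copies sender's chain key after msg 2."""
    root = os.urandom(32)
    alice, bob, sent = SendingChain(root), ReceivingChain(root), {}
    for _ in range(2):
        n, mk = alice.next_key()
        sent[n] = mk
    stolen_ck = alice.ck                  # compromise point
    n, mk = alice.next_key()
    sent[n] = mk
    got3, got2 = bob.key_for(3), bob.key_for(2)  # out-of-order delivery
    attacker_mk = kdf_ck(stolen_ck)[1]    # attacker can only ratchet forward
    return {"receiver_ok": got3 == sent[3] and got2 == sent[2],
            "attacker_reads_3": attacker_mk == sent[3],
            "attacker_reads_1": attacker_mk == sent[1]}
```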

Like the protocol, the app is open-source, so anybody with the skills can audit the code. The app allows you to make encrypted voice calls and encrypted text messages. You can also send files of any kind (text, audio, pictures, videos) over Signal, and they’ll also be encrypted end-to-end.

The app experience is clean, with zero ads, analytics, or tracking. Also, unlike Facebook-owned WhatsApp, the app is not developed by a large tech company but rather by the Signal Foundation, a nonprofit organization. Speaking of analytics and tracking, let’s look at what the Signal app actually collects.

What information does Signal collect from its users?

With Signal, the overwhelming majority of your data is encrypted and stored on your device. But some bits of data go to Signal’s servers. Looking through its privacy policy, we find the following:

Signal - Privacy Policy
So, Signal will collect your phone number, as that’s your “username” in Signal. It needs this information to relay your messages. I’ll admit, it would be nice if you didn’t need to use your phone number and could set up a handle of your choice. There are ways to set the service up using a burner number, but it’s somewhat convoluted and beyond the scope of this post. The bottom line is that Signal uses your phone number as your handle.

It collects your contact list in a cryptographically hashed format. Signal needs this information to discover which of your contacts are using Signal and list them in your Signal contacts.

Signal’s privacy policy informs us that some bits of technical data linger on its servers. These are things like authentication tokens, keys, and push notification tokens.

Its privacy policy states that Signal tries to keep its data collection to an absolute minimum – and I’d have to agree. That’s pretty lean and orders of magnitude better than practically any other voice and chat app available. Its biggest drawback is its obligatory use of phone numbers, but this is still an excellent privacy policy.

Of course, all the messages sent over Signal are end-to-end encrypted, so nobody, aside from you and your recipient (not even Signal), can read them. Let’s take a closer look at end-to-end encryption and how it works. It is, after all, Signal’s hallmark feature.

What is end-to-end encryption?

When you send a message but the recipient can’t immediately receive it, it is stored on a server run by Signal until it can be sent.

Other messaging apps store encryption keys on their servers and can in turn decrypt and read your messages as they pass through. They could even modify the contents of your messages.

When you send a message over Signal, only the intended recipient has the key to decrypt it. Keys are generated on end users’ devices, and the private keys are never stored on Signal’s servers. Not even Signal itself can decrypt your messages. Because the encryption remains intact from the moment a message is sent to the moment it’s received, we call this end-to-end encryption, or E2EE.

In Signal, all your messages and attachments (and even the stickers you use in conversations) are end-to-end encrypted, so nobody, aside from you and your recipient, can decipher your messages.

So, open-source code and end-to-end encryption built on robust algorithms are Signal’s prime security features. Let’s now look at the other security features built into Signal.

Safety numbers

While Signal uses your phone number as your handle by default (more on that later), it also assigns each user a distinct safety number. This is done to allow users to make sure they’re communicating with the person they think they’re communicating with.

When starting a conversation in Signal with a new contact, you can have them confirm their safety number to ensure it matches what’s displayed in your app. If the numbers match, you can be more confident that you’re actually talking to whom you think you are (or, at worst, that someone has your contact’s phone in their possession).

If your contact’s safety number changes, Signal will alert you of the change. This can happen if a contact removes and reinstalls the app or changes phones. The check protects Signal users from man-in-the-middle attacks, in which a third party intercepts and modifies the messages being sent between two users.
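An added example (not Signal's code) of what the safety number comparison actually checks: each party's identity public key is hashed into a 30-digit fingerprint, and the two halves are sorted and joined, so both phones show the same 60 digits only if each holds the other's genuine key. The structure is modelled on libsignal's numeric fingerprint, but the constants and byte layout are my reading of it, and the keys and phone numbers are constructed stand-ins.

```python
import hashlib, os

FINGERPRINT_VERSION = 0   # 2-byte version prefix (assumed to match libsignal)
ITERATIONS = 5200         # hash rounds; libsignal's value, kept as a parameter here

def local_fingerprint(identity_key: bytes, stable_id: bytes, iterations: int = ITERATIONS) -> str:
    """30-digit fingerprint of one party: iterated SHA-512 over (version || key || id),
    then six 5-byte chunks reduced mod 100000 to five digits each."""
    h = FINGERPRINT_VERSION.to_bytes(2, "big") + identity_key + stable_id
    for _ in range(iterations):
        h = hashlib.sha512(h + identity_key).digest()
    return "".join(f"{int.from_bytes(h[i:i + 5], 'big') % 100000:05d}" for i in range(0, 30, 5))

def safety_number(my_key: bytes, my_id: bytes, their_key: bytes, their_id: bytes) -> str:
    """Both halves sorted then concatenated, so Alice and Bob compute identical
    60 digits when each actually holds the other's genuine identity key."""
    return "".join(sorted((local_fingerprint(my_key, my_id),
                           local_fingerprint(their_key, their_id))))

def demo() -> dict:
    """Constructed keys: os.urandom stands in for Curve25519 identity public keys,
    phone numbers are the stable identifiers."""
    alice_key, bob_key, mallory_key = (os.urandom(32) for _ in range(3))
    alice_id, bob_id = b"+15550000001", b"+15550000002"
    # Honest case: each side uses its own key and the peer key it received.
    alice_view = safety_number(alice_key, alice_id, bob_key, bob_id)
    bob_view = safety_number(bob_key, bob_id, alice_key, alice_id)
    # Man-in-the-middle: Mallory presents her key to Alice as Bob's and to Bob as Alice's.
    alice_mitm = safety_number(alice_key, alice_id, mallory_key, bob_id)
    bob_mitm = safety_number(bob_key, bob_id, mallory_key, alice_id)
    # Reinstall / new phone: Bob's identity key changes, so the number changes too.
    bob_new_key = os.urandom(32)
    alice_after_reinstall = safety_number(alice_key, alice_id, bob_new_key, bob_id)
    return {"honest_match": alice_view == bob_view,
            "mitm_detected": alice_mitm != bob_mitm and alice_mitm != alice_view,
            "changed_on_new_key": alice_after_reinstall != alice_view,
            "length": len(alice_view)}
```

Reading the digits back to each other out of band is what defeats the man-in-the-middle case: the attacker controls the channel but not the phone call or face-to-face comparison.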

Verifying a contact’s safety number in Signal

To verify one of your contact’s safety numbers, I’d recommend doing this outside the Signal app, over the phone, or preferably in person, if possible, to ensure you’re verifying the number with your contact.

  1. From the conversation window of your contact, click on the “account” icon next to the contact’s name at the top of the chat. That contact’s Settings page is displayed.
  2. Select View Safety Number. The contact’s safety number and QR code are displayed.
  3. Confirm the safety number with your contact, either by reading it back to each other or by scanning the QR code with the Signal app (if you’re in person). Once confirmed, click the Mark as Verified button.
  4. You’re taken back to the contact’s Settings page, where the contact is marked as Verified.

Disappearing messages

Signal lets you put a timer on messages within conversations. After the set time, the messages disappear from both the sender and the recipient’s conversations. And there’s no way to get them back once they’re gone.

The timer can be set anywhere between one second and four weeks. However, this feature, when enabled, applies to all your conversations. It’s a global setting. You can’t enable it for a single conversation – it’s an all-or-nothing feature.

Enabling disappearing messages

As mentioned above, the disappearing messages feature is app-wide. Once enabled, it applies to all your Signal conversations.

  1. Click your Account icon at the top left of the app’s UI and select Settings. The Settings page is displayed.
  2. Select Privacy. The Privacy Settings page is displayed.
  3. Select Disappearing Messages. The Disappearing Messages Settings page is displayed.
  4. Set the timer to your desired value and click Set at the top right. You’ve enabled disappearing messages.

Third-party audits

While not a security feature in itself, third-party audits go a long way to foster user trust. Signal has submitted itself to third-party audits multiple times since it was launched. Various security firms and security researchers have audited different components of the Signal app and protocol. And while a few bugs have been discovered here and there, the conclusion of the audits has always been that Signal is cryptographically sound.

The bugs found were fixed extremely quickly (sometimes on the same day they were discovered). This highlights Signal’s commitment to security and privacy.

Transparency reports

What happens when Signal is served with a subpoena for user data? Well, if the request is for data Signal never collected in the first place, what happens is basically… nothing.

But when it is legally compelled to disclose user data to law enforcement, Signal is committed to documenting this in its transparency reports, which you can view here. This is another way Signal fosters user trust – and it’s appreciated.

Signal vs. WhatsApp vs. Facebook Messenger vs. Skype

All of the above apps use the Signal protocol. But are they all equal? No, they’re not.

WhatsApp

While WhatsApp messages are encrypted by default, their metadata is not encrypted, and WhatsApp collects timestamps and IP addresses. That data also gets correlated to your Facebook data.

Another difference is that, if you switch phones, WhatsApp may renegotiate your encryption keys on your behalf so you can view the messages stored on your old phone. While convenient, it involves breaking Signal’s end-to-end encryption scheme. If someone’s phone is offline for any reason, it would be technically feasible for WhatsApp to fake a new phone and private key to obtain backed up messages and decrypt them.

Facebook Messenger

Facebook Messenger’s security is comparable to WhatsApp’s but slightly worse. E2E encryption is not enabled by default; you need to enable it for each chat manually. Some conversations can never be encrypted, such as chats in Facebook groups, chats with businesses, Marketplace sellers, and “others” (whatever that means).

Skype

Like Facebook Messenger, Skype does not E2E encrypt conversations by default. Not only must you enable encryption on a chat-by-chat basis, but you also have to send an invitation for a private conversation (itself unencrypted) to the person you want to have an encrypted conversation with. Once the recipient accepts the invitation, E2EE is applied to text and voice.

So Signal is the clear winner here. If privacy and security are high on your list of requirements for a messaging app, then Signal is the one to go for. But while it’s the best we’ve got (and it’s excellent), there’s no such thing as 100% privacy and security.

Signal is secure, but…

All of the above makes it abundantly clear that Signal is private and secure. In fact, it’s the most private and secure voice and chat app available.

But that doesn’t mean it’s bulletproof.

In 2023, a team of security researchers found a method to obtain the location of Signal users with an accuracy of just about 82% using a specially crafted timing attack. In this attack, malicious actors can measure how long it takes a targeted Signal user to receive their messages based on the timestamp of the delivery notification that the target device sends back to them once it receives the message.

This attack is made possible by the fact that mobile networks and instant messaging server infrastructure have specific physical characteristics that determine the message’s path for delivery (i.e., the signal pathway). The delays these signal pathways generate in the messages’ delivery times are predictable and based on the target’s location, making it possible for the attacker to deduce the target’s location. All versions of the Signal app (smartphone, tablet, or desktop) are vulnerable to this attack.

I wrote an entire post on the subject, which I recommend you read if you want to get more details on this vulnerability. But I’ll provide some tips on what you can do to mitigate this attack somewhat.

Connect to a VPN

By using Signal over a VPN, you’re adding overhead to your connection, which creates latency that offsets the predictable delivery delays the attackers are banking on. The further away the VPN server you connect to is, the more latency you’ll be adding, potentially throwing off the attacker.

You can switch VPN servers randomly to add even more noise to your messages’ delivery times.


Wrapping up

There’s no such thing as a 100% secure product. Maybe gods could achieve that, but that’s not us. We’re fallible humans, and we create imperfect things. But however imperfect Signal may be (along with every other voice & chat app out there), it remains highly private and secure. And the bottom line is that it’s the best thing we’ve got for secure communication.

If the privacy and security of your communications are important to you, I really recommend you use it. And because its end-to-end encryption also applies to your contacts’ attachments, Signal is a great way to securely send files (even large files) to your contacts (though I would recommend using the desktop app to send very large files).

So, is Signal safe? Check. Is it private and secure? Check. Is it as easy to use as any other voice and chat app? Check. Should you be using it? Absolutely.