Signal to those looking for privacy

[harlan4096]

Everything you need to know about the privacy-focused messaging app.

The Signal messaging app leapt in popularity in January 2021, when WhatsApp changed its privacy policy. Following Elon Musk’s laconic call to use Signal, millions of users downloaded the app, resulting in temporary technical issues with the service.

However, cybersecurity experts have known about Signal for a long time, and that’s no wonder; developers have spent years polishing the app’s privacy and security. Here’s what they have achieved and how to make Signal even more secure.

Signal features

Features available to all Signal users include end-to-end encryption, secure data storage, and the ability to view Signal’s code.

End-to-end encryption — a pillar of privacy

One of Signal’s indisputable advantages is its default use of end-to-end encryption. That means only the parties chatting with one another can read their texts, and nobody — not even the app’s developers — can listen in on individual or group calls. Using end-to-end encryption is an important way to improve messaging security.

In many ways, it was thanks to Signal that end-to-end encryption became so widely used in messaging apps. Even the competing WhatsApp, Facebook Messenger, and Skype use the Signal Protocol for secure communication. But by comparison, Signal encrypts much more data.

Unlike Telegram, whose end-to-end encryption works only in so-called secret chats for two users, Signal also encrypts group chats and calls end to end. Moreover, the service does not store group information such as participants, title, and avatar.

The developers of Signal also protect chat metadata — extra info about who wrote to whom — which can be no less sensitive than the contents of the chat and is a frequent source of confidential information leaks.

Finally, Signal also encrypts user profile info. Only the users you approve (contacts, people you have written to, and those you expressly permit to view your account data) can see your name, avatar, and status.

Privacy of contacts and secure enclaves

Signal employs so-called secure enclaves, isolated storage on its servers to which even the server owners have no access. It is because of that isolation that you can learn which of your contacts use Signal without disclosing your address book to the developers. The app sends an encrypted request to the enclave; the latter checks your contacts against registered users’ numbers and returns an encrypted response. No other living soul will see the content of your request.

Transparency policy

As an open-source project, Signal makes its code freely available, so a tech-savvy user can read or build code for Signal’s server software, Android and iOS apps, and desktop versions for Windows, macOS, and Linux, to make sure they contain no backdoors that would provide access to users’ sensitive data.

Setting up Signal

Beyond the app’s inherent security, Signal lets users opt for greater privacy and security with a variety of settings.

Signal PIN

You can use a Signal PIN to recover your profile as well as the settings and contacts that you save in the app (i.e., contacts not present in your address book), and the list of your blocked contacts, should you lose your device or reinstall the app.

Does that mean your data is actually stored on Signal servers and accessible to developers or hackers ? Yes and no. Yes, the information is really stored on the servers. But no, it can’t be stolen because it is encrypted and kept in the abovementioned secure enclaves — and the only key to it is that PIN, which only you know.

The app prompts users to set up a PIN at registration, and you can change yours in the settings. In case you don’t trust the PIN and the enclaves enough, you can deactivate the feature, either during registration or through the settings. If you do so, however, then if you delete the app you will also be deleting all of the data it’s stored on your device, including contacts not in your address book.

Also, if you have no PIN, someone else can potentially register in Signal using your phone number, for example using SIM swapping. The same can happen if you haven’t used the number long enough for it to be disconnected and issued to another person.

Privacy settings

To protect your chats from anyone who happens to handle your smartphone, we recommend activating the screen lock feature in the app settings. Once it’s active, you’ll need to use the same code, fingerprint, or Face ID to access the app as you use to unlock the phone.

By default, the app doesn’t lock when you collapse it, so make sure to change that setting. Both Android and iOS users can set a screen lock timeout duration in the privacy settings or choose Instant. Once locked, Signal will require your code, fingerprint, or Face ID each time you switch back to the app.

Android users, in addition to relying on an inactivity timeout, can alternatively lock the app manually from the notification bar.

The Android version of Signal has another useful privacy feature in the settings: the incognito keyboard. If you turn it on, your smartphone will no longer learn your new and most frequently used words and phrases and prompt you for them on the go — meaning the keyboard app will not process and keep the text you type. The incognito keyboard may not work with some devices, in which case the app will warn you when you try to activate the function.

Finally, you may choose whether you want your contacts to see whether you have read an incoming message or are typing text. Similar to other messaging apps, once you deactivate the option, you will no longer receive the same info about other users.
...

Continue Reading