{"id":40377,"date":"2021-07-02T06:57:59","date_gmt":"2021-07-02T10:57:59","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=40377"},"modified":"2021-07-02T06:57:59","modified_gmt":"2021-07-02T10:57:59","slug":"signal-privacy-security","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/signal-privacy-security\/40377\/","title":{"rendered":"Signal to those looking for privacy"},"content":{"rendered":"

The Signal messaging app leapt in popularity in January 2021, when WhatsApp changed its privacy policy<\/a>. Following Elon Musk\u2019s laconic call to use Signal<\/a>, millions of users downloaded the app, resulting in temporary technical issues with the service.<\/p>\n

However, cybersecurity experts have known about Signal for a long time<\/a>, and that\u2019s no wonder; developers have spent years polishing the app\u2019s privacy and security. Here\u2019s what they have achieved and how to make Signal even more secure.<\/p>\n

Signal features<\/h2>\n

Features available to all Signal users include end-to-end encryption, secure data storage, and the ability to view Signal\u2019s code.<\/p>\n

End-to-end encryption \u2014 a pillar of privacy<\/h3>\n

One of Signal\u2019s indisputable advantages is its default use of end-to-end encryption<\/a>. That means only the parties chatting with one another can read their texts, and nobody \u2014 not even the app\u2019s developers \u2014 can listen in on individual or group calls. Using end-to-end encryption is an important way to improve messaging security<\/a>.<\/p>\n

In many ways, it was thanks to Signal that end-to-end encryption became so widely used in messaging apps. Even the competing WhatsApp, Facebook Messenger, and Skype use the Signal Protocol for secure communication<\/a>. But by comparison, Signal encrypts much more data.<\/p>\n

Unlike Telegram, whose end-to-end encryption works only in so-called secret chats<\/a> for two users, Signal also encrypts group chats and calls end to end<\/a>. Moreover, the service does not store group information such as participants, title, and avatar.<\/p>\n

The developers of Signal also protect chat metadata<\/em> \u2014 extra info about who wrote to whom \u2014 which can be no less sensitive than the contents of the chat and is a frequent source of confidential information leaks<\/a>.<\/p>\n

Finally, Signal also encrypts user profile info. Only the users you approve (contacts, people you have written to, and those you expressly permit to view your account data) can see your name, avatar, and status.<\/p>\n

Privacy of contacts and secure enclaves<\/h3>\n

Signal employs so-called secure enclaves,<\/em> isolated storage on its servers to which even the server owners have no access. It is because of that isolation that you can learn which of your contacts use Signal<\/a> without disclosing your address book to the developers. The app sends an encrypted request to the enclave; the latter checks your contacts against registered users\u2019 numbers and returns an encrypted response. No other living soul will see the content of your request.<\/p>\n

Transparency policy<\/h3>\n

As an open-source project<\/a>, Signal makes its code freely available, so a tech-savvy user can read or build code for Signal\u2019s server software, Android and iOS apps, and desktop versions for Windows, macOS, and Linux, to make sure they contain no backdoors that would provide access to users\u2019 sensitive data.<\/p>\n\n

Setting up Signal<\/h2>\n

Beyond the app\u2019s inherent security, Signal lets users opt for greater privacy and security with a variety of settings.<\/p>\n

Signal PIN<\/h3>\n

You can use a Signal PIN<\/a> to recover your profile as well as the settings and contacts that you save in the app (i.e., contacts not present in your address book), and the list of your blocked contacts, should you lose your device or reinstall the app.<\/p>\n

Does that mean your data is actually stored on Signal servers and accessible to developers or hackers ? Yes and no. Yes, the information is really stored on the servers. But no, it can\u2019t be stolen because it is encrypted and kept in the abovementioned secure enclaves \u2014 and the only key to it is that PIN, which only you know.<\/p>\n

The app prompts users to set up a PIN at registration, and you can change yours in the settings. In case you don\u2019t trust the PIN and the enclaves enough, you can deactivate the feature, either during registration or through the settings. If you do so, however, then if you delete the app you will also be deleting all of the data it\u2019s stored on your device, including contacts not in your address book<\/a>.<\/p>\n

Also, if you have no PIN, someone else can potentially register in Signal using your phone number, for example using SIM swapping<\/a>. The same can happen if you haven\u2019t used the number long enough for it to be disconnected and issued to another person.<\/p>\n

Privacy settings<\/h3>\n

To protect your chats from anyone who happens to handle your smartphone, we recommend activating the screen lock feature in the app settings. Once it\u2019s active, you\u2019ll need to use the same code, fingerprint, or Face ID to access the app as you use to unlock the phone.<\/p>\n

By default, the app doesn\u2019t lock when you collapse it, so make sure to change that setting. Both Android and iOS users can set a screen lock timeout duration in the privacy settings or choose Instant<\/em>. Once locked, Signal will require your code, fingerprint, or Face ID each time you switch back to the app.<\/p>\n

Android users, in addition to relying on an inactivity timeout, can alternatively lock the app manually from the notification bar.<\/p>\n

The Android version of Signal has another useful privacy feature in the settings: the incognito keyboard. If you turn it on, your smartphone will no longer learn your new and most frequently used words and phrases and prompt you for them on the go \u2014 meaning the keyboard app will not process and keep the text you type. The incognito keyboard may not work<\/a> with some devices, in which case the app will warn you when you try to activate the function.<\/p>\n

Finally, you may choose whether you want your contacts to see whether you have read an incoming message or are typing text. Similar to other messaging apps, once you deactivate the option, you will no longer receive the same info about other users.<\/p>\n

Linking devices<\/h3>\n

You can chat in Signal on your smartphone, tablet, and computer at the same time; you just have to link the additional devices to your account.<\/p>\n

To do that, go to Linked devices<\/em> and press +<\/em> to activate the camera and receive a QR code to scan. Next, run Signal on the second device (for example, your PC) and follow the instructions.<\/p>\n

You\u2019ll see a list of all of your linked devices in the app\u2019s settings. We recommend checking that list from time to time for any unknown devices \u2014 that is, unauthorized users. Also don\u2019t forget to unlink any devices you no longer need.<\/p>\n

Chat backups<\/h3>\n

By default, Signal does not create chat backups, but you can activate the feature so that you can recover your chats if need be. Follow the instructions in the settings, and be sure to save the 30-character password phrase the app creates for you. Lose that and your backup copy becomes useless.<\/p>\n

Signal stores backup copies on your device, so if you need to recover your data on a new phone, you will still need access to your old device. That means if you lose your smartphone or it breaks, you won\u2019t be able to restore your chats<\/a>.<\/p>\n

Advanced settings (for the most cautious)<\/h3>\n

These options will completely conceal your messenger activities from prying eyes.<\/p>\n