Signal is an open source, free messenger app created by Open Whisper Systems, the developers of RedPhone and TextSecure. Launched in 2015, Signal combines the functionality of the two apps (in fact, they have now become Signal), supporting secure encrypted messages and VoIP voice calls. The app is designed to help you keep your conversations private, and it is available for Android and iOS.
Signal aims to replace regular SMS messenger options by giving you the possibility of sending and receiving messages in the traditional way. The main difference is that all messages sent to Signal users in your contact list are automatically encrypted. When you send a text to someone who is not using Signal, you can invite them to get the app or simply send a message as a normal, non-encrypted SMS. Although TextSecure offered the option to send encrypted messages over SMS (not only internet), the option is not available in Signal.
Apart from its text functionality, Signal can be used for making and receiving calls from within the app. If you call someone who is also using Signal, the call is encrypted. Just like with Skype, the calls between app users are routed over the internet and are free, but what makes Signal stand out is that it offers enhanced security. When you call someone who doesn’t use the app, it loads their telephone number and a normal call (not encrypted and subject to charges) will take place.
CyanogenMod is a highly popular alternative operating system for Android devices and it integrates Signal as its default messenger app. In fact, WhatsApp itself has adopted the same TextSecure protocol that serves as the basis for Signal. Like its predecessors TextSecure and RedPhone, Signal even received recognition from Edward Snowden, who tweeted about the app and confirmed that he uses it.
The fact that Signal is open source means that the code can be audited independently for backdoors and other issues. TextSecure was previously given the all-clear by security experts. Signal encrypts all messages on the sender’s phone before transmission and decrypts them on the recipient’s device once the message is received. This ensures that the messages can’t be read if they are intercepted in transit, and they can be stored on the phone as well.
Every message is encrypted with Perfect Forward Secrecy using an ephemeral Curve25519 key. Even if any keys are broken, the attacker will not be able to access the full conversation. The body of the text is encrypted with 256-bit AES in CTR mode with Curve25519 Diffie-Hellman handshake/key protection, as well as SHA256 hash authentication. VoIP calls performed through Signal are also encrypted client-side and all voice communications between the app and servers are protected using TLS. The contents of the communications are encrypted with 128-bit AES-CBC, with SHA1 hash authentication.
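The forward-secrecy property described above can be shown with a short added example (not part of the original article and not Signal's own code): both ends use fresh Curve25519 key pairs for each message, and a private key stolen from one exchange fails against another. It uses a pure-Python X25519 from RFC 7748 and HKDF to derive a cipher key and an HMAC-SHA256 key; the function names, the constructed message bodies and the one-exchange-per-message model are assumptions, and the AES-CTR step itself is left to a cipher library.

```python
import hashlib, hmac, os

P, A24, BASE = 2**255 - 19, 121665, (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Not constant time: illustration only."""
    s = bytearray(k); s[0] &= 248; s[31] = (s[31] & 127) | 64  # clamp scalar
    n, x1 = int.from_bytes(s, "little"), int.from_bytes(u, "little") % 2**255
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:  # conditional swap of the two ladder points
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = aa - bb
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def hkdf(secret: bytes, info: bytes) -> bytes:
    """HKDF-SHA256 (RFC 5869), zero salt: 32-byte cipher key + 32-byte MAC key."""
    prk = hmac.new(b"\0" * 32, secret, hashlib.sha256).digest()
    t1 = hmac.new(prk, info + b"\x01", hashlib.sha256).digest()
    return t1 + hmac.new(prk, t1 + info + b"\x02", hashlib.sha256).digest()

def keypair():
    sk = os.urandom(32)
    return sk, x25519(sk, BASE)

def exchange(body: bytes) -> dict:
    """One message: both ends use fresh ephemeral keys (hypothetical helper)."""
    (a_sk, a_pub), (b_sk, b_pub) = keypair(), keypair()
    keys = hkdf(x25519(a_sk, b_pub), a_pub + b_pub)
    assert keys == hkdf(x25519(b_sk, a_pub), a_pub + b_pub)  # both ends agree
    # keys[:32] would key AES-256-CTR; keys[32:] authenticates the message.
    tag = hmac.new(keys[32:], body, hashlib.sha256).digest()
    # a_sk is returned only so the demo can simulate a later key compromise.
    return {"a_pub": a_pub, "b_pub": b_pub, "body": body, "tag": tag, "a_sk": a_sk}

def stolen_key_opens(stolen_sk: bytes, msg: dict) -> bool:
    """Does a stolen ephemeral private key reproduce this message's MAC key?"""
    keys = hkdf(x25519(stolen_sk, msg["b_pub"]), msg["a_pub"] + msg["b_pub"])
    guess = hmac.new(keys[32:], msg["body"], hashlib.sha256).digest()
    return hmac.compare_digest(guess, msg["tag"])
```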
Although the encryption used for calls is not as strong as what is applied to text messages, this can be explained by the fact that the encryption/decryption of data requires a high level of processing power and the quality of calls can be affected by high encryption. The encryption used by Signal to protect calls would be enough in most cases, but if you are handling sensitive information, it is advisable to use the text messaging option instead.
While Signal in general presents a reliable and secure communication solution, there are some concerns that should be considered. One of them refers to the baseband processor, which is included in all the smartphones currently available. The issue is that baseband processors are like a secondary operating system in your device and they run proprietary, closed software that is not well documented or understood. Their design is outdated and it facilitates exploits because there is practically no mitigation in place for these.
Furthermore, every baseband processor by default trusts any data that is received from a base station, such as a cell tower. There are no checks performed and all data is trusted automatically. With this in mind, in theory at least, it would be possible for ISPs to bypass any encryption used by any app running on a mobile phone in real time, which would allow them to access all content on that particular phone in cleartext, just by accessing the content as it is encrypted or decrypted.
There is no confirmation that this can actually happen or that it has happened. It should also be noted that Signal is not directly responsible for this flaw; it is an issue that affects all mobile security software. Plus, only an organization with access to highly advanced tools (such as the NSA) would be able to break into encrypted communications, and it would need to target the phone specifically. The best way to address this vulnerability would be open source baseband processor firmware, but unfortunately this is not available at this time. However, users who want to maintain their privacy can take measures such as using hardware that doesn’t support cellphone functionality and a secure OS like TAILS, as well as a desktop messaging or VoIP app that offers high security.
While baseband processor issues can affect Signal, they are not the app’s fault as previously mentioned. However, there is an aspect that causes some concern and it is the source of the funds received by open source developers. This is a question that relates not only to Signal, but also to other open source projects that may receive money from agencies that are funded by the US government.
While funding is crucial to continue working on the development of secure systems, receiving financial assistance from sources related to the government could compromise the integrity of these projects. However, it has to be said that in the case of Signal, there is no strong evidence showing that the security of the app has been affected by the funding issues.
Google Play Services is another element that could affect the security of Signal. The official Android app of Signal uses the Google Play Services framework for installation and running. This is considered a security flaw by many, given the fact that this proprietary software gives Google the possibility of carrying out low-level, yet extensive, monitoring of users’ devices.
Computer security researcher Moxie Marlinspike, who is also the chief developer of Signal and founder of Open Whisper Systems, has addressed this requirement for Google Play Services, stating that the app needs Google’s GCM push messaging framework. Additionally, the app only uses GCM for wakeup event purposes. If you don’t want to have Google Apps on your phone, you can opt for LibreSignal, a version of the app that works with Websockets and doesn’t require the installation of Google Play Services.
How does Signal work?
In order to start using Signal, you need to register using your phone number, since the app is meant to replace your traditional messaging app. Once you register, the app will generate a key pair and it is possible to verify the identity of other users by reading your identity/public keys to each other. All your previous messages and history are imported and your dialler contact list is used by default.
The app allows you to send contact information, videos, audio files and pictures, and there is a group chat mode available. You can also encrypt messages locally, protecting them with a passphrase to prevent eavesdropping. It is worth mentioning that while Signal is very similar in functionality to WhatsApp and the latter uses the TextSecure protocol now, the two apps are not compatible.
Signal is open source so it can be independently audited, while WhatsApp is closed source and owned by Facebook, which doesn’t hold a good record in terms of privacy. In fact, recently the messaging app faced controversy when it announced that users’ data will be shared with Facebook. Although users can opt out in their security settings, there is still concern about the user’s information that Facebook may be able to access through WhatsApp.
Signal is an option that enhances the privacy and security of your communications and it is also a practical alternative to your default SMS/MMS client. It is considered by many as the most secure solution of its kind available and provides a convenient way to protect the privacy of your texts and voice calls.