Editor’s note: Signal provides good protection against dragnet surveillance, but the capabilities of state agencies and large corporations probably allow them to bypass the security provided by apps like this in targeted cases. In other words, Signal is not bulletproof. If your device is compromised, your message are compromised. We recommend Signal and other end-to-end encrypted communication methods as a baseline for safer communication, but in cases of serious risk, other measures must be taken.
By Martin Shelton / Originally published as Signal for Beginners at the Freedom of the Press Foundation
For some reason, people have gotten pretty interested in mobile security lately. So let’s talk about a secure messaging app called Signal.
Signal gives you encrypted messages, as well as voice and video calls. It relies on data, so it’s a great option for free calls and texts over wi-fi. This can be a huge advantage for those of us who don’t want to pay for SMS text messages and phone calls, or who want to make free international calls.
It’s not only convenient, but security experts recommend Signal for a few different reasons. Signal is end-to-end encrypted, meaning that no one but your device and conversational partner’s device can read the messages you send. The team behind the software, Open Whisper Systems, is a privacy centered not-for-profit organization, and relies on grants and donations. Perhaps most importantly, Signal is open source, meaning that the code is publicly viewable. It can be examined for potential security holes, and has stood up to auditing. All of these features make Signal one of the best options for boosting your communication security.
Getting started with Signal
When you first launch the app, it will ask you to verify your phone number.
iPhone users: Type in your number and hit “Activate This Device.” You’ll receive a six-digit code via SMS text message, then type in the code and hit “Submit Verification Code.”
Android users: Type in your phone number, hit “Register” wait for the app to verify your phone number. When it finishes, it will ask if you want to make Signal your default messaging app, which will allow you to receive both SMS messages and Signal messages on the app. That’s up to you, but it’s important to remember that Signal will not encrypt conversations with anyone using regular old SMS text messages.
Click the messaging icon (with the pencil). From here, you can message your contacts who have installed the app. Click on someone who you want to talk to. That’s it — just type in the message and send. From inside the conversation, you can also click the phone icon in the top right corner to start an encrypted call.
Get fancy with messaging
Use group messaging
iPhone users: From the main screen, click the message icon at the top right. Click the group messaging icon in the top right.
Android users: Click the settings icon at the top right and hit “New group.”
From here, you can name your group and add multiple people. You can also change the group icon by clicking on the image to the left. Later, you can always make changes to the group by clicking the conversation settings for the group at the top right.
Signal on desktop
You can use Signal on your desktop as well! Before jumping in, think about whether Signal for desktop works for your situation. If you’re having highly sensitive conversations and think you may have malicious software on your personal computer, you probably don’t want to feed your encrypted messages into that infected machine. For example, if you’re infected with malicious software designed to log your keystrokes or send screenshots to a remote attacker, encryption won’t protect your messages.
If it makes sense for you, try Signal for your desktop. It offers similar messaging features to the mobile app, supporting messages, but not calls.
You can send files by clicking the attachment (paperclip) icon at the bottom of a conversation. This is very important: you can send GIFs here.
Get fancy with security
Make messages disappear
If you want to delete a specific message, press and hold the message. When the menu pops up, click “Delete.” Because Signal stores all of your messages locally and not on a remote server, you are only deleting the message on your personal device. Your conversational partner may still have it.
If you and your conversational partner want to get rid of messages after a certain amount of time by default, there’s a way to do that.
iPhone users: Click on your conversational partner’s name at the top of the screen to open the conversations settings menu.
Android users: Click the settings icon (three dots) in the top right corner. Click “Disappearing Messages.”
Use the slider to change the amount of time you’d like to wait before messages disappear after they’ve been viewed — anywhere from 5 seconds to a week. Again, messages will disappear for both you and your conversational partner. If you change your mind later, you can always change your settings from this menu, or remove disappearing messages.
iPhone users: To delete all messages across all of your contacts, click the settings icon in the top left and navigate to Privacy > Clear History Logs.
Lock screen notification security
Even when your phone is locked, someone with physical access can still read the message and sender name on your lock screen. But we can fix that.
iPhone users: you can find these settings under Settings > Notifications > “Show.” On this page, you can have Signal display sender name and message, sender name only, or no name or message.
Android users: Device > Sound & notification > When device is locked. On this page, you can have Signal show all notifications, “Hide sensitive information content” or don’t show notifications at all. If you still want alerts but don’t want names or messages visible on your lock screen, hit “Hide sensitive information content.”
Now your messages aren’t readable on your lock screen.
On most messengers, there is no way to know that your message isn’t intercepted by a third party. With Signal, you can verify that the current conversation is secure for both messages and calls. Consider verifying your session for sensitive conversations.
You can verify your session with safety numbers. Open a conversation with someone. For iPhone, click the person’s name at the top of the screen, and tap “Show Safety Number.” On Android, click the Settings > Conversation settings > Verify safety numbers. From there, you’ll see a QR code and your safety numbers.
If you and your conversational partner are seeing the same numbers, your session is secure. You want to verify that your numbers match on a different channel — for example, over Twitter DMs, Facebook, Google Hangouts, or a regular old phone call.
If you’re in person with someone, one of you can click “Scan code.” Scan the other person’s QR code with your camera.
You won’t need to verify safety numbers again until someone starts a new session (e.g., when someone gets a new phone).
Signal is not bulletproof
Perhaps it goes without saying, but encryption won’t help with someone who has physical access to your unlocked phone. If you haven’t done so, password protect your device. Exit Signal and turn on your passcode.
iPhone users: Settings app > Touch ID & Passcode
Android users: Settings app > Security > Screen lock
Remember that strong encryption won’t help if your device or your partner’s device is compromised with malware. For example, some kinds of malware are designed to send screenshots of your messages to a remote hacker. The best defense is to simply install new software updates for Signal and your device itself. These updates usually contain valuable security patches; get them as soon as possible.
If your phone is ever lost or stolen, thieves can copy and read data off the device, including your encrypted messages. Luckily it’s pretty easy to protect your device with disk encryption. If you use a modern password-protected iPhone, your device is already encrypted. A few Android devices are encrypted by default (the Pixel line, and some phones in the Nexus line). Android users can enable disk encryption in minutes.
Signal retains nearly no metadata — who spoke to whom, when, and the length of a call. Importantly, however, it’s not designed to prevent live eavesdroppers from capturing metadata.
iPhone users: Signal lets you see your Signal call history from your phone app, like any other call. This might be convenient, but may also allow your iPhone to sync this call history with iCloud (including who spoke to whom, when, and the call length). If you use iCloud and don’t want to upload call history on Signal, double check that it’s turned off: Settings > Privacy > Show Calls in Recents > Disabled.
Signal will occasionally drop calls or texts, and because it relies on data, there will be times you’ll prefer to use phone minutes instead. We need regular phone calls and texts sometimes. That’s okay. But we can protect more of our communications and encourage our friends to do the same.
You’re caught up!
That’s nearly everything new users should know about Signal. If it’s a service you value, consider donating to Open Whisper Systems. For technical folks, contribute code. And if you want to learn more about how to get started with digital security, read Securing Your Digital Life Like a Normal Person. Feel free to reach out with thoughts or suggestions.
Edit: I’ve changed the old donation links to newer ones, and I’ve updated information on Signal’s iOS call history and iCloud. I’ve also clarified about what Signal can and can’t protect with respect to metadata.
This article is crossposted with the Freedom of the Press Foundation. Last updated October 21, 2018.
Signal for Beginners is republished here under a Creative Commons Attribution 4.0 International (CC BY 4.0) license. Click here for more on security culture.