Signal Private Messenger

Bringing Encryption to Everybody

By

Signal is an efficient private messenger app that encrypts voice and text messages, integrates easily into existing interfaces, and places all communications in a single display, making encryption a feature that anyone can use.

Signal is an efficient private messenger app that integrates easily into existing interfaces and places all communications in a single display, making encryption a feature that anyone can use.

Dozens of private messenger apps are available today; however, only one has the endorsement of both Edward Snowden and Bruce Schneier and is recommended by both the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union. That app is Signal Private Messenger, developed by the non-profit Open Whisper Systems for Android, iOS, and desktop environments. These endorsements are the result of not just Signal’s ability to encrypt voice and text messages, but also its ability to integrate into existing interfaces for ease of installation and use.

Signal originated in RedPhone and TextSecure, two proprietary encryption tools for Android developed by Whisper Systems, founded by Moxie Marlinspike and Stuart Anderson. Whisper Systems was bought by Twitter in November 2011, and within half a year, both RedPhone and TextSecure, were released under the third version of the GNU General Public License. A year later, Marlinspike left Twitter to found Open Whisper Systems, which is funded by donations and grants, a neutrality that partially explains the high regard for its products.

Since 2013, Open Whisper Systems has merged RedPhone and TextSecure into a single application, adding encrypted group chat and gradually developing Android and iOS versions with comparable feature sets. Recently, it released a beta version of Signal Desktop in the form of a Chrome app. So far, the desktop version, compared with the other versions, has a simplified feature set lacking password protection, for example. However, when linked to a mobile device, Signal Desktop provides centralized storage, as well as the increased usability of a mouse and a full-size keyboard.

Signal is designed as a drop-in replacement for both for voice and text messaging apps (Figure 1). Although voice and text messages use separate protocols, from the perspective of users, the two are treated almost identically, and both are free of cost. Contacts are added from a device’s Contact app into Signal, with encryption keys stored locally.

Figure 1: Signal displays both phone and text messages in a single display. Here, the log of a text conversation displays.

Calls in Signal are routed through Open Whisper Systems’ servers, which handles the exchange of public keys without the need of input from users. Unlike the popular Pretty Good Privacy (PGP), Signal’s protocols switch encryption keys regularly, making conversations harder to crack. Although such encryption keys are ordinarily called fingerprints, Signal refers to them as safety numbers – presumably to replace the often obscure jargon with a more user-friendly term. Users can manually approve and verify safety numbers, either visually or through a QR code, but Signal can still function without these steps.

Additionally, users can manually delete messages or set times when they will be deleted automatically. Signal and its database can also be protected with a passphrase.

What is noticeable about all Signal’s operations is how much they are hidden by default. In most encryption implementations, encrypting and decrypting are additional steps, and these complications probably deter many from using them regularly. By contrast, encryption in Signal is invisible to users unless they specifically change the settings. From the interface, using Signal appears no more complicated than unencrypted messaging – a claim that few other messaging systens can make, although Signal protocols have been widely borrowed, including in CyanogenMod and Facebook Messenger.

Installing Signal

Signal requires installation on an Android or iOS phone. Tablets are not currently supported. For convenience, you can also install Signal Desktop, although it is not necessary for using Signal and cannot operate on its own.

Installing on an Android phone (Figure 2) is only slightly more complicated than installing any app in the Google Play Store. However, if necessary, you can follow the EFF’s instructions. Similar instructions are available for installing to iOS devices from the Apple App store. Unlike most Android apps, it requires access to almost all aspects of your phone, which for any other app might be a security risk.

Figure 2: Signal installs as an Android (shown here) or as an iOS app (not shown).

Once Signal installs, enter your country and phone number and click the Register button. After you re-enter this information to ensure accuracy, Signal verifies your number and sends you a confirmation text.

The installer then asks if you want to make Signal your default messaging app and imports your existing contacts if you accept. Your phone’s default app will probably warn of dire consequences if you do so, but you can still use the original app if necessary, so this warning can be safely ignored. In fact, since Signal displays both voice and text messages for which you have a phone number in a single list, if anything, switching to Signal is a general convenience. Besides, if a listing is not Signal-enabled, Signal still lets you exchange uncrypted messages with it, so there is really no reason to be concerned about the replacement.

At this point, Signal is ready to use. However, you might choose to install Signal Desktop, which is not capable of sending messages by itself but offers the convenience of a larger screen and the use of a mouse.

Signal Desktop is available as a Chrome app. So far, at least, it does not run on any web browser except Chrome or Chromium, although it can be used with other Android or iOS phones.

Signal Desktop is installed via a wizard (Figure 3). At the end of the installation, the wizard displays a QR code (Figure 4). For Signal Desktop to function, you must link it by selecting on a device Setting | Linked devices from the menu in the upper right corner, then scanning the QR code that displays from your phone. When the desktop recognizes the QR code, encryption keys are generated for communication between the phone and the desktop. If you add or delete contacts when using the linked phone without Signal Desktop, the next time you use it, select Settings | Contact | Import Now to resync.

Figure 3: A wizard guides users through the installation of Signal Desktop.
Figure 4: Signal uses QR codes to transmit encryption keys between Signal Desktop and a phone.

Using Signal

Whether you are using the desktop or a phone, Signal is much the same. The main differences are that the desktop has fewer settings and, in the beta version, has three restrictions: It can delete but not add contacts, shows only contacts with which you have interacted, and can only place a call with phone or voice if you have already done so at least once from the linked phone.

On a linked phone, you can still use the original apps for contacts and phone calls without using Signal, but any missed messages from Signal display in them. Additionally, the phone has options for setting notifications. On both the desktop and the phone, you should add a passphrase to Signal – after all, it hardly makes sense to go to the trouble of setting up encryption, then having encrypted messages accessible to anyone who reaches your desktop. Start Signal Desktop from the Apps icon in the upper left corner of the browser.

To communicate, either click the phone icon in the title bar of a contact or use the text field at the bottom of the screen. You can also add an image or audio file, a shot from the camera, your location, or another contact to a message by selecting the paper clip at the bottom right of the screen.

If the phone number you are contacting is not already Signal-enabled, you can still send to it. However, when you call unenabled numbers, an option displays below the title bar that gives you an option to invite your contact to join Signal. In any other app, this option might seem like blatant opportunism, but because all parties in a conversation need to use Signal for encryption, in this case, the advertising seems forgivable.

From each contact, you can also manage your exchanges using the menu at the upper right in the title bar. As you might expect, you can delete the log of your exchanges or change the color-coding for the contact. More unusually, you can set the time from the present that the log expires, display all exchanged images, or verify safety numbers with the link provided (Figure 5). Should a contact become a nuisance, another option is to block them via the Conversation settings submenu.

Figure 5: Although Signal handles the exchange of encryption keys automatically, you can verify them for yourself.

An Example for Security

Signal does have a few limitations. In particular, contacts must have a phone number, not just an email address. Perhaps the most serious limitation is that it must run on specific equipment and operating systems. However, given that the necessary conditions, hardware, and software are readily available, these limitations are mostly matters of preference and are seldom a barrier to using Signal.

The greatest barrier is undoubtedly convincing others to use it, and even that is changing with the current political and social climates.

Even so, Signal is gaining popularity with a speed that few comparable apps can match. I suspect that the secret of its success is that it hides the complexity of encryption from users who simply want its services. Just as importantly, even without encryption, Signal is an efficient messenger, replacing pre-installed apps without a problem, and placing all communications in a single display. Through these tactics, Signal makes encryption a feature that anyone can use – and, in doing so, sets an example for the entire industry.

Related content

  • How Signal does security right.
  • Wengophone

    Video telephony, calls to landlines, short messaging, and conferencing: the free Wengophone outpaces competitors in the VoIP field.

  • Z-Wave

    Z-Wave connects components in the smart home and ensures that remote commands from the control station take effect on real household appliances. We look at how it works, its range, the security of the protocol, and some basics that every Z-Waver should know.

  • KTools: KMobileTools

    Composing text messages on a mobile phone isn’t easy. A handy application called KmobileTools helps you manage your SMS messages and calls.

  • Bluetooth Security

    Is your address book open to the world? Is your mobile phone calling Russia? Many users don’t know how easy it is for an attacker to target Bluetooth.

comments powered by Disqus

Issue 195/2017

Buy this issue as a PDF

Digital Issue: Price $9.99
(incl. VAT)

News

njobs Europe
What:
Where:
Country:
Njobs Netherlands Njobs Deutschland Njobs United Kingdom Njobs Italia Njobs France Njobs Espana Njobs Poland
Njobs Austria Njobs Denmark Njobs Belgium Njobs Czech Republic Njobs Mexico Njobs India Njobs Colombia