The Signal messenger app encrypts voice and text messages

Private Messenger

Article from Issue 196/2017
Author(s):

Signal is an efficient private messenger app that encrypts voice and text messages, integrates easily into existing interfaces, and places all communications in a single display.

Dozens of private messenger apps are available today; however, only one has the endorsement of both Edward Snowden and Bruce Schneier and is recommended by both the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union. That app is Signal Private Messenger, developed by the non-profit Open Whisper Systems [1] for Android, iOS, and desktop environments. These endorsements are the result of not just Signal's ability to encrypt voice and text messages, but also its ability to integrate into existing interfaces for ease of installation and use.

Signal originated in RedPhone and TextSecure, two proprietary encryption tools for Android developed by Whisper Systems, founded by Moxie Marlinspike and Stuart Anderson. Whisper Systems was bought by Twitter in November 2011, and within half a year, both RedPhone and TextSecure, were released under the third version of the GNU General Public License. A year later, Marlinspike left Twitter to found Open Whisper Systems, which is funded by donations and grants, a neutrality that partially explains the high regard for its products.

Since 2013, Open Whisper Systems has merged RedPhone and TextSecure into a single application, adding encrypted group chat and gradually developing Android and iOS versions with comparable feature sets. Recently, it released a beta version of Signal Desktop [2] in the form of a Chrome app. So far, the desktop version, compared with the other versions, has a simplified feature set lacking password protection, for example. However, when linked to a mobile device, Signal Desktop provides centralized storage, as well as the increased usability of a mouse and a full-size keyboard.

Signal is designed as a drop-in replacement for both for voice and text messaging apps (Figure 1). Although voice and text messages use separate protocols, from the perspective of users, the two are treated almost identically, and both are free of cost. Contacts are added from a device's Contact app into Signal, with encryption keys stored locally.

Figure 1: Signal displays both phone and text messages in a single display. Here, the log of a text conversation displays.

Calls in Signal are routed through Open Whisper Systems' servers, which handles the exchange of public keys without the need of input from users. Unlike the popular Pretty Good Privacy (PGP) [3], Signal's protocols switch encryption keys regularly, making conversations harder to crack. Although such encryption keys are ordinarily called fingerprints, Signal refers to them as safety numbers [4] – presumably to replace the often obscure jargon with a more user-friendly term. Users can manually approve and verify safety numbers, either visually or through a QR code, but Signal can still function without these steps.

Additionally, users can manually delete messages or set times when they will be deleted automatically. Signal and its database can also be protected with a passphrase.

What is noticeable about all of Signal's operations is how much they are hidden by default. In most encryption implementations, encrypting and decrypting are additional steps, and these complications probably deter many from using them regularly. By contrast, encryption in Signal is invisible to users unless they specifically change the settings. From the interface, using Signal appears no more complicated than unencrypted messaging – a claim that few other messaging systems can make, although Signal protocols have been widely borrowed, including in CyanogenMod and Facebook Messenger.

Installing Signal

Signal requires installation on an Android or iOS phone. Tablets are not currently supported. For convenience, you can also install Signal Desktop, although it is not necessary for using Signal and cannot operate on its own.

Installing on an Android phone (Figure 2) is only slightly more complicated than installing any app in the Google Play Store [5]. However, if necessary, you can follow the instructions at the EFF website [6]. Similar instructions are available for installing to iOS devices from the Apple App store. Unlike most Android apps, it requires access to almost all aspects of your phone, which for any other app might be a security risk.

Figure 2: Signal installs as an Android app (shown here) or as an iOS app (not shown).

Once Signal installs, enter your country and phone number and click the Register button. After you re-enter this information to ensure accuracy, Signal verifies your number and sends you a confirmation text.

The installer then asks if you want to make Signal your default messaging app and imports your existing contacts if you accept. Your phone's default app will probably warn of dire consequences if you do so, but you can still use the original app if necessary, so this warning can be safely ignored. In fact, since Signal displays both voice and text messages for which you have a phone number in a single list, if anything, switching to Signal is a general convenience. Besides, if a listing is not Signal-enabled, Signal still lets you exchange unencrypted messages with it, so there is really no reason to be concerned about the replacement.

At this point, Signal is ready to use. However, you might choose to install Signal Desktop, which is not capable of sending messages by itself but offers the convenience of a larger screen and the use of a mouse.

Signal Desktop is also available as a Chrome app [7]. So far, at least, it does not run on any web browser except Chrome or Chromium, although it can be used with other Android or iOS phones.

Signal Desktop is installed via a wizard (Figure 3). At the end of the installation, the wizard displays a QR code (Figure 4). For Signal Desktop to function, you must link it by selecting on a device Setting | Linked devices from the menu in the upper right corner, and then scanning the QR code that displays from your phone. When the desktop recognizes the QR code, encryption keys are generated for communication between the phone and the desktop. If you add or delete contacts when using the linked phone without Signal Desktop, the next time you use it, select Settings |Contact |Import Now to resync.

Figure 3: A wizard guides users through the installation of Signal Desktop.
Figure 4: Signal uses QR codes to transmit encryption keys between Signal Desktop and a phone.

Using Signal

Whether you are using the desktop or a phone, Signal is much the same. The main differences are that the desktop has fewer settings and, in the beta version, has three restrictions: It can delete but not add contacts, shows only contacts with which you have interacted, and can only place a call with phone or voice if you have already done so at least once from the linked phone.

On a linked phone, you can still use the original apps for contacts and phone calls without using Signal, but any missed messages from Signal display in them. Additionally, the phone has options for setting notifications. On both the desktop and the phone, you should add a passphrase to Signal – after all, it hardly makes sense to go to the trouble of setting up encryption, and then having encrypted messages accessible to anyone who reaches your desktop. Start Signal Desktop from the Apps icon in the upper left corner of the browser.

To communicate, either click the phone icon in the title bar of a contact or use the text field at the bottom of the screen. You can also add an image or audio file, a shot from the camera, your location, or another contact to a message by selecting the paper clip at the bottom right of the screen.

If the phone number you are contacting is not already Signal-enabled, you can still send to it. However, when you call unenabled numbers, an option displays below the title bar that gives you an option to invite your contact to join Signal. In any other app, this option might seem like blatant opportunism, but because all parties in a conversation need to use Signal for encryption, in this case, the advertising seems forgivable.

From each contact, you can also manage your exchanges using the menu at the upper right in the title bar. As you might expect, you can delete the log of your exchanges or change the color-coding for the contact. More unusually, you can set the time from the present that the log expires, display all exchanged images, or verify safety numbers with the link provided (Figure 5). Should a contact become a nuisance, another option is to block them via the Conversation settings submenu.

Figure 5: Although Signal handles the exchange of encryption keys automatically, you can verify them for yourself.

An Example for Security

Signal does have a few limitations. In particular, contacts must have a phone number, not just an email address. Perhaps the most serious limitation is that it must run on specific equipment and operating systems. However, given that the necessary conditions, hardware, and software are readily available, these limitations are mostly matters of preference and are seldom a barrier to using Signal.

The greatest barrier is undoubtedly convincing others to use it, and even that is changing with the current political and social climates.

Even so, Signal is gaining popularity with a speed that few comparable apps can match. I suspect that the secret of its success is that it hides the complexity of encryption from users who simply want its services. Just as importantly, even without encryption, Signal is an efficient messenger, replacing preinstalled apps without a problem, and placing all communications in a single display. Through these tactics, Signal makes encryption a feature that anyone can use – and, in doing so, sets an example for the entire industry.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • How Signal does security right.
  • Chat Freely with Jami

    The messenger app Jami offers clients for all popular operating systems and promises maximum anonymity for chats, as well as voice and video calls, by dispensing with central servers.

  • Tox

    The Tox protocol uses file-sharing techniques for messaging and audio-video chats, which gives users a greater degree of privacy and freedom.

  • KTools: KMobileTools

    Composing text messages on a mobile phone isn’t easy. A handy application called KmobileTools helps you manage your SMS messages and calls.

  • FOSSPicks

    Like tardy London buses, Graham has waited months for a decent open source instant messenger client to arrive, and then in this month's FOSSPicks, he found two. Perfect for staying in touch with friends and family from the comfort of your own sofa.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More

News