Signal (messaging app)
Signal is an encrypted messaging service for instant messaging, voice calls, and video calls.[14][15] The instant messaging function includes sending text, voice notes, images, videos, and other files.[16] Communication may be one-to-one between users or may involve group messaging.
Developer(s)
- Signal Technology Foundation,
- Signal Messenger LLC and contributors
7.8.1[3] / 16 May 2024
7.8.1[3] / 16 May 2024
7.11[4] / 18 May 2024
7.9.0[5] / 15 May 2024
6.28.1[6] / 4 August 2023
6.28.1[6] / 4 August 2023
5.18.1.2-beta[7] / 12 August 2021
5.0.0-beta.0[8] / 19 March 2021
- Android 5.0 or later
- iOS 13 or later
- Windows 10 and Windows 11[9]
- macOS 10.15 or later[9]
- Linux distributions supporting APT[9]
- FreeBSD
Encrypted voice calling, video calling and instant messaging
The application uses a centralized computing architecture and is cross-platform software. It is developed by the non-profit Signal Foundation and its subsidiary Signal Messenger LLC. Signal's software is free and open-source. Its mobile clients, desktop client, and server are all published under the AGPL-3.0-only license.[a][b][11][10][12][13] The official Android app generally uses the proprietary Google Play Services, although it is designed to be able to work without them. Signal is also distributed for iOS and as desktop programs for Windows, macOS, and Linux. Registration for desktop use requires an iOS or Android device.[20][21]
Signal uses mobile telephone numbers to register and manage user accounts, though configurable usernames were added in March 2024 to allow users to hide their phone number from other users.[22] After removing support for SMS on Android in 2023,[23][24] the app now secures all communications with end-to-end encryption. The client software includes mechanisms by which users can independently verify the identity of their contacts and the integrity of the data channel.[23][25]
The non-profit Signal Foundation was launched in February 2018 with initial funding of $50 million from WhatsApp co-founder Brian Acton.[26] As of January 2022, the platform had approximately 40 million monthly active users. As of May 2021, it was downloaded more than 105 million times.[27][28]
Signal Timeline
Moxie Marlinspike and Stuart Anderson (Whisper Systems) launch TextSecure and RedPhone on Android.[29]
Moxie Marlinspike leaves Twitter and founds Open Whisper Systems (OWS) as a collaborative open source project for the continued development of TextSecure and RedPhone.[34][35]
OWS adds end-to-end encrypted group chat and instant messaging capabilities to TextSecure.[36]
RedPhone is merged into TextSecure on Android and the app is renamed as Signal.[41]
Signal Desktop is launched as a Chrome App.[42]
Moxie Marlinspike and Brian Acton launch the Signal Foundation with an initial $50 million in funding from Acton, who had left WhatsApp's parent company Facebook in September 2017.[46][47]
Features
Signal provides one-to-one and group[118] voice and video[14] calls with up to forty participants on iOS, Android, and desktop platforms.[119][120] The calls are carried via the devices' wired or wireless (carrier or WiFi) data connections.[69] The application can send text messages, document files,[16] voice notes, pictures, GIFs,[121] and video messages. The platform also supports group messaging.
All communication sessions between Signal users are automatically end-to-end encrypted (the encryption keys are generated and stored on the devices, and not on servers).[122] To verify that a correspondent is really the person that they claim to be, Signal users can compare key fingerprints (or scan QR codes) out-of-band.[123] The platform employs a trust-on-first-use mechanism to notify the user if a correspondent's key changes.[123]
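The trust-on-first-use and out-of-band fingerprint check described above can be sketched as follows. This is an added example, not Signal's code: the `TofuStore` class, the SHA-256 fingerprint format, the choice to re-pin a changed key as unverified, and the sample keys are all assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption: the fingerprint is a truncated SHA-256 digest of the identity key,
# grouped for reading aloud. Signal's real safety-number format is different.
def fingerprint(identity_key: bytes) -> str:
    digest = hashlib.sha256(identity_key).hexdigest()
    return " ".join(digest[i:i + 8] for i in range(0, 40, 8))


class TofuStore:
    """Pins the first identity key seen per contact and flags later changes."""

    def __init__(self):
        self._pins = {}  # contact -> {"key": bytes, "verified": bool}

    def observe(self, contact: str, identity_key: bytes) -> str:
        pin = self._pins.get(contact)
        if pin is None:
            self._pins[contact] = {"key": identity_key, "verified": False}
            return "first-use"  # accepted without proof: this is the TOFU step
        if hmac.compare_digest(pin["key"], identity_key):
            return "verified" if pin["verified"] else "unverified"
        # Key changed: pin the new key, drop any verified status, notify the user.
        self._pins[contact] = {"key": identity_key, "verified": False}
        return "key-changed"

    def verify_out_of_band(self, contact: str, received_fingerprint: str) -> bool:
        """Mark the pin verified only on an exact match with the pinned key."""
        pin = self._pins.get(contact)
        if pin is None:
            return False
        norm = lambda s: "".join(s.split()).lower().encode()
        pin["verified"] = hmac.compare_digest(
            norm(fingerprint(pin["key"])), norm(received_fingerprint))
        return pin["verified"]


def demo():
    store = TofuStore()
    alice_key = bytes(range(32))          # constructed sample key
    substitute_key = bytes(range(1, 33))  # constructed key standing in for a changed key
    return [
        store.observe("alice", alice_key),
        store.verify_out_of_band("alice", fingerprint(alice_key).upper()),
        store.observe("alice", alice_key),
        store.observe("alice", substitute_key),
        store.verify_out_of_band("alice", fingerprint(alice_key)),
    ]
```

The last step in `demo()` shows why the comparison has to be exact: a fingerprint obtained for the old key no longer matches once the pinned key has changed, so the contact stays unverified.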
Until 2023, Android users could opt into making Signal the default SMS/MMS application, allowing them to send and receive unencrypted SMS messages in addition to the standard end-to-end encrypted Signal messages.[67] Users could then use the same application to communicate with contacts who do not have Signal.[67] As of October 2022, this feature has been deprecated due to safety and security concerns, and was removed in 2023.[124][24]
TextSecure allowed the user to set a passphrase that encrypted the local message database and the user's encryption keys.[125] This did not encrypt the user's contact database or message timestamps.[125] The Signal applications on Android and iOS can be locked with the phone's PIN, passphrase, or biometric authentication.[126] The user can define a "screen lock timeout" interval, providing an additional protection mechanism in case the phone is lost or stolen.[123][126]
Signal has a feature for scheduling messages.[127] In addition, timers may be attached to messages[128] to automatically delete the messages from both the sender's and the receivers' devices.[128] The time period for keeping the message may be between five seconds and one week,[128] and begins for each recipient once they have read their copy of the message.[129] The developers stressed that this is meant to be "a collaborative feature for conversations where all participants want to automate minimal data hygiene, not for situations where the recipient is an adversary".[128][129]
Signal's app icon can be changed to one of a variety of colour themes, and the application name can also be customized.[130] Upcoming features include hiding spoilers[131] as well as adding other users via QR code.[132]
Signal excludes users' messages from non-encrypted cloud backups by default.[133]
Signal allows users to automatically blur faces of people in photos to protect identities.[134][135]
Signal includes a cryptocurrency wallet functionality for storing, sending and receiving in-app payments.[136] Apart from certain regions and countries,[136] the feature was enabled globally in November 2021.[137] As of January 2022, the only supported payment method is MobileCoin.[136]
In February 2024, Signal added a username feature to the beta version of the app. This is a privacy feature that allows users to communicate with others without having to share their telephone number.[138][139]
Limitations
Signal requires that the user provide a telephone number for verification,[140] eliminating the need for user names or passwords and facilitating contact discovery (see below).[141] The number does not have to be the same as on the device's SIM card; it can also be a VoIP number[140] or a landline as long as the user can receive the verification code and has a separate device to set up the software. A number can only be registered on one mobile device at a time.[142] Account registration requires an iOS or Android device.[20][21]
This mandatory connection to a telephone number (a feature Signal shares with WhatsApp, KakaoTalk, and others) has been criticized as a "major issue" for privacy-conscious users who are not comfortable with giving out their private number.[141] A workaround is to use a secondary phone number.[141] The ability to choose a public, changeable username instead of sharing one's phone number is a widely requested feature.[141][143][144] This feature was added to the beta version of Signal in February 2024.[145]
Using phone numbers as identifiers may also create security risks that arise from the possibility of an attacker taking over a phone number.[141] A similar vulnerability was used to attack at least one user in August 2022, though the attack was performed via the provider of Signal's SMS services, not any user's provider.[105] The threat of this attack can be mitigated by enabling Signal's Registration Lock feature, a form of two-factor authentication that requires the user to enter a PIN to register the phone number on a new device.[146]
When linking Signal Desktop to a mobile device, the conversation history will not be synced; only new messages will be shown on Signal Desktop.[147]
Usability
In July 2016, the Internet Society published a user study that assessed the ability of Signal users to detect and deter man-in-the-middle attacks.[25] The study concluded that 21 out of 28 participants failed to correctly compare public key fingerprints in order to verify the identity of other Signal users, and that most of these users believed they had succeeded, while they had actually failed.[25] Four months later, Signal's user interface was updated to make verifying the identity of other Signal users simpler.[148]
In 2023, the French government pushed for the adoption of Olvid, a European encrypted messaging alternative to Signal and WhatsApp, as its secured platform for communications.[149]
Reception
Security
In October 2014, the Electronic Frontier Foundation (EFF) included Signal in their updated surveillance self-defense guide.[193] In November 2014, Signal received a perfect score on the EFF's secure messaging scorecard;[122] it received points for having communications encrypted in transit, having communications encrypted with keys the provider does not have access to (end-to-end encryption), making it possible for users to independently verify their correspondents' identities, having past communications secure if the keys are stolen (forward secrecy), having the code open to independent review (open source), having the security designs well-documented, and having a recent independent security audit.[122] At the time, "ChatSecure + Orbot", Pidgin (with OTR), Silent Phone, and Telegram's optional "secret chats" also received seven out of seven points on the scorecard.[122]
Former NSA contractor Edward Snowden has endorsed Signal on multiple occasions.[78] In his keynote speech at SXSW in March 2014, he praised Signal's predecessors (TextSecure and RedPhone) for their ease of use.[194][195] In December 2014, Der Spiegel leaked slides from an internal NSA presentation dating to June 2012 in which the NSA deemed Signal's encrypted voice calling component (RedPhone) on its own as a "major threat" to its mission of accessing users' private data, and when used in conjunction with other privacy tools such as Cspace, Tor, Tails, and TrueCrypt was ranked as "catastrophic" and led to a "near-total loss/lack of insight to target communications [and] presence".[196][197]
Following the 2016 Democratic National Committee email leak, it was reported by Vanity Fair that Marc Elias (the general counsel for Hillary Clinton's presidential campaign) had instructed DNC staffers to exclusively use Signal when saying anything negative about Republican presidential nominee Donald Trump.[198][199]
In March 2017, Signal was approved by the sergeant at arms of the U.S. Senate for use by senators and their staff.[200][201]
On 27 September 2019, Natalie Silvanovich, a security engineer working in Google's vulnerability research team at Project Zero, disclosed how a bug in the Android Signal client could let an attacker spy on a user without their knowledge.[202] The bug allowed an attacker to phone a target device and mute the call, after which the call would complete, keeping the audio open without the owner being aware of it (although they would still be aware of a ring and/or a vibration from the initial call).[203] The bug was fixed the same day that it was reported and patched in release 4.47.7 of the app for Android.[204]
In February 2020, the European Commission recommended that its staff use Signal.[205] Following the George Floyd protests, which began in May 2020, Signal was downloaded 121,000 times in the U.S. between 25 May and 4 June.[206] In July 2020, Signal became the most downloaded app in Hong Kong on both the Apple App Store and the Google Play Store after the passage of the Hong Kong national security law.[207]
As of January 2021, Signal is a contact method for securely providing tips to major news outlets such as The Washington Post,[208] The Guardian,[209] The New York Times,[210] and The Wall Street Journal.[211]
Candiru claims the ability to capture data from Signal Private Messenger with their spyware, at a fee of €500,000.[212]
On 9 August 2022, Ismail Sabri Yaakob, the Prime Minister of Malaysia, reported that his Signal account was "hacked" and infiltrated by a third party, sending out messages and impersonating the politician. No details were disclosed regarding the method used to gain access to the account.[213]
In-app payments
In April 2021, Signal announced the addition of a cryptocurrency wallet feature that would allow users to send and receive payments in MobileCoin.[214] This received criticism from security expert Bruce Schneier, who had previously praised the software. Schneier stated that this would bloat the client and attract unwanted attention from the authorities.[215] The wallet functionality was initially only available in certain countries, but was later enabled globally in November 2021.[137]