Signal Provides Secure Cross-Platform Replacement for WhatsApp
Apple’s iMessage technology is great for a number of reasons: it’s secure, it’s practically effortless, and the Messages app has all sorts of fun and friendly features. But iMessage has one big drawback: it’s available only on Apple devices. If you message with others who have phones not made by Apple, the default options limit you to bare-bones SMS text messaging, which is insecure. As a result, many people have resorted to alternative messaging apps that work on multiple platforms.
These days, the most popular alternatives are both owned by Facebook: Facebook Messenger and WhatsApp, which Facebook purchased in 2014. Many people dislike and distrust Facebook for its violations of personal privacy and its role in some of the modern ills of society.
Thankfully, a secure and open-source messaging alternative has been gaining in popularity lately: Signal, the Android version of which was recently installed 40 million times in a single day. I was an early adopter, so I couldn’t be more excited to see its sudden embrace by the mainstream, pushed along by worrisome (albeit overstated) changes to WhatsApp’s terms of service and a shout-out from Tesla CEO Elon Musk. (After a massive backlash from users, WhatsApp has decided to delay those changes for three months.)
Signal had a bumpy start, but it’s now a well-polished and full-featured messaging app available for the most common platforms: iOS, Mac, Android, Windows, and Linux.
Is Signal Secure?
Signal’s main selling point is its security, but is it really secure? Signal was created by cryptographer and security researcher Moxie Marlinspike (yes, it’s a pseudonym, but it’s what he uses) and is now controlled by the non-profit Signal Foundation. All Signal messages are encrypted on-device and can be decrypted only by the recipient. (If you have three hours to kill, Marlinspike recently sat down with Joe Rogan for a rare interview to discuss his motivations behind Signal.)
Every part of Signal is open source. The clients are published under the GPLv3 license, and Signal’s server code is published under the AGPLv3 license. All of Signal’s source code is available for public inspection on GitHub. I should point out that while I’m a big fan of open source and believe it makes for better security, it’s not a panacea. Unless you compile the final binary yourself, you can’t know for sure what’s in the code. That’s not to say that Signal is doing anything nefarious, just that it’s not impossible.
Signal has some heavy-hitting endorsements. NSA whistleblower Edward Snowden was an early proponent and still promotes the app. When asked if Signal could be trusted, he gave this reason: “I use it every day and I’m not dead yet.” Fair enough. (Though being under the watchful eye of the Russian government undoubtedly also helps.)
Here's a reason: I use it every day and I'm not dead yet. https://t.co/Trhgqbwdpj
— Edward Snowden (@Snowden) January 7, 2021
Signal also touts endorsements from security expert Bruce Schneier, journalist and filmmaker Laura Poitras, and Twitter CEO Jack Dorsey. If those endorsements don’t impress you, Signal has been approved for use by United States Senate staffers for secure communications.
(Speaking of Twitter, some people mistakenly believe that Twitter owns Signal, which isn’t true. In 2011, Twitter purchased Whisper Systems, a company co-founded by Moxie Marlinspike that made encrypted message and voice apps, but today’s Signal Foundation is entirely independent.)
Signal has some impressive credentials, but there are always critics. Last year, it was widely reported that Cellebrite had cracked Signal’s encryption, but that turned out to be false. Instead, Cellebrite accessed Signal messages on a phone to which it already had access.
One of the biggest criticisms of Signal is that you need a valid phone number to sign up. Whether or not you’re comfortable with that is up to you. You can use a number from Google Voice or Twilio instead, or any number of burner number apps in the App Store, though I just used my personal phone number. Signal doesn’t share the actual number with anyone—it’s just used as your account identifier behind the scenes.
Signal also requests access to your contacts (which you can deny), though the data is not linked to you. Thanks to Apple’s new privacy disclosures in the App Store, we can compare Signal’s practices to those of its competitors (see “Apple Unveils Stringent Disclosure and Opt-in Privacy Requirements for Apps,” 7 January 2021).
One of Signal’s most prominent critics is Chinese maker and YouTuber Naomi Wu, who claims that Chinese activists using Signal were arrested by the Chinese government. She has repeatedly pointed to two security vulnerabilities in Signal: the potential of compromised phone IMEIs and possible leaks from the phone’s keyboard software. To be clear, these concerns apply only to activists or people who are government-level targets.
Unfortunately, compromised IMEIs or SIM cards are a vulnerability in any service tied to your phone. Signal does mitigate this somewhat: if a contact changes their phone number, you are prompted to verify that their “safety number” is correct.
As for the keyboard issue, she advocates for Signal building in its own keyboard, which I’m not sure Apple would allow. In iOS, I would refrain from using any third-party keyboard that isn’t open-source. If you use Android, I recommend using one of the open-source keyboards over Google’s built-in keyboard.
As our security editor Rich Mogull often points out: if the government wants to get you, it will. Especially if you’re dealing with a government as driven as China’s. It’s also entirely possible that even if the software is secure, you could be ratted out by a friend. As Earl Long famously said:
Don’t write anything you can phone. Don’t phone anything you can talk. Don’t talk anything you can whisper. Don’t whisper anything you can smile. Don’t smile anything you can nod. Don’t nod anything you can wink.
Even then, Wu says Signal is still the “best choice for 99% of people,” and if more people adopt Signal, it will make its use less suspicious.
Overall, I’m confident that Signal is at least as secure as iMessage. (Bear in mind that iCloud backups include your private iMessage encryption key, which is a significant vulnerability for those concerned about government-level targeting.) Nothing is perfect, but Signal has an excellent overall track record. Plus, it’s surprisingly easy to use for the overwhelming majority of people out there who are just disgusted with Facebook but aren’t worried about eavesdropping by foreign intelligence agencies.
Signal as a Messaging App
Putting tinfoil hats aside, let’s talk about how Signal is to use as a messaging app. If you’re used to Apple’s Messages, it will look familiar, though there are a few quirks. One of those is that you have to first sign up on your iPhone before you can use Signal on a Mac or iPad. For that reason, I will mostly focus on the iPhone app.
Signal scans your contacts’ phone numbers to see if any of them use Signal, and if they do, automatically adds them to your chats list. Once that’s done, you can tap one to message that person. Otherwise, you can tap the pencil icon in the upper-right corner to see all of your Signal contacts, create a message group, look up a contact by phone number, or invite a friend to Signal through email or Messages.
I’ve found the invitations to be a little funky. The mechanism works by sending an invitation link through either the Messages app or email. I’m not quite sure how it accesses the iPhone’s contacts. When I invited my mother to Signal, it showed only her landline number, not her cell phone number. Thankfully, Messages figured it out such that the invitation went to her iPhone through iMessage instead of trying to send an SMS to a landline phone. She didn’t need much help from me, except she first tried to create her account on her iPad, which you can’t do (more on that below).
Just as in Messages, you can swipe threads in Signal to act on them. Swipe from left to right to pin a thread or mark it as unread. Swipe from right to left to delete or archive a thread.
Also like Messages, Signal has read receipts and generates link previews. (Tip: wait a second for the preview to generate after pasting in a URL before sending the message.) Previews are on by default, but you can turn them off in the Privacy settings (tap your avatar in the upper-left corner to access the settings).
In the message view, you’ll find many of the same amenities offered by Messages:
- Tapback responses: Touch and hold a message to apply an emoji response to it. Unlike Messages, which gives you just a few responses, you can attach any emoji to a message, like Slack.
- Respond to individual messages: As in iOS 14, you can respond to an individual message in a group conversation. Swipe a message from left to right to reveal an arrow, and then release. The message you’re replying to is attached to your outgoing message. This feature is handy for busy group conversations.
- Attachments: Tap the plus icon to the left of the message field to insert a photo from the camera, an animated GIF from Giphy, a file (from Files or Photos), a contact card, or a location from Maps. You can also snap a photo and insert it by tapping the camera icon to the right of the message field.
- Stickers: The little post-it note icon in the message field lets you send a sticker. Signal offers a handful of sticker packs you can download for free, and you can find others on the Internet or make your own. I don’t do stickers, so there’s not much I can say here.
- Voice messages: Just as in Messages, you can record and send voice snippets by touching and holding the microphone icon.
Signal has most of the features you want in a messaging app, but there are a few things that Messages can do that it can’t, such as allow Apple Pay Cash payments and install mini apps. But otherwise, Signal is user-friendly and feature-complete.
Signal offers a few privacy-specific features Messages lacks. By default, it blanks itself out when you pull up the app switcher so that no one can spy on your messages there. Plus, you can set messages in a conversation to disappear automatically after a given length of time. It also has a feature that automatically tries to blur faces in attached photos and lets you paint over any it missed.
Signal on the Desktop and iPad
The good news is there are native Signal apps for macOS, iPadOS, Windows, and Linux. The slight annoyance is that you must first sign up using your iPhone and then link your other devices. When you install Signal on a non-phone device, it prompts you to link it to your phone by scanning a QR code. It then takes a few minutes to sync everything.
I can’t say for sure what you’ll see next. Signal transferred all of my messages from my iPhone to my Linux machine but not to my iMac. I even unlinked and re-linked my Mac without losing the messages I had received there. On my iPad, it synced all of my open conversations but none of the messages in them. Once I had set both apps up, they remained entirely in sync.
There are some caveats to device linking. You can’t link more than five devices at a time, in addition to your phone, and you can have only one phone linked at a time. So if you carry multiple iPhones or keep an iPhone and an Android phone, you’ll have to make some choices. You can transfer all of your Signal messages from one iPhone to another, but doing so will delete all your Signal data from your original iPhone and deactivate the app.
You can activate the iPad app by either adding it as a linked device or by transferring everything from an iPhone or another iPad (again, transferring wipes the original).
Signal’s desktop apps work nearly identically to the iPhone app, except the plus icon opens a file picker instead of the options offered on the iPhone. That means you’ll have to dig up your own GIFs, but you can attach pretty much anything you want.
Signal for Phone and Video Calls
Signal supports secure voice and video calls, even group calls with up to eight participants. I participated in a 30-minute test call with Adam Engst and Michael Cohen. Adam and I were on our iPhones, while Michael used a Mac.
As expected, there were a few rough edges. Adam’s video was pixelated throughout the call, with dropped audio here and there. Signal’s iPhone app doesn’t support landscape mode for group calls (though it works in one-on-one video calls). You can’t add anyone else to the call once it’s started. Device switching is half-baked: I tried to join the call in progress on my Mac, which connected audio, but all I saw was black in the window.
There is no support for system-wide picture-in-picture, though Signal does provide its own in-app picture-in-picture. If you tap the back button in Signal’s iPhone app while in a video call, you can browse your other messages in the app. However, this isn’t an option on the desktop, as the call takes over the entire window.
Despite those minor issues, we were impressed with Signal’s performance, which was equal to or better than FaceTime. Best of all, no bouncing pictures! The feature set is basic, but it’s a serviceable alternative to FaceTime.
In the end, if you’re looking for a messaging option with superior privacy, want secure messaging with your non-Apple friends, or need something that works on various platforms, Signal is absolutely worth a try. Hopefully, Signal can keep its servers up under the demand.
Signal is experiencing technical difficulties. We are working hard to restore service as quickly as possible.
— Signal (@signalapp) January 15, 2021
What’s the source of the macOS app? Searching for “signal” in the App Store app didn’t present an obvious choice. Search turned up this Download Signal, although many might be reluctant to go this route—having it on the App Store would help. But then most people probably don’t use messaging apps on their computer. My wife, for example, goes to her phone for (i)Messages.
Any further thoughts on linking one’s Address Book?
For anybody who prefers a messenger that doesn’t need your phone number or any other personal data and also keeps its nose out of your contacts, there’s Threema. I also like that they’re not in the US (they can’t be forced to do anything based on the CLOUD act) but in fact from the same country that gave us Swiss bank accounts, and they don’t rely on any external hosting services like Amazon or Google either.
Go here, click Download for Mac.
Am I glad to use Threema. See for yourself: Messenger Comparison - Threema
The FBI recently requested user data from Signal, and Signal could provide very, very little. I continue to be impressed with this service.