
How to Use Signal Encrypted Messaging

The best end-to-end encrypted messaging app has a host of security features. Here are the ones you should care about.

Wired

In times of uncertainty, people rightly often turn to the encrypted messaging app Signal. Whether it’s to protect sensitive conversations amid social unrest or to keep your communications private after the fall of Roe v. Wade, Signal represents most people’s best way to communicate safely. And thanks in part to a $50 million infusion in 2018 from Brian Acton, the former WhatsApp CEO and current interim Signal Foundation CEO, the once niche app is more accessible than ever.

Signal’s popularity often spikes in times of strife or when alternatives seem more precarious. In May 2020, as police brutality protests swept US cities, daily Signal downloads nearly tripled from their average, according to analytics company Apptopia. It saw another surge in January 2021 after WhatsApp, which end-to-end encrypts personal chats using the Signal Protocol, botched the messaging around a privacy policy update. Apptopia now estimates Signal has more than 600 million active monthly users. All of those people can take advantage of end-to-end encryption, which means that no one—not the government, their phone company, or Signal itself—can read the contents of messages as they pass between devices.

Signal is not the only messaging app to offer end-to-end encryption; iMessage has it, as do stand-alone apps like Telegram. But Signal stands apart, both for its rich features and the fact that its code has been open source for years, meaning cryptographers have had plenty of opportunities to poke and prod it for flaws.

WIRED has long encouraged readers to adopt Signal. Here, we’re offering tips on how to get the most out of it once you do.

Updated August 2022: Signal has added a few new features since we first ran this story, which are now reflected below.

Know Its Limits

For those who are new to encrypted messaging, the most important thing to remember is that it’s not magic. Having Signal on your phone does not make you invincible. Nearly 2,000 users found that out the hard way this month. Signal uses communications firm Twilio to verify users’ phone numbers and send out device registration codes via SMS messages. So when attackers successfully breached Twilio through a recent phishing campaign, they were able to access those SMS codes for some 1,900 Signal accounts and potentially register a victim’s phone number with their own device.

Signal says all affected users “can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected.” But the attackers were able to take over at least one account and pose as that person on Signal. It’s a potent reminder that even an app that’s designed around security can have weak spots.

Most importantly, remember that if you’re messaging with someone who doesn’t have Signal installed, nothing’s encrypted. It only works for Signal-to-Signal communications. And make sure you have a strong password on your phone in the first place, since anyone who has physical access to your device can still read your messages.

Signal also has a desktop app, which should be plenty secure for the vast majority of people; just be aware that desktop environments face a litany of threats. And using Signal on multiple devices means more places your messages can be compromised or stolen.

Get Set Up Safely

When you join, Signal requires you to provide a phone number that essentially serves as your user name. This doesn’t mean you have to use your actual phone number, though. To avoid giving it up, use a Google Voice number instead.

To do so, head to Google Voice in your browser, log in with a Google account, and select a new phone number. Google will ask you to verify it by providing your actual phone number, where it’ll send a code that will let you complete your registration. You can now use that Google Voice number for your Signal account, keeping it separate from your main line. (Heads up: If you don’t place a call or receive a single text to your Google Voice number every six months, Google will reclaim that number. If that happens, you can get it back within 45 days. So make sure to shoot your Google Voice number a text at least once every few months.)

You should feel comfortable letting Signal access your device’s contacts; it stores that information on your phone, not in the cloud. The app does periodically send truncated, hashed phone numbers back to Signal’s servers, which is how it checks if any of your contacts are also using it, but the company also says it discards that information “immediately.” That way, the app can alert you when one of your contacts signs up for Signal; if you’d rather not get those updates, tap Settings, then Notifications, and toggle off Contact Joined Signal.
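The contact matching described above, sketched as an added example (not Signal's code and not from the original article). The SHA-256 hash, the 10-byte truncation, the number normalization, and all class and function names are assumptions for illustration; the 555 numbers are constructed.

```python
import hashlib
import re

HASH_BYTES = 10  # assumed truncation length, chosen for illustration


def normalize(number: str, default_cc: str = "1") -> str:
    """Reduce a dialled number to +<country><subscriber> so both sides hash the same string."""
    digits = re.sub(r"\D", "", number)
    if number.strip().startswith("+"):
        return "+" + digits
    if len(digits) == 10:  # national format without country code (assumed default)
        return "+" + default_cc + digits
    return "+" + digits


def token(number: str) -> bytes:
    """Truncated hash that leaves the device in place of the raw number."""
    return hashlib.sha256(normalize(number).encode()).digest()[:HASH_BYTES]


class DiscoveryServer:
    """Hypothetical server: holds tokens of registered users only."""

    def __init__(self, registered):
        self._tokens = {token(n) for n in registered}

    def lookup(self, tokens):
        # Answer from the request alone; nothing from it is stored afterwards.
        return [t for t in tokens if t in self._tokens]


def discover(address_book: dict, server: DiscoveryServer) -> list:
    """Return names of registered contacts; names and raw numbers stay on the device."""
    by_token = {token(num): name for name, num in address_book.items()}
    hits = server.lookup(list(by_token))
    return sorted(by_token[t] for t in hits)


# Constructed sample data (fictional 555 numbers).
SERVER = DiscoveryServer(["+12025550143", "+12025550187"])
ADDRESS_BOOK = {
    "Alice": "(202) 555-0143",
    "Bob": "+1 202 555 0199",
    "Carol": "1-202-555-0187",
}

if __name__ == "__main__":
    print(discover(ADDRESS_BOOK, SERVER))
```

Phone numbers come from a small, enumerable space, so a truncated hash keeps them out of plain view but is not anonymization on its own; the privacy property depends on the server discarding the request, as the company says it does.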

(Note: Android users can access Signal’s Settings menu either by tapping their profile icon or selecting the menu under the three dots in the upper-right corner, then tapping Settings. iOS users will need to tap their profile icon and then Settings to access the full menu.)

On Android, you can make Signal your default messaging app by going to Settings > Apps & notifications > Advanced > Default Apps > SMS app, and picking Signal. Just remember that not everyone you text has it installed and that an iOS user you’re texting with might check their Signal app less often than they do iMessage. (iOS still doesn’t let you change the default messaging app, sorry!)

One of the most critical settings to enable is profile PINs, which will make it easier for you to keep your account data even when you transfer devices and to protect your contact lists, profile information, settings, and more. You can set one up when you join or head to Privacy > Signal PIN in your app settings to set or change yours anytime. The introduction of PINs was controversial among cryptography hard-liners, who questioned whether the so-called Secure Value Recovery they were tied to introduced potential vulnerabilities. It didn’t help that Signal had at first made the PINs mandatory. You can opt out now by going to the Create PIN screen and tapping Select more, then Disable PIN. Just remember that if you do so, you won’t be able to bring your contacts with you to a new device, and sensitive account information may be more vulnerable.

Lastly, once you have your PIN set up, enable Registration Lock by going to Settings > Account and toggling on Registration Lock. With this feature enabled, attackers won’t be able to take over your account and register it to a new device in the way they did through the Twilio hack mentioned above.

Protect Your Screen

It’s important to make sure that what happens in Signal stays in Signal. This means keeping people from seeing what you’re doing there from a lock screen or when switching apps. There’s not much point in having an app for sensitive messages if they just pop up on your display whenever you receive one.

To turn off Signal lock screen notifications on iOS, go to your phone’s Settings > Notifications, then scroll down and tap Signal > Show Previews > Never. On Android, the process is similar. From your home screen, head to Settings, then Apps & Notifications, where you can turn off all notifications. If you need more granular control, you can find that in the Signal app itself, where the steps are the same no matter what platform you’re on. Tap your profile, then Notifications, then Show, where you can choose whether to display the name, content, and actions for an incoming text; just the name; or nothing at all. You can also mute notifications for a specific conversation for a set amount of time by tapping on a message thread, then the contact header, and then Mute. You can silence a contact’s notifications for an hour, a day, a week, or a year.

If you’re on Android and want to enable Signal notifications, you may want to disable smart replies by going to Settings > Apps & Notifications > Notifications > Advanced and making sure “Suggested actions and replies” are turned off. Google says it keeps smart replies private by processing them locally on your device, but the safest bet is to limit Signal’s interactions with the rest of the operating system.

Signal also has a Screen Lock feature that requires your password—or FaceID or TouchID, whatever you use to get into your phone—to view the app’s contents. Within the Signal app on either platform, tap your profile, then Privacy, then toggle the Screen Lock option to on. Android gives you a little more granularity, with a Screen Lock Inactivity Timeout option that lets you set the feature to kick in after a certain amount of time.

You’ll also want to enable Screen Security, which keeps Signal contents from showing up in your app switcher. On Android, select your profile, then Privacy, and switch on Screen Security. If you use iOS, go to your profile, tap Settings > Privacy, and enable Hide Screen in App Switcher.

Make Messages Disappear

While you can always delete messages manually along the way, that action only applies to your own phone. The people you’re chatting with still have it on their devices. To ensure that the conversation is deleted on both ends of a thread, you should embrace “disappearing messages” instead.

Signal now allows you to enable disappearing messages on all new chats by default, which we highly recommend. Go to Settings > Privacy > Default Timer for New Chats, and select the length of time you want your messages to disappear by default. You can choose preset options ranging from 30 seconds to four weeks, or set whatever custom time you like. Note that enabling this setting only applies to new chats and won’t override the settings for chats you were in before turning it on.

You can also tweak your disappearing message settings for individual chats. From within a chat, tap on the name of your contact. Toggle over Disappearing Messages and set the amount of time you want them to be live before they vanish. A timer icon will show up in your thread; either of you can change the disappearing time by tapping on it and adjusting it as needed. That’s also how you can disable disappearing messages altogether within a particular chat.

It’s a handy feature, but a quick reminder that people can still screenshot your conversations to keep a record, so don’t assume they’re gone forever—especially if you don’t trust whoever’s on the other end of the line.

Place an Encrypted Call

Signal’s not just for messages; you can make end-to-end encrypted voice and video calls from the app as well. To do so, just tap the pencil icon within the app like you would to start a chat. Pick a contact, then select either the video icon or phone icon, depending on which type of call you’d like to make.

Signal also now allows group video calls. If you already have a group created, tap on the chat, then select the video icon. If you want to create a new group, select the pencil icon > New Group, select the contacts you’d like to include, and tap Next. Give your group a name, and hit Create. Then tap the video icon.

An important note here: If you do make calls from Signal on iOS, make sure to first head to Privacy within the app and toggle off Show Calls in Recents. Otherwise, your Signal call history will sync with iCloud, creating an unnecessary record of your conversation. And if you’re extra cautious, go to Settings > Privacy and toggle on Always Relay Calls; that’ll route your calls through Signal’s servers and hide your IP address in the process.

Send Photos and Videos

As with other messaging apps, you can use Signal to send photos and videos—with a privacy-friendly media feature that sets it apart.

First things first: If you take a photo from within Signal—just tap the camera icon either from your contact list or within a chat—it doesn’t automatically save to your camera roll, which means it doesn’t get backed up to your cloud photo library. That’s good! The fewer ways you can accidentally leave a trail, the better. If you want to keep an image for posterity, you can tap the save icon in the upper right corner. Otherwise, just send it and move on.

You can also make sure that your photo and video don’t stay on the recipient’s device long. Before you hit send, note the infinity icon next to the chat bubble. That means the media you’re about to share can be viewed indefinitely. Tap it once, though, and it’ll switch to a 1x, meaning that the photo or video will disappear from the conversation as soon as it’s been viewed. A record will remain in the thread that media was shared, but the image itself will no longer be visible.

Extra Measures

This list is not 100 percent comprehensive. Some features are too minor to mention; others are intended for niche use cases. But there are a few other stray tips that might be helpful to know as you get used to using Signal.

Read Receipts: Some people feel strongly about these! If you’re one of them, head to Settings > Privacy and toggle them off when you’re in the app.

Stickers: As part of its long-term quest to find broad appeal, Signal recently added a limited selection of stickers to liven up your secret chats. (Incorporating them required some tricky encryption itself.) Just tap the sticker icon in the chat compose window to peruse your options.

Emoji Reactions: Similarly, Signal finally expanded its emoji reaction options in June 2020. From seven basic choices, the app broadened the palette to a full range of faces, animals, foods, buildings, and yes, smiling poop. To add a reaction, just hold down on the response, then tap the three horizontal dots to access the full keyboard.

Block Party: Block! Block! Block! Block! To shut down unwanted conversations, either tap on the user’s name from within a chat and toggle over Block This User, or strike preemptively by tapping your profile icon, then Privacy > Blocked > Add Blocked User, and then the party you don’t want to hear from.

Message Requests: As of August 2020, you can also approve or block other Signal users when they first reach out to you, without their knowing that you’ve seen their incoming message or call. If you do block someone, they won’t get any indication other than remaining in limbo. And the feature also blocks strangers from adding you to group chats, a popular spammer tactic. It’s similar to what you’ve likely already experienced in Facebook Messenger or Twitter direct messages and will be increasingly useful as Signal’s user base expands.

Private Type: On Android, third-party keyboard apps can retain a record of what you type and swipe; not ideal when you’re trying to send private messages. Under Privacy, go ahead and toggle on Incognito Keyboard to keep them in the dark.

Change your number: If you get a new phone number or want to change the number you use with your Signal account, the app now allows you to do so without losing everything. The feature doesn’t work in all situations or with every version of the app or operating system, so check the details here.

That should be enough to get you started! Just remember, as you get used to the advanced settings and figure out what combination of disappearing messages and screen locking works for you, that you’ve already taken the most important step of all: downloading Signal in the first place.
