Is Signal secure?

Over the past year, the privacy of communication apps like WhatsApp was brought into focus after the company Pegasus was able to hack phones over WhatsApp using what was called a “zero-day exploit”.

Signal, contrary to WhatsApp, is an app that provides enhanced security and privacy features, and comes highly recommended by security experts. While I understand that no app is secure from a zero-day exploit, can hacks of one’s phone through, say, WhatsApp or some other app be used to obtain details of conversations that happened over Signal? Does Signal have any measures that provide (partial) security against such hacks?

Does it make sense (even to some degree) to use Signal on devices which may use other apps which have a higher susceptibility to being hacked?

Does it make sense (even to some degree) to use Signal on devices which may use other apps which have a higher susceptibility to being hacked?

You don’t provide enough information for us to determine if it makes sense. It depends on your threat model, it’s different for everyone & you cannot protect against everything.

At any given point of time, as an application Signal is much more secure than many other existing solutions. And it has a project lead/founder with strong opinions, which is true in too many Free Software projects, including the Linux kernel.

Going back to the original question, @alyosha you have to do your own threat modelling, and think about your daily digital security practices. In general, it is much easier (and cheaper) to attack the phone than attacking or trying to break an app like Signal.

4 Likes

Interesting article about how Signal is trying to offer features like emojis to appeal to the masses without compromising on security but some users want the choice to opt-out to avoid risk: https://www.wired.com/story/signal-encrypted-messaging-features-mainstream/

4 Likes

Kushal, the comparison with the Linux kernel is not correct in this situation. For an app that depends on a server to operate, focusing on the code that runs on your phone alone is insufficient. What option do you have if you don’t like any current or future policy of Open Whisper Systems/Moxie? You have to live with it or lose contact with every other Signal user (the network that you built over time). You will have to take everyone in your network, even if you choose to operate your own Signal server. Matrix or XMPP gives you a choice to move out without losing your contacts; even when you change your service provider, you can still talk to every other contact you collected over time.

2 Likes

Yes, just like many other pieces of software which I used to use, I will move to something else if required.

The point is, it is much harder to move since you have to consider your entire network here, unlike software that you run only on your machine. It is not just your choice. You either lose your network or take the effort to move your entire network to the new service. If you still don’t see the problem, I rest my case.

1 Like

But you will also have to move all your contacts to the other service. Compared to something like Matrix where if you don’t like the server maintainer then you can run your own & still participate in channels or talk to contacts without moving your whole network.

For me this is not a case of who maintains the server or not. My threat model is different than many of the folks here, and in my use case Signal is a better choice than anything else available.

I get the point about moving the whole network, but I look at security/privacy as the primary reason to use Signal, rather than being able to chat with others on that same system.

I see, I was just trying to explain @praveen’s point, not commenting on your use case.

1 Like

Understood, and thank you and @praveen for this discussion. I hope it will be helpful for others.

I agree with @pilgrim and @praveen and disagree with @kushaldas.
The phone number verification and lack of a decentralized approach make the Signal app obviously insecure.
XMPP and Matrix IRC are way better.
Also, there are some new blockchain-based apps being developed.
Check The MOST Private Messaging Apps

Best of luck and stay safe.

4 Likes