In order to maximize the security of your most sensitive conversations, which may be subject to misinterpretation by employers, surveillance by governments, or exploitation by hackers seeking to steal your identity, consider implementing the following security measures:
Signal is a popular messaging app available on both iOS and Android devices, providing easy-to-use communication that encrypts messages so that only the sender and intended recipient can read them. Additionally, Signal has open source code, which enables users to inspect it to verify security. You can download Signal from the Android Play Store or the iPhone App Store.
However, when it comes to your most sensitive conversations, such as those that could be misconstrued by employers or intercepted by governments, it’s important to implement additional steps to maximize security. These steps will be discussed in detail and in order of importance below, allowing you to tailor your usage to your specific needs.
Securing Your Phone: Tips for Enhanced Protection
While Signal’s end-to-end encryption provides secure communication, it’s important to remember that it only protects your conversations from being intercepted during transmission. If someone gains physical access to your phone, they can easily open the Signal app and read through your messages, bypassing encryption.
Therefore, to ensure maximum security, it’s essential to take additional precautions to protect your phone, such as setting up a strong passcode or biometric authentication, enabling two-factor authentication, and avoiding downloading apps from unknown sources. Taking these steps will help to safeguard your personal information and sensitive conversations from unauthorized access.
If you’re using Android:
Set up screen lock, which requires you to draw a pattern, type a numeric PIN, or type a password to unlock your phone. You can do this from the Settings app under Security > “Screen lock.” Try to make it random, and avoid using anything obvious such as birthdates. Don’t tell anyone how to unlock your phone unless you’re OK with them reading all of your encrypted messages.
Encrypt your phone’s storage. A screen lock is not much use if a thief can copy your phone’s data to a different device. Encrypting the flash memory on your phone blocks such an attack by scrambling your data so that it can only be unlocked using the same pattern, PIN, or password used to unlock your phone. You can do this from the Settings app under Security > “Encrypt phone.” Note that you need to have a full battery before Android lets you encrypt your phone, and you may have to wait up to an hour while your phone is encrypting.
Install all updates promptly. Updates fix security bugs, so every day you haven’t installed them is a day you’re vulnerable to attack. You can check for Android updates by opening the Settings app, and under System tap “About phone” > “System updates.” You should also update all of your apps from the Play Store promptly.
If you’re using an iPhone:
Set a strong passcode. iPhones automatically have encrypted storage, but this encryption only protects your data if you lock your device with a passcode. Everyone should use at least a six-digit passcode, and you should up that to 11 digits if you’re concerned that your phone might fall into the hands of a powerful attacker like a government. Avoid using anything obvious such as birthdates. I wrote about this in detail in February — skip to the bottom of that article for instructions on changing your passcode, and for considerations about using Touch ID.
Install updates promptly. Updates fix security bugs, so every day you haven’t installed them is a day you’re vulnerable to attack. You can check for iPhone updates in the Settings app under General > Software Update. You should also update all of your apps in the App Store app under the Updates tab.
Securing Signal: How to Hide Messages on Your Lock Screen
Signal’s encryption is only as strong as its weakest link, and if incoming messages are displayed on your phone’s lock screen, unauthorized individuals may be able to view them, regardless of Signal’s powerful encryption. This is particularly concerning if your phone is regularly in close proximity to other people who shouldn’t be privy to your Signal conversations, such as coworkers, roommates, or airport security officials.
By default, Signal displays messages on the lock screen, but it’s crucial to change this setting to prevent unauthorized access to your conversations. By doing so, you can ensure that only you can access and read your Signal messages, even if someone else temporarily gains access to your phone.
Here’s how to lock down your Signal notifications.
If you’re using Android:
Open the Settings app, and under “Device” > “Sound & notification” select “When device is locked.”
The options are “Show all notification content,” “Hide sensitive notification content,” or “Don’t show notifications at all.” I recommend you choose “Hide sensitive notification content” — this way you’ll still be notified when you get a Signal message, but you’ll have to unlock your phone to see who it’s from and what it says.
If you’re using an iPhone:
Open the Signal app and click the gear icon in the top-left to get to Signal’s settings. Under “Notifications” > “Background Notifications,” tap “Show.”
The options are “Sender name & message,” “Sender name only,” or “No name or message.” I recommend you choose “No name or message” — this way you’ll still be notified when you get a Signal message, but you’ll have to unlock your phone to see who it’s from and what it says.
To completely remove Signal notifications from your iPhone’s lock screen, open the Settings app, tap “Notifications,” scroll down to the list of apps, and tap Signal. From here you can turn off “Show on Lock Screen.”
Maintaining Secure Communication: Verifying Your Chat Contacts in Signal
I said earlier that Signal ensures your communications stay private when it is properly used. Using Signal properly involves verifying that your communications are not subject to a “man-in-the-middle attack.”
A man-in-the-middle attack is where two parties (Romeo and Juliet, for example) think they’re speaking directly to each other, but instead, Romeo is speaking to an attacker, Juliet is speaking to the same attacker, and the attacker is connecting the two, spying on everything along the way. In order to fully safeguard your communications, you have to take extra steps to verify that you’re encrypting directly to your friends and not to impostors.
Most messaging apps don’t provide any way to do this sort of verification. Signal provides two: one for verifying voice calls and one for verifying text conversations.
Verify Your Phone Contacts
It’s easy to verify the security of phone calls on Signal, but you have to verify every call.
For each call, the Signal app displays two words on the callers’ phone screens. In the screen shot below, for example, each screen shows the words “shamrock paragon.” Juliet and Romeo read these words to one another; if the words are the same, and they recognize one another’s voices, the call is secure. If the words are different, someone is attacking the encryption in the call and you should hang up and try calling again, but this time from a different internet connection.
It’s not required, but a popular convention is for the receiver to answer the phone by reading the first word, as in, “Shamrock?” and for the caller to respond with the second word, as in, “Paragon.”
Securing Communication through Math: Understanding Signal’s Verification Process
Although it may seem like magic, Signal’s verification process is based on well-understood cryptographic mathematics. When a Signal user initiates a call with another user, the two apps establish a shared secret that a third party cannot recover, even if they are monitoring the exchange.
This shared secret is then used to generate a two-word authentication string that is the same on both users’ apps. As long as the two apps hold the same shared secret, the authentication string will also be the same; if someone has inserted themselves into the exchange, each side ends up with a different secret, and the words no longer match.
This lets users confirm that they are communicating with the intended party, rather than an impostor or attacker. By understanding the mathematics behind Signal’s verification process, users can have greater confidence in the security of their communications.
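To make the “same secret, same words” idea concrete, here is an added toy simulation; it is not Signal’s code, and it uses a deliberately tiny Diffie-Hellman group, fixed private exponents and a constructed 16-word list purely for illustration. Honest peers derive the same two words, while an interceptor relaying between them leaves each side with a different secret, so the words no longer match even though the interceptor can read both legs.

```python
import hashlib

# Toy Diffie-Hellman group: p = 2*509 + 1 is a safe prime and g = 4 generates
# the subgroup of prime order 509.  Constructed for illustration only; a real
# exchange uses a group thousands of bits wide and random private values.
P, G = 1019, 4

# Constructed 16-word list; a real short-authentication-string list is larger.
WORDS = ["shamrock", "paragon", "anchor", "beacon", "cobalt", "dagger",
         "ember", "falcon", "garnet", "harbor", "island", "jasper",
         "kestrel", "lantern", "meadow", "nectar"]

def public_value(private: int) -> int:
    return pow(G, private, P)

def shared_secret(their_public: int, my_private: int) -> int:
    return pow(their_public, my_private, P)

def sas(secret: int) -> str:
    """Two words chosen by the first two bytes of a hash of the shared secret."""
    digest = hashlib.sha256(secret.to_bytes(2, "big")).digest()
    return f"{WORDS[digest[0] % len(WORDS)]} {WORDS[digest[1] % len(WORDS)]}"

def honest_call(romeo_priv: int, juliet_priv: int):
    """Romeo and Juliet exchange public values directly with each other."""
    s_romeo = shared_secret(public_value(juliet_priv), romeo_priv)
    s_juliet = shared_secret(public_value(romeo_priv), juliet_priv)
    return s_romeo, s_juliet

def intercepted_call(romeo_priv, juliet_priv, mallory_priv_r, mallory_priv_j):
    """Mallory runs one exchange with Romeo and a separate one with Juliet, so
    each of them unknowingly shares a secret with Mallory, not with each other."""
    s_romeo = shared_secret(public_value(mallory_priv_r), romeo_priv)
    s_juliet = shared_secret(public_value(mallory_priv_j), juliet_priv)
    m_with_romeo = shared_secret(public_value(romeo_priv), mallory_priv_r)
    m_with_juliet = shared_secret(public_value(juliet_priv), mallory_priv_j)
    return s_romeo, s_juliet, m_with_romeo, m_with_juliet

if __name__ == "__main__":
    r, j = honest_call(2, 3)
    print("direct call :", sas(r), "|", sas(j))        # identical words
    r, j, mr, mj = intercepted_call(2, 3, 5, 7)
    print("intercepted :", sas(r), "|", sas(j))        # words (almost always) differ
    print("Mallory shares a secret with each side:", mr == r and mj == j)
```

Reading the words aloud works because the interceptor cannot make two different secrets hash to the same words except by luck, and a two-word string leaves little room for that.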
Verify Your Text Contacts
It’s more complicated to verify the security of Signal text chats, but once you’ve verified a text chat correspondent, you won’t have to re-verify them again until they get a new phone or re-install Signal.
Each person you text with in Signal has something called an identity key. When Juliet sends Romeo a message for the first time, her Signal app downloads a copy of his identity key and stores it on her phone, and vice versa. So long as these identity keys are valid — the key that Juliet has stored for Romeo is actually Romeo’s real key and not some attacker’s key — then the messages they send to each other are secure.
Because it’s unlikely that anyone is trying to attack your encrypted messages the very first time you send a contact a message, Signal automatically trusts the identity key that it downloads. This makes Signal easy to use: All you need to do to have an encrypted conversation is send someone a message, and that’s it. But if you discuss anything sensitive, you still might want to confirm.
To verify the identity key, you first navigate to the verification screen.
If you’re using Android:
Open the Signal app and tap on a conversation to open it
Tap the contact’s name and phone number at the top of the screen
Tap “Verify identity”
If you’re using an iPhone:
Open the Signal app and tap on a conversation to open it
Long-press the contact’s name at the top of the screen until the verification screen appears
Next, you want to confirm you have the correct identity key for your contact. You can do this either by scanning “QR codes,” which work similarly to the bar codes used to ring up groceries, or by comparing “fingerprints,” which are 66-character blocks of text.
Verifying a Text Contact in Person
If you’re able to meet up in person, here’s how you verify identity keys using QR codes:
If you’re using Android:
To be verified, tap the barcode icon in the top-right of the verification screen and select “Display your QR code” (you may be prompted to install the Barcode Scanner app the first time you do this; it is safe to install).
To verify someone else, tap the barcode icon on the verification screen and choose “Scan contact’s QR code,” and then point your camera at the contact’s QR code.
If you’re using an iPhone:
To be verified, tap the QR code icon on the verification screen.
To verify someone else, tap the camera icon on the verification screen, and then point the iPhone camera at the person’s QR code.
When you successfully verify a contact, Signal should pop up a message that says, “Verified!”
Verifying a Text Contact Remotely
If you can’t meet up in person, you can still verify that you have the right identity key by comparing fingerprints — however, it’s kind of annoying.
You need to share your fingerprint with your contact using some out-of-band communication channel — that is, don’t share it in a Signal message. Instead, share it in a Facebook message, Twitter direct message, email, or phone call. You could also choose to share it using some other encrypted messaging app, such as WhatsApp or iMessage. (If you’re feeling paranoid, a phone call is a good option; it would be challenging for an attacker to pretend to be your contact if you recognize their voice.)
Once your contact gets your fingerprint, they need to navigate to the verification screen and compare, character by character, what you sent them with what they see. If they match, your conversation is secure.
Your contact should share their fingerprint with you in the same way, and you should confirm that what they sent you matches what’s on your verification screen as well.
If you’re using Android, unfortunately there’s no way to copy your own fingerprint to your phone’s clipboard to paste into another app. If you want to share it using another app on your phone, you’ll have to manually type it.
If you’re using an iPhone, you can copy your own fingerprint to your phone’s clipboard like this: Open the Signal app and click the gear icon in the top-left to get to Signal’s settings. Tap Privacy, then tap Fingerprint.
Verifying a Text Contact Who Gets a New Phone
From time to time, you might see a warning in a Signal conversation that says “Identity key changed. Tap to verify new key.” This can only mean one of two things:
1. Your Signal contact switched to a new installation of Signal, most likely because they bought a new phone, or
2. An attacker is trying to insert themselves into your Signal conversations.
The latter is less likely, but the only way to rule it out completely is to again go through one of the verification processes for text contacts described above.
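The trust model described in the identity-key and “Identity key changed” sections above, as an added, hypothetical simulation rather than Signal’s own code: the client trusts the first key it sees for a contact, stays “verified” only while that stored key is unchanged, warns the moment a different key arrives, and treats an out-of-band fingerprint comparison as the way back to the verified state. The fingerprint format and key bytes are constructed for the example.

```python
import hashlib
import hmac

# Hypothetical model of how a messaging client remembers contacts' identity
# keys.  Not Signal's code: the fingerprint format and strings are constructed
# to mirror the behaviour described in the text.

def fingerprint(identity_key: bytes) -> str:
    """Hex digest of the key, grouped so it can be compared by eye or read aloud."""
    digest = hashlib.sha256(identity_key).hexdigest()[:32]
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))

class IdentityStore:
    def __init__(self):
        self.keys = {}          # contact -> identity key seen first
        self.verified = set()   # contacts whose stored key was confirmed out of band

    def on_message(self, contact: str, identity_key: bytes) -> str:
        stored = self.keys.get(contact)
        if stored is None:
            # Trust-on-first-use: the first key is accepted without a warning.
            self.keys[contact] = identity_key
            return "trusted (first use)"
        if hmac.compare_digest(stored, identity_key):
            return "verified" if contact in self.verified else "unverified"
        # Key changed: a new phone or reinstall, or an interception attempt.
        # Either way the old verification no longer means anything.
        self.keys[contact] = identity_key
        self.verified.discard(contact)
        return "Identity key changed. Tap to verify new key."

    def verify_by_fingerprint(self, contact: str, received: str) -> bool:
        """Compare the fingerprint received out of band with the stored key's."""
        ok = hmac.compare_digest(fingerprint(self.keys[contact]), received)
        if ok:
            self.verified.add(contact)
        return ok

def demo() -> list:
    """Juliet's view of Romeo across a first contact, a verification, a key change."""
    juliet = IdentityStore()
    romeo_key = bytes(range(32))              # constructed identity key
    log = [juliet.on_message("romeo", romeo_key)]
    juliet.verify_by_fingerprint("romeo", fingerprint(romeo_key))   # compared by phone
    log.append(juliet.on_message("romeo", romeo_key))
    new_key = bytes(range(32, 64))            # Romeo's new phone, or an attacker
    log.append(juliet.on_message("romeo", new_key))
    log.append(juliet.on_message("romeo", new_key))   # warning gone, but unverified
    return log
```

Note that after the change the conversation simply continues as “unverified”; only a fresh fingerprint or QR comparison distinguishes a new phone from an interception.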
Securing Your Signal Conversation History: Archiving and Deleting Messages
Signal prides itself on its privacy and security features, which include the fact that messages are only stored on the devices of the sender and recipient, and not on any servers or in the cloud. However, it’s still a good idea to delete sensitive conversations once you no longer need them.
Signal also offers the option to archive conversations that you want to keep but don’t want cluttering up your inbox. To archive a conversation, simply swipe it to the right, and it will be moved to an “archived conversations” list.
Deleting messages or conversations on Signal may vary depending on your phone’s operating system. However, a common method is to long-press on the message or conversation you want to delete, which will bring up a menu with the option to delete. Once you confirm the deletion, the message or conversation will be permanently removed from your device.
By regularly archiving or deleting your Signal conversations, you can maintain an organized inbox and ensure that sensitive information is not needlessly stored on your device.
Here are the steps to delete Signal messages and conversations on Android and iPhone:
Android: To delete a message on Android, open the conversation and long-press the message you want to delete. This will highlight the message and give you the option to delete it. To delete a conversation, long-press it in your inbox and select “Delete.”
iPhone: To delete a message on iPhone, open the conversation and long-press the message you want to delete. This will bring up a menu with the option to “Delete.” To delete a conversation, swipe left on it in your inbox and select “Delete.”
It’s important to note that deleting messages on Signal is permanent. Once a message is deleted, it cannot be recovered. If both you and the other party delete the message, it will be completely erased from both devices.
By being proactive about deleting old or sensitive messages and conversations, you can enhance the security of your communications on Signal.