How does Signal work, and why are people claiming it's not secure?


The encrypted messaging app has been subject to public criticism. But why? And how does it work?

When is a messaging app not secure? A recent campaign to malign the Signal messaging app suggests that it’s when certain individuals in high-profile positions tell enough people that your service isn’t all it’s cracked up to be.

Signal, which celebrates a decade of existence in July this year, has long been the first choice for people wanting to communicate securely. But in recent weeks, it has been subject to criticism from a number of quarters, with both individuals and companies alleging that the app is not protecting users’ information.


The allegations are ones that the company and its CEO, Meredith Whittaker, deny. “We use cryptography to keep data out of the hands of everyone but those it’s meant for (this includes protecting it from us),” she wrote in a statement.

“The Signal Protocol is the gold standard in the industry for a reason – it’s been hammered and attacked for over a decade, and it continues to stand the test of time.”

Where has the criticism come from?

Much of the debate around Signal has been concentrated among a few outspoken voices.

Pavel Durov, the CEO of rival messaging app Telegram, has been one of the most vocal critics of what Signal offers users. He claims that “an alarming number of important people I’ve spoken to remarked that their ‘private’ Signal messages had been exploited against them in US courts or media.”

But Durov – who has a reason to criticise Signal, given he runs a competing service – is far from alone.

“Telegram has launched a pretty intense campaign to malign Signal as insecure, with assistance from Elon Musk,” Matthew Green, a cryptography researcher at Johns Hopkins University, wrote on X earlier this week.

“The goal seems to be to get activists to switch away from encrypted Signal to mostly unencrypted Telegram.”


Green was puzzled by this push because his research, and that of others who have scrutinised Signal’s code base, which is available under an open-source licence, has shown that Signal appears more secure than Telegram.

“Telegram, by contrast, does not end-to-end encrypt conversations by default. Unless you manually start an encrypted ‘Secret Chat,’ all of your data is visible on the Telegram server,” Green wrote.

Signal is different, Green noted: “Signal Protocol, the cryptography behind Signal (also used in WhatsApp and several other messengers), is open source and has been intensively reviewed by cryptographers. When it comes to cryptography, this is pretty much the gold standard.”

How does Signal work?

Signal, along with a handful of other apps including WhatsApp and Skype, uses the Signal Protocol to encrypt messages sent between its tens of millions of users.

The protocol ensures that only the users involved in a conversation can read the contents of the messages sent – even the app itself cannot. Each session generates a unique session key that is used only for that session, so if one session key is compromised, other sessions are not affected.
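The key isolation described above rests on a one-way key chain: each step derives a fresh key and throws the previous one away, so a key stolen later cannot be run backwards to recover earlier ones. The following is an added, simplified symmetric-key ratchet written for this article (not Signal’s own code; HMAC-SHA256 stands in for the protocol’s key-derivation chain, and the constructed `root` key is a placeholder) that models an attacker stealing the chain key mid-conversation.

```python
import hmac
import hashlib


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way key derivation step (HMAC-SHA256). Given the output, the
    input key cannot be recovered, which is what makes the chain one-way."""
    return hmac.new(key, label, hashlib.sha256).digest()


class SymmetricRatchet:
    """Hash-chain ratchet: each step yields a fresh message key, advances
    the chain key, and discards the old chain key (it is never kept)."""

    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key

    def next_message_key(self) -> bytes:
        message_key = kdf(self.chain_key, b"message")
        self.chain_key = kdf(self.chain_key, b"chain")  # old chain key is gone
        return message_key


def derive_keys(root: bytes, n: int) -> list:
    """All n message keys a legitimate party derives from the root key."""
    ratchet = SymmetricRatchet(root)
    return [ratchet.next_message_key() for _ in range(n)]


def keys_exposed_by_compromise(root: bytes, step: int, n: int) -> set:
    """Model an attacker who steals the chain key after `step` messages.
    They can run the ratchet forward, but because each step is one-way the
    keys for messages before `step` are never produced."""
    victim = SymmetricRatchet(root)
    for _ in range(step):
        victim.next_message_key()
    stolen = SymmetricRatchet(victim.chain_key)  # attacker's copy of state
    return {stolen.next_message_key() for _ in range(n - step)}


def forward_secrecy_holds(root: bytes, step: int, n: int) -> bool:
    """True when past keys are safe from the compromise. Future keys ARE
    exposed here: healing them is the job of the Double Ratchet's separate
    Diffie-Hellman step, which this simplified model leaves out."""
    all_keys = derive_keys(root, n)
    exposed = keys_exposed_by_compromise(root, step, n)
    past, future = set(all_keys[:step]), set(all_keys[step:])
    return past.isdisjoint(exposed) and future == exposed
```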

The most recent formal analyses of the protocol identified no known issues, and the vulnerabilities found in a 2017 study were quickly patched.

Is Signal safe?

So, is the criticism of Signal warranted? Third-party analysis suggests not.

“Signal is the only app that has taken steps to hide users’ profiles, contacts, group metadata, and even message sender information,” concluded researchers from Tech Policy Press. In a recent report, they analyzed how a raft of messaging services handled user privacy between September 2022 and May 2023.


In fact, the researchers concluded that other developers should follow Signal’s example of best practice in protecting users’ data.

Perhaps most telling is Green’s conclusion in one of his tweets: “Pavel Durov, the CEO of Telegram, has recently been making a big conspiracy push to promote Telegram as more secure than Signal. This is like promoting ketchup as better for your car than synthetic motor oil.”