Have you ever ordered something over the phone, like pizza, and recounted your credit card information to the cashier rep? Have you ever texted something personal to a friend or family member that you wouldn’t want to tell others, let alone everyone you see on the street? When you send these unencrypted messages, do you ever even give a second thought to the possibility of somebody eavesdropping? I mean, we see surveillance spy vans in the movies all the time, and often hear about related issues in the news from people like (former NSA contractor) Edward Snowden. We never think it could happen to us.
Governments, spy agencies, police, and even hobbyists can easily listen in on you without a warrant, let alone your knowledge. There are devices available on the market (and even resources online to learn about making something similar) that can listen in on most, if not all, of our mobile conversations. I have even personally used a device similar to this. It should also be well known that the encryption used to communicate between cell towers is not trustworthy, as spy agencies in the UK & USA have previously stolen SIM encryption keys from the largest SIM card manufacturer in the world, allowing them virtually unlimited access to any cellular data anywhere. These tools and methods are not limited to eavesdropping, though; they can also be used to extract files from your phone (including call logs, photos, contact lists, and notes), geolocate you (including your altitude/floor), and even retrieve deleted texts.
So in other words, if you want any guarantee of your privacy, you need to take your own steps to ensure your communications are encrypted by your own doing. Enter Signal: the most secure, publicly available, calling and messaging service available right now to everyone.
What is Signal?
Signal is an app made by the nonprofit Open Whisper Systems (OWS), based out of San Francisco, California. On iOS and as a Google Chrome desktop app, Signal works like any other Internet messaging app: as a user, you can send attachments and place calls through it. On Android it gets even better. Since you can set default apps, you have the option to configure Signal as your default SMS app, which will upgrade your SMS texts to Signal messages. This is similar to what BlackBerry does with BBM on their devices and Apple’s iMessage does on iOS. TextSecure used to send encrypted messages via the SMS protocol, but in its latest incarnation as Signal, it simply uses data like iMessage does.
On Android, RedPhone used to exist as a dialer with similar functionality for calls, but the calling functionality has now been rolled into the existing Signal app and RedPhone has been discontinued. What makes it different than all the other messaging services out there is this: it is completely end-to-end encrypted, meaning that the company that makes the app, your cell carrier, government, etc. likely cannot read or listen to any of your conversations without forcing their way past your key or finding an exploit within the service itself. All of the code is open source so that security experts are able to continuously offer feedback on its implementation quality.
Why is it Better?
Used by Edward Snowden himself, Signal has been lauded by security experts as the best consumer messaging platform available. Signal also uses something called forward security, which means each time you send a new message, your key changes, such that even if someone did manage to get ahold of your keys, they wouldn’t be able to read any previous messages. Further, during a phone call, it displays two secret words that will only match if your connection has not, against all odds, been intercepted for eavesdropping by a man-in-the-middle attack. You can also confirm this by reading out your keys to each other, which is surprisingly not a common feature in most messaging apps billing themselves as secure.
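The "key changes with every message" property described above (usually called forward secrecy) can be illustrated with a one-way key chain. This is an added sketch, not Signal's actual protocol or code: the HMAC labels, the `Ratchet` class and the shared secret are assumptions made for the demonstration.

```python
import hashlib
import hmac

def kdf_step(chain_key: bytes):
    """One ratchet step: return (message_key, next_chain_key)."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return message_key, next_chain_key

class Ratchet:
    """Holds only the current chain key; each step overwrites the old one."""
    def __init__(self, shared_secret: bytes):
        self.chain_key = hashlib.sha256(b"demo-chain" + shared_secret).digest()

    def next_message_key(self) -> bytes:
        message_key, self.chain_key = kdf_step(self.chain_key)
        return message_key

def keys_reachable_from(chain_key: bytes, steps: int) -> set:
    """Every message key a holder of `chain_key` can derive going forward."""
    reachable = set()
    for _ in range(steps):
        message_key, chain_key = kdf_step(chain_key)
        reachable.add(message_key)
    return reachable

def demo() -> dict:
    secret = b"constructed shared secret for the demo"  # constructed sample value
    alice, bob = Ratchet(secret), Ratchet(secret)
    sent = [alice.next_message_key() for _ in range(3)]
    received = [bob.next_message_key() for _ in range(3)]
    # The device is compromised here: the attacker copies the current state.
    stolen = alice.chain_key
    future_key = alice.next_message_key()
    reachable = keys_reachable_from(stolen, 1000)
    return {
        "in_sync": sent == received,          # both ends derive the same keys
        "keys_unique": len(set(sent)) == 3,   # a new key for every message
        "past_exposed": any(k in reachable for k in sent),
        "future_exposed": future_key in reachable,
    }

if __name__ == "__main__":
    print(demo())
```

The stolen state cannot be run backwards to the three earlier message keys, but a bare hash chain like this one still exposes later keys until fresh key material is mixed in.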
The Electronic Frontier Foundation (EFF), founded in 1990, is the leading nonprofit organization in the world that defends digital rights and civil liberties. In late 2014, they released (and have been updating) a Secure Messaging Scorecard, which helps visualize how safe and secure more than three dozen messaging services really are. The list includes favorites that you may have been led to believe are the safest option through excellent marketing, like Snapchat, BBM, WhatsApp, iMessage/Facetime, Skype, Facebook, Hangouts and more.
Of the six companies that managed to get all seven security checks validated, Signal is the only one that also has all of the following:
- Permanently free
- Completely open source (easily allows anyone to confirm security claims)
- App available on major mobile operating systems
- Doesn’t require additional tools or changes to default settings
All the other five companies are missing one or more of the above features. In other words, Signal is the only app designed for mass market adoption, where when you download it and use it, it just works.
For the most part, a messaging app is only as valuable as the number of contacts on the platform. So if you want to have private, secure conversations with the people you normally talk with on your phone, you need to also get them to use Signal. Knowing my privacy is in check, I personally use it as my main messenger. Although I’m not engaging in any sort of illegal activity, there are still some things that are frankly nobody’s business but yours and the person you are talking with.
As one particular security researcher pointed out, while Signal is arguably the best app out there, like most things Signal is not perfectly secure. Although the contents of your message are secure, the metadata, usually referred to by these other companies as “non-identifying information”, could be extracted from OWS by a government via a warrant (or not), and definitely can identify more about you than you might guess.
You should also be aware of any other computing device with a camera/mic that has granted access to a less private service, especially for these Orwellian “always listening” services like Hey Siri, Ok Google, Hey Cortana, Alphabet’s Nest Cam, Microsoft’s Xbox Kinect, PlayStation Eye, etc. This also includes devices with mics/cameras that can be hacked remotely, such as any nearby VoIP phones, or that are compromised through a hardware bug or implanted software, such as a compromised iPhone, which could still be recording when it appears to be off.
At one point, BlackBerry used to be the most secure mobile messaging platform available to users and even had a good chance of becoming SMS 2.0, in which at least text messages could have been more secure than they are now, but even that was recently used to locate Mexican fugitive El Chapo. The great thing is that other apps will always be created to try and out-secure the next; the new MegaChat seems like it may have a chance to join these ranks. But, for now, we’ll need to wait a little longer to know better.
About Ian Strasser
Ian is an Electrical Engineering student from the University of Waterloo. When he isn’t in school, Ian works on various electrical and software projects.