How to use Signal in a more privacy-friendly way

Signal is one of the most secure messengers available, making it practically impossible for server operators or other men-in-the-middle to decrypt your conversations, learn about your group memberships or spy on you in another way.

However, some people raise privacy concerns because Signal requires an arbitrary phone number for registration. This time, we show you how to use Signal in an even more privacy-friendly way.

Contents

  1. Setup
  2. Configuration
  3. Operation
  4. Conclusions
  5. Sources

Setup

First of all, the Signal client is available for Android or iPhone.¹ You may have concerns about using your (insecure) phone to run Signal. However, you can install Android in a VM (e.g. VirtualBox), download the Signal APK from signal.org and install Signal in this virtual environment. Of course, this renders some features of Signal useless, since the VM can’t simulate all the hardware in your phone.

On the other hand, the absence of most of a phone’s sensors and chips, combined with stricter control over your VM, is more secure than using an unpatched and outdated Android device.

We installed Signal 4.18.3 on Android x86, using Oracle’s VirtualBox. As we showed you before, there is no need to let Signal access your contacts, and you don’t have to register your cellphone number in order to use it. Our freshly installed Android x86 didn’t contain any contacts, and we only permitted Signal to access our storage.

But, but, but … What about the arbitrary phone number? You can either …

  • buy a SIM card in a country that doesn’t require you to disclose your identity and only use it once to register Signal (for the paranoid: use a burner phone during this registration process!) or
  • register a VoIP number and only use it once to register Signal or
  • use one of the many free online services that let you receive SMS for free (for the paranoid: access their websites via Tor Browser).

We successfully registered Canadian and Russian phone numbers during multiple tests. Furthermore, we accessed the SMS service via the Tor Browser, which makes it impossible to link our real IP address to the usage of the virtual phone number.

Registration is fairly simple: enter the virtual phone number in Signal, wait for a six-digit code (via SMS), enter it, done. Stop! What about others who can also access these free services? They could try to re-register your virtual phone number … After registration, go to “Settings” → “Privacy” → “Registration Lock PIN” and set a PIN (up to 16 digits, representing 10^16 combinations or about 53 bits of entropy). After your PIN is set, Signal will ask you at fixed intervals to enter it again, to help you memorize it.

¹Yes, there is also Signal Desktop but you need to connect it with a mobile Signal client!
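The entropy figure given above for the Registration Lock PIN (10^16 combinations, about 53 bits) follows from the formula entropy = length × log2(alphabet size). The following Python snippet is an added example, not code from the original article or from the Signal project: it computes the combinations and entropy bits for several PIN lengths (generalizing the single 16-digit case in the text) and generates a uniformly random numeric PIN with the operating system’s CSPRNG, which is the right source for a PIN you intend to memorize rather than guessable patterns such as dates. The PIN length values and the function names are choices made for this example.

```python
import math
import secrets
import string

# The page states the Registration Lock PIN is numeric with up to 16 digits.
DIGITS = string.digits


def pin_entropy_bits(length: int, alphabet_size: int = len(DIGITS)) -> float:
    """Entropy in bits of a PIN of `length` symbols chosen uniformly at random
    from an alphabet of `alphabet_size` symbols, i.e. log2(alphabet_size ** length)."""
    if length < 1 or alphabet_size < 2:
        raise ValueError("length must be >= 1 and alphabet_size >= 2")
    return length * math.log2(alphabet_size)


def pin_combinations(length: int, alphabet_size: int = len(DIGITS)) -> int:
    """Number of distinct PINs of the given length (the size of the search space)."""
    if length < 1 or alphabet_size < 2:
        raise ValueError("length must be >= 1 and alphabet_size >= 2")
    return alphabet_size ** length


def generate_pin(length: int = 16) -> str:
    """Generate a numeric PIN using the OS cryptographic RNG (secrets module),
    so every digit is independent and uniformly distributed."""
    if length < 1:
        raise ValueError("length must be >= 1")
    return "".join(secrets.choice(DIGITS) for _ in range(length))


def entropy_table(lengths=(4, 6, 8, 12, 16)) -> dict:
    """Map each PIN length to (combinations, entropy bits rounded to 2 places)."""
    return {n: (pin_combinations(n), round(pin_entropy_bits(n), 2)) for n in lengths}


if __name__ == "__main__":
    for n, (combos, bits) in entropy_table().items():
        print(f"{n:2d} digits: {combos:>20,d} combinations, {bits:6.2f} bits")
    # A fresh 16-digit PIN; the value is constructed at runtime, not from the page.
    print("example 16-digit PIN:", generate_pin(16))
```

Running the script shows why the maximum length is worth using: a 4-digit PIN offers only about 13 bits, whereas the full 16 digits reach the roughly 53 bits mentioned above.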

Configuration

You have installed Signal and set your Registration Lock PIN. However, Signal can be configured to be even more secure and privacy-friendly:

  • Picture and name: (You don’t have to set this!) If you use this feature, this information is encrypted and will be sent to new contacts when you contact them for the first time. When you enter groups, you have to manually confirm that you want to show this information to others. Signal servers don’t learn your picture or name.
  • SMS and MMS: Signal can be used as the default app for SMS and MMS. We recommend not using Signal for this purpose, because Signal dropped SMS encryption and SMS produces tons of metadata. (Instead, you can use Silence, which is a fork of Signal’s former SMS encryption feature.) There is also a risk of getting confused and accidentally sending an unencrypted SMS to a Signal contact (of course, Signal shows a visual indication that the conversation isn’t secure).
  • Privacy: We recommend to
    • set screen lock (locks Signal using your Android screen lock or fingerprint)
    • set screen security (screenshots will be blocked)
    • set incognito keyboard (avoids that your keyboard app stores your conversations due to personalization)
    • deactivate receipts (so others can’t see if you read their messages)
  • Disappearing messages: Signal allows you to set disappearing message timers per contact/group. The timer starts immediately after a message has been sent (on the sender’s side) or after a message has been read (on the recipient’s side).

Signal doesn’t disclose your online status by default (your contacts can’t see whether you are online at the moment or when you were last online). However, Signal shows one check mark when your message has been sent to a Signal server and two check marks when the message has been delivered to the recipient’s device. If receipts are enabled, the check marks turn blue after the recipient opens the conversation.

Operation

After setup and configuration, you can use Signal in day-to-day life. However, you should …

  • verify all of your contacts to avoid man-in-the-middle attacks (open a conversation with one of your contacts → tap the menu icon → open “Conversation settings” → open “View safety number”). Use an external channel (not Signal!) when you compare your safety numbers and ensure that you are really talking to your contact (not to a man-in-the-middle).
  • keep in mind that your Registration Lock PIN expires after 7 days of inactivity. “Inactivity” means that no Signal client of this account is connected to the internet. This timer is reset immediately when your Signal client connects to the Signal servers.
  • never forget that there is no 100% security. For instance, if somebody infects your device with malware, they could easily read all of your messages and wiretap your Signal calls. Enforced end-to-end encryption only ensures that the connection between your device and the recipient’s device is secure.

Conclusions

Signal is already very secure and privacy-friendly by default, but you can improve on this with a strict configuration and a phone number that can’t be linked to your real identity. You don’t need a phone or SIM card to use Signal, and Signal doesn’t need access to your contacts!

We will update this guide after Signal has rolled out its new “sealed sender” feature.

Sources