In my last article of this series, we reviewed Threema,  one of the messengers I personally love and use daily, as part of a  series of articles about messaging services available today.

Over  the next two weeks, we will write reviews about the best options for you  and your cellphone examining their startup, evolution, compatibility,  security, and versatility, and we will take a look at their key  features, ease of use, and overall performance.

The subject of our attention today is Signal.

Beginning  life as a startup company called Whisper Systems, security researcher  Moxie Marlinspike and roboticist Stuart Anderson created TextSecure and  RedPhone in 2010. Whisper Systems was acquired by Twitter in November of  2011 "primarily so that Mr. Marlinspike (Moxie) could help the  then-startup improve its security".

TextSecure was subsequently  released by Twitter as a free, open-source software in December 2011,  followed by RedPhone in July 2012, both under the GPLv3 license. In  order to continue the development of TextSecure and RedPhone as a  collaborative open-source project, Marlinspike later left Twitter.

I  was an early adopter of both RedPhone and TextSecure, the latter being a  full replacement for my SMS app as it could send and receive standard  SMS. If the other side had TextSecure installed, the messages were free  and encrypted over the TextSecure servers. It was easy to operate and an  easy sell for every Android user to install. This app worked!

RedPhone,  on the other hand, was choppy, and I couldn't persuade anyone to drop  Skype or other calling services. It simply didn't work as well. At least  not whenever I tried it.

Fast forward now to today's version:

March  2015 marked the launch of Signal, unifying RedPhone and TextSecure in a  single iOS app. At this stage, if the SMS app was removed, this meant  that all communication had to go Signal-to-Signal user, or  Signal-to-TextSecure user, or vice versa. An Android version followed  shortly after.

Signal was the first true end-to-end encrypted chat  and calling software on iOS which was also compatible with Android. The  iOS version was amazing and fully open-source.

There are some aspects of Signal which I disliked, but some of those might just be my paranoid tinfoil hat thinking.

The  first issue which raised a small red flag was funding. The project has  received financial support from, among others, the Freedom of the Press Foundation, the Knight Foundation, the Shuttleworth Foundation, and the Open Technology Fund. The last one is a U.S. government program which has also funded other privacy projects such as the anonymity software Tor and the encrypted instant messaging application Cryptocat.

I  understand that if you are a non-profit organisation and you're offered something which is free and open-source, you take what you can get in  terms of funding. Still, I just always feel uncomfortable when I read  about U.S. Government funding. On the other hand, Edward Snowden has  stated that we can trust everything from Open Whisper Systems (and he  would know!). With this type of endorsement, I will, therefore, let the  funding issue slide.

The next thing is the use of a cellphone  number to sign up. You don't sign up with a username (you can set one up  afterwards though), PIN, email address or anything else, but with your  cellphone number. In other words, we have the same problem here as we have with WhatsApp and Telegram:  your login is your telephone number (not great!). Now, since Signal is  open-source and can be seen and verified by everyone, this cellphone  issue wouldn't appear to be a setback; however, whilst all messages are  fully encrypted, I still dislike this aspect of Signal.

You could  make the point that this ensures that if someone has my cellphone number  and wants to text you, all they need to do is become a Signal user and  hit send. That is true, and I think you can see the issue  there. However, if someone joins Signal and is already in your address  book, Signal will notify you that this new user has joined. This latter  point is a good and much appreciated feature.

However, at the end  of all this, the most important factor to know is still that Signal is  one of the better options around as messages are not stored permanently on the servers, but are deleted once they have been delivered.

Now that we got that out of the way, let's look at how Signal has changed and been improved over the years.

One major plus now is that you can now download Signal without Google Play Service or the PlayStore. Simply go to

Sure,  that doesn't help when it comes to iOS, and the same issues exist with Threema and others, but not much can be done within the covered gardens  of Apple :-)

However, if you run an off-the-shelf Android phone,  you will love Signal. Simply download it from the PlayStore or the app  on the link given above, and I am sure you will love it on iOS as well  (in fairness).

Signal offers individual and group chats, with no  member details stored on Signal servers, crystal clear phone calls, and  even video chats. This last option is not offered at present by Threema.

Signal  uses Curve25519, AES-256, and HMAC-SHA256 as their encryption algorithms. The best part of all this is that it happens on your phone. The entire encryption is done on your phone, and Signal has no key to or  knowledge about any of your communication. Signal allows sending of  high-quality group messages, text, pictures, and video messages and  retains none of it.

In addition, Signal does have one privacy  feature that you don't usually see with a messaging app: an option to  "enable screen security."

You can block contacts, however, you  cannot block all users who you don't have stored in your address book.  This feature would be greatly appreciated.

Typing indicator and  delivery reports can be switched off. Unlike Threema, when you switch  them off, you can't see the delivery report of the other end, so it's a  bit of a double-edged sword. Messages can be set to disappear at any  interval from 1 hour to 1 week, a feature we really love. And the  message would be deleted on both devices, a great extra privacy feature.

When  it comes to Metadata, Signal is doing a great job as well. The Signal  service is designed to minimise the data retained about Signal users, so  the only information Signal can produce in response to a government or  law enforcement request are the date and time a user registered with  Signal and the last date of a user's connectivity to the Signal service.

Signal  servers don't store their users' contacts (such as the contacts  themselves, a hash of the contacts, or  any other derivative contact  information), groups (such as how many groups a user is in, which groups  a user is in, the membership lists of a user's groups), or any records  of with whom a user has been communicating.

Another incredibly  unique and useful development has been an internal encryption feature  called Sealed Sender. Basically, this provides for a system of sender  certificates and delivery tokens to encrypt the sender's contact information. The best analogy (and the one Signal themselves use) is to  imagine being able to eliminate the 'from' address written on the  outside of a conventional letter or package, thereby ensuring the  sender's anonymity. For a fuller explanation and way more technical  detail, check out

Signal  also now offers a great feature with its desktop app, allowing you  to link your cellphone to an actual desktop app. This works on Linux as  well as on Mac and Windows.

A new security feature is screenshot  protection. Usually when you switch apps a screenshot is taken and some  users prefer not to have this stored on their device. There is a  no-screenshot option which is turned off by default, adding to the secure cross-platform communication ability.

Other additional security features are best described by Signal themselves:

"The  Axolotl ratchet in Signal is the most advanced cryptographic ratchet available. Axolotl ensures that new AES keys are used for every single  message, and it provides Signal with both forward secrecy and future  secrecy properties. The Signal protocol also features enhanced  deniability properties that improve on those provided by OTR, except  unlike OTR all of these features work well in an asynchronous mobile  environment."

One killer feature is calling. Here, Signal have really nailed it with the quality of the encrypted call being crystal clear. I've never had a call drop or experienced a choppy connection.  The same goes for video calls. The quality of this option of  coursedepends on your internet speed, but if you have a stable connection, the video is matching that of FaceTime on iOS. Interestingly enough, Moxie's services were needed to create WhatsApp and Facebook messengers (as well as a few others), with their end-to-end encryption  using parts of the Signal set-up.

The sad part here is that these  messengers, unlike Signal, are not open source and owned by one of the  biggest data miners in the world. Don't get me started, I will dissect  WhatsApp and Facebook soon enough.

If you are using iOS or  Android, Signal is hard to beat, it's a killer app when it comes to  privacy. The chat and group chat features are working just as advertised  and it's pure end-to-end, own-device encrypted. With a call and even  video function which is second to none, Signal is a pretty cool  messaging option.

We monitored the network traffic of the  application, and Signal is connecting only to org.thoughtcrime.securesms  (signals servers). There are no analytics or other connections  listening to your device.

The only concern we have on that score  is the usage of your telephone number. This is something everyone needs  to decide by themselves as to whether you like to use it that way or  not. Perhaps Signal can be your replacement for all your actual work  contacts as they would have your telephone number anyway? Combine it  with a chat application what hides these, say Threema, Riot, or even Status, and you have great all-round privacy on your phone.

Snowden is a big fan of Signal. That should give us all a lot of confidence. And, of course, Signal is fully open source, which is absolutely great!

Share this post