Updated on: September 2, 2024
Signal is one of the most secure and privacy-friendly messaging apps on the market, so I definitely recommend using it over its more popular competitors.
In this article, I outline why that is and all of the ways in which Signal protects your data. I also take a look at who owns the company and what data they collect about you, examine past security incidents, and show you how to set up the app, among other things.
If you want (or need) to be extra careful, I recommend using Signal with a VPN for an additional layer of privacy and security. My favorite VPN in 2024 is ExpressVPN because it has fast speeds and it’s secure and easy to use. Editors' Note: ExpressVPN and this site are in the same ownership group.
What Is Signal & Who Owns It?
Signal is a secure messaging app where you can send and receive text, photos, videos, files, and more, and take part in group chats. The app is available on all major platforms, including Android, iOS, Windows, and macOS, and is 100% free.
It’s owned by the Signal Technology Foundation, a non-profit organization. The company is funded by this foundation and by donations, which helps it maintain independence and prioritize user privacy over profit.
The Signal Technology Foundation was founded by Moxie Marlinspike and Brian Acton.
Brian Acton is a co-founder of WhatsApp who left the project when he came into conflict with Facebook (WhatsApp’s parent company), whose executives wanted to begin targeting ads at users and selling business analytics tools.
Moxie Marlinspike is a well-known cryptographer and security researcher who helped develop the Signal protocol, a form of end-to-end encryption (E2EE) that’s since been adopted by other messaging apps like WhatsApp, Facebook Messenger, and Skype.
How Does Signal Protect Your Privacy?
End-to-End Encryption (E2EE)
Signal uses end-to-end encryption to keep your messages private. This means that Signal scrambles all of your conversations so that they become unreadable to everyone except the intended recipient. The “end-to-end” part of the encryption denotes how the data is encrypted on one end and isn’t decrypted until it reaches the other end, so that not even Signal’s servers (the middleman that helps transmit your data) are able to see what you’re sending.
The encryption leverages several sophisticated security techniques. Signal uses the Double Ratchet Algorithm, which changes security keys with each message, and prekeys, which help set up secure chats even when both parties are not online.
Additionally, Signal uses a triple-step encryption process with elliptic-curve cryptography to establish secure encryption keys between the sender and recipient. This involves Curve25519 for generating key pairs, AES-256 for encrypting message content, and HMAC-SHA256 for verifying the integrity and authenticity of messages.
E2EE is enabled for all conversations automatically, which is really good — you can’t ever accidentally leak sensitive information because you forgot to turn E2EE on. Some messaging apps, like Telegram, require you to turn the feature on by starting a Secret Chat or similar.
Additionally, Signal’s E2EE works for everything, including text messages, pictures, files, group chats, and voice and video calls.
Quantum-Resistant Encryption
Signal has future-proofed its encryption against quantum computers, which could eventually pose a threat to the public-key cryptography commonly used today. Quantum computers, unlike traditional ones, can potentially crack encryption algorithms quickly due to their ability to process vast amounts of data simultaneously. This ability makes current cryptographic methods vulnerable.
The company took into consideration that some post-quantum cryptosystems have proven vulnerable to attacks by a classical computer, so rather than replacing Signal’s existing elliptic curve cryptography, it has simply augmented it with the CRYSTALS-Kyber key encapsulation mechanism, so that any attacker that wants to access a user’s communications must break both systems.
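The two ideas described above (a session secret that depends on both the elliptic-curve and the Kyber exchange, and a ratchet that changes the key with each message) can be illustrated with the Python standard library alone. This is an added sketch, not Signal's code: the two shared secrets and the ciphertexts are constructed stand-ins, the names `hybrid_root_key` and `ChainRatchet` are hypothetical, the AES-256 step is omitted, and only the symmetric half of the Double Ratchet is shown.

```python
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with an all-zero salt: extract, then expand."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_root_key(ecc_secret: bytes, pq_secret: bytes) -> bytes:
    """One root key from both secrets: an attacker needs both to recompute it."""
    return hkdf_sha256(ecc_secret + pq_secret, b"example hybrid root key")


class ChainRatchet:
    """Symmetric-key ratchet: each step yields a fresh message key and
    overwrites the chain key, so earlier message keys cannot be recomputed."""

    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key

    def next_message_key(self) -> bytes:
        message_key = hmac.new(self.chain_key, b"\x01", hashlib.sha256).digest()
        self.chain_key = hmac.new(self.chain_key, b"\x02", hashlib.sha256).digest()
        return message_key


def tag(message_key: bytes, ciphertext: bytes) -> bytes:
    """HMAC-SHA256 tag over the ciphertext (simplified: the message key is the MAC key)."""
    return hmac.new(message_key, ciphertext, hashlib.sha256).digest()


def verify(message_key: bytes, ciphertext: bytes, received_tag: bytes) -> bool:
    return hmac.compare_digest(tag(message_key, ciphertext), received_tag)


def demo():
    # Constructed stand-ins for the Curve25519 and Kyber shared secrets.
    ecc_secret = hashlib.sha256(b"constructed curve25519 secret").digest()
    pq_secret = hashlib.sha256(b"constructed kyber secret").digest()
    root = hybrid_root_key(ecc_secret, pq_secret)
    sender, receiver = ChainRatchet(root), ChainRatchet(root)
    results = []
    # Constructed byte strings standing in for AES-256 ciphertexts.
    for body in (b"ciphertext-1", b"ciphertext-2", b"ciphertext-3"):
        key_s = sender.next_message_key()
        t = tag(key_s, body)
        key_r = receiver.next_message_key()
        results.append((key_s, verify(key_r, body, t), verify(key_r, body + b"!", t)))
    return results


if __name__ == "__main__":
    for key, ok, tampered_ok in demo():
        print(key.hex()[:16], "valid:", ok, "tampered accepted:", tampered_ok)
```

Each message gets a different key, the receiver's chain stays in step with the sender's, and a ciphertext altered in transit fails the HMAC check.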
Open Source
Signal is one of the few messaging apps that’s completely open source, which means that anyone can go online and take a look at the code used to build and run it.
This transparency is really important for a few reasons. First of all, it means that experts and developers around the world can check the app’s code to ensure that it’s secure and doesn’t have hidden flaws or ways for others to spy on your messages.
By making its code available to all, Signal also builds trust among users. When Signal tells you that your messages are end-to-end encrypted, you can believe it because it’s something that can be easily verified. In contrast, if a closed-source messaging app were to tell you the same thing, you could only take them at their word because there’s no way for you to check if it’s true or not.
The open-source nature of Signal also allows developers and security experts to contribute to its continuous improvement. This collective scrutiny helps ensure that the app remains secure and free from hidden backdoors, allowing for faster identification and fixes of any potential vulnerabilities.
Third-Party Audits
Signal has undergone multiple security audits by independent third parties, both formal and informal. This means that various components of Signal have been examined by third-party cybersecurity experts and hobbyists to see if there are any vulnerabilities. Most of these audit reports are freely available online, and any issues raised by them were quickly addressed.
Transparency Reports
Signal discloses all legal requests it receives for user data on its website. In each transparency report, you can find out what information the government requested from Signal and how the company handled this request. Signal actually posts the PDF of each subpoena they receive and the response they send back to the government. The response is always some variant of how Signal is unable to comply with the request because they don’t possess any of the user data being requested.
Safety Numbers
This feature helps you verify the identity of the person you’re chatting with. Here’s how it works: when you start a new chat with someone, both of you get a unique Safety Number for that conversation. You can compare these numbers at any time to make sure they match. If the numbers are the same on both your device and your friend’s device, it means there is no tampering or interception in your conversation. You can check the number by meeting in person or by another secure method.
Extra tip: Once you mark someone’s safety number as verified, Signal will warn you if your contact’s safety number changes. This may happen if they get a new phone or re-install Signal. But it may also indicate suspicious activity if it happens frequently or unexpectedly.
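The comparison works because each side can compute the number independently from the two identity keys in the conversation. The following is an added sketch of that idea, not Signal's implementation: the iteration count, the digit encoding, the identifiers and the keys are all assumptions or constructed values chosen for illustration.

```python
import hashlib

ITERATIONS = 5200  # assumption of this sketch: slows down fingerprint collisions


def fingerprint(identity_key: bytes, identifier: bytes) -> str:
    """Iterated SHA-512 over key and identifier, rendered as 30 decimal digits."""
    digest = b"\x00\x00" + identity_key + identifier
    for _ in range(ITERATIONS):
        digest = hashlib.sha512(digest + identity_key).digest()
    chunks = (digest[i:i + 5] for i in range(0, 30, 5))
    return "".join(f"{int.from_bytes(c, 'big') % 100000:05d}" for c in chunks)


def safety_number(my_key: bytes, my_id: bytes, their_key: bytes, their_id: bytes) -> str:
    """Sorting the two halves makes the result identical on both devices."""
    halves = sorted([fingerprint(my_key, my_id), fingerprint(their_key, their_id)])
    return halves[0] + halves[1]


def format_number(number: str) -> str:
    """Group the digits in fives so two people can read them aloud."""
    return " ".join(number[i:i + 5] for i in range(0, len(number), 5))


def contact_status(verified_number: str, current_number: str) -> str:
    """What a client can report once a number has been marked as verified."""
    return "verified" if verified_number == current_number else "changed"


# Constructed identity keys and identifiers (not real Signal values).
ALICE_KEY = hashlib.sha256(b"constructed alice identity key").digest()
BOB_KEY = hashlib.sha256(b"constructed bob identity key").digest()
BOB_NEW_KEY = hashlib.sha256(b"constructed key after reinstall").digest()
ALICE_ID, BOB_ID = b"alice-example-id", b"bob-example-id"

if __name__ == "__main__":
    on_alice = safety_number(ALICE_KEY, ALICE_ID, BOB_KEY, BOB_ID)
    on_bob = safety_number(BOB_KEY, BOB_ID, ALICE_KEY, ALICE_ID)
    print(format_number(on_alice), on_alice == on_bob)
    after = safety_number(ALICE_KEY, ALICE_ID, BOB_NEW_KEY, BOB_ID)
    print(contact_status(on_alice, after))
```

A different key on the other end, whether from a reinstall or from someone relaying the conversation with their own key, produces a different number, which is what triggers the warning.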
Call Forwarding
When turned on, all of your calls will be relayed through Signal’s servers. This way, the person you’re calling only sees the IP address of Signal’s servers and not your personal IP address, which can reveal your geographical location or, worse, be used to compromise your network and device’s security.
Do note though that this may negatively impact your call quality as your data has to travel further, from your device to Signal’s servers and then to your contact, so there may be delays or reductions in call clarity.
Disappearing Messages
The Disappearing Messages feature deletes sent and received messages after a set amount of time. You can adjust how long it waits before deleting the message, from 1 second up to 59 weeks. This option is useful because it makes sure personal or confidential conversations don’t remain accessible indefinitely and minimizes potential data breaches and unauthorized access.
Note that this won’t stop someone from copying your message or taking a screenshot of it before it disappears. But it does prevent your entire chat history from falling into someone’s hands if they happen to gain access to your phone. It’s also a great way to keep your conversation history clean.
View-Once Media
You can set the screenshots, photos, or videos you send so that they can only be viewed once. You can’t view them yourself after sending them, and the receiver can only open them once before they’re deleted. This is a great feature if you need to send sensitive media and don’t want it to remain on record. Please keep in mind though that View-Once Media doesn’t prevent the recipient from taking a screenshot or otherwise recording what you send them.
Registration Lock
Registration Lock prevents anyone from registering your phone number with Signal without your Signal PIN. This means that even if an attacker were to get ahold of your phone number, they wouldn’t be able to re-register Signal on a device that they own and impersonate you by sending and receiving Signal messages from your phone number.
Screen Security
Screen Security stops the app switcher on your phone from showing a preview of the Signal app, so someone sitting next to you or looking over your shoulder won’t see any sensitive information when you switch to another app.
On Android phones, this feature also prevents your device from taking screenshots of the Signal app. This means you can’t compromise your own privacy by taking accidental screenshots, and any spyware that might be on your device can’t do so either. Note that this doesn’t prevent malware like keyloggers from recording what you type on the Signal app, so it’s still a good idea to get a reliable antivirus for your Android or iOS phone.
Screen Lock
Screen Lock makes it so that you can’t access the Signal app without first unlocking it. This feature uses the same security measure you have in place for unlocking your phone, which could be a PIN number, a passphrase, or biometric authentication.
It’s a convenient feature if you ever need to lend someone your phone but don’t want to risk them peeking at your Signal conversations. You can set a Screen Lock Timeout (how long it takes before Signal locks itself after an unlock). And on Android phones, you can manually lock Signal.
What Data Does Signal Collect?
Signal collects very little information. It can’t access messages that you send and calls that you make because of end-to-end encryption.
Its Privacy Policy says it can only access information that you provide. Notably, this includes your phone number, which is required for registration (it’s basically your “username”). But it doesn’t include your profile name or picture — this information is also end-to-end encrypted.
You can optionally allow Signal to check if any contacts in your address book also use the app. But any information collected and transmitted from the contacts on your device is cryptographically hashed (meaning Signal can’t see the original information).
If you contact support, they may request personal information from you to help resolve the issue and communicate with you.
Finally, Signal stores some technical information, such as randomly generated authentication tokens, keys, push tokens, and other material that’s required for the app to function.
Signal vs. Other Messaging Apps
Signal is, by far, the best messaging app for privacy and security, but it has a much smaller user base, so it may be more difficult for you to connect to your friends, family, and colleagues. It also doesn’t have as many features as its competitors.
Signal, WhatsApp, Facebook Messenger, iMessage, and Telegram all offer end-to-end encryption (E2EE), which means that nobody, including the company itself, can see your chats. And all of them except Telegram have E2EE enabled by default, so all of your chats are automatically secured.
But only Signal and Telegram are open-source, which means anyone can inspect their code for vulnerabilities. Signal is also available on all major platforms, unlike iMessage, which is only available on iOS or Mac devices.
Where Signal really stands out though is its commitment to privacy. As it’s owned by a non-profit organization (the Signal Foundation), it has little motive to collect or share user data with third parties. In fact, Signal logs almost no information about you beyond what is strictly necessary to operate its services. Compare this to WhatsApp and Facebook Messenger, which collect and share inordinate amounts of data about you, including your phone number, device ID, user identifiers, location, transaction data, product interaction, and more.
You may also appreciate that there are no ads, trackers, or affiliate marketers on Signal at all.
Additionally, Signal has a very clean record. Some user accounts were compromised during an attack in 2022, but it was actually one of Signal’s service providers that was breached and not Signal itself, no user data was leaked, and the whole incident was entirely preventable if the users had enabled Signal’s Registration Lock security feature. In contrast, Meta (formerly Facebook), which owns WhatsApp and Facebook Messenger, has a checkered history of privacy violations and security issues.
For a quick overview of the pros and cons of some of the most popular messaging apps on the market, see the table below:
Has Signal Ever Been Compromised?
Signal was compromised once in 2022. However, this incident doesn’t mean that Signal isn’t secure.
It’s very important to note that it was actually one of Signal’s service providers (Twilio) that was hacked and not Signal itself. The hackers were able to gain access to 1,900 accounts, which allowed them to send and receive messages from those phone numbers, but they couldn’t see the users’ message history, contact list, profile information, etc. because all of that is stored on the user’s own device (Signal doesn’t have a copy of it). Also, no data was leaked as part of the attack.
Additionally, Signal has a feature that, if enabled, could have prevented this whole incident. The hackers were able to gain access to the users’ accounts by registering the victims’ phone numbers on a new device, but if the users had turned on Registration Lock, they couldn’t have done this without also having the users’ Signal PIN.
That said, Signal’s security isn’t flawless. Researchers have recently uncovered a potential vulnerability that allows attackers to track a user’s location by measuring the amount of time it takes for someone to receive a message.
This attack isn’t easy to pull off, and it requires the attacker and the victim to have messaged each other on WhatsApp before. But if you’re worried, there is a way for you to guard against this sort of attack: by using a VPN.
All VPNs add some latency to your connection because they also encrypt your traffic, and this extra latency would interfere with the attacker’s ability to accurately calculate your location. To prevent this type of attack, I recommend connecting to a server in a different country, though note that if you’re after the fastest possible VPN speeds, you should connect to a server that’s nearby.
Alternatively, you could switch VPN servers every now and again to further muddle the attacker’s timing data — Surfshark has a convenient Rotating IP feature that regularly changes your IP address without disconnecting you from the VPN.
How to Protect Your Device & Data While Using Signal
- Turn on Disappearing Messages. This deletes messages on Signal after a certain amount of time has elapsed, so if someone were to gain access to your device, they couldn’t read your entire message history.
- Enable Registration Lock. This prevents someone who gains access to your phone number from re-registering the number on their own device (stopping them from impersonating you).
- Turn on Screen Security. This stops your phone’s app switcher from showing a preview of the Signal app, so nothing can be seen when you switch from one app to another. On Android phones this also stops anyone from taking a screenshot of your Signal app.
- Enable Screen Lock. This makes it so that nobody can access the Signal app on your phone without your PIN number, passphrase, or biometric authentication.
- Verify your contact’s Safety Number. This unique number, which is assigned to each contact, helps ensure that you’re talking to the person you think you are.
- Turn on call forwarding. Call forwarding relays your calls through Signal’s servers to hide your IP address from your contact.
- Use a VPN. While everything you send on Signal is encrypted already, a VPN prevents a potential vulnerability by adding latency to your connection, thereby preventing an attacker from tracking your location through a timing attack. Most top VPNs also come with an ad, tracker, and malware blocker to guard against malicious links in your chats. In my opinion, ExpressVPN is the best VPN in 2024.
How to Set Up a Signal Account
- Download the Signal app onto your phone. You can find it on your device’s app store (Play Store for Android devices and the App Store on iOS devices).
- Install the Signal app. Simply follow the on-screen instructions to complete the installation process. You will be asked to give Signal certain permissions (including the ability to access your contacts and to make and manage phone calls), to enter and verify your phone number, to set up your profile, and to create your PIN.
- Launch the Signal app. That’s it! You can now chat with others more privately and securely using Signal.
Frequently Asked Questions
What are the disadvantages of the Signal app?
The biggest disadvantage of the Signal app is that its user base is very small compared to popular messaging apps like WhatsApp, Facebook Messenger, Telegram, etc. This means that many of your friends, family, and colleagues likely won’t have a Signal account, and you’ll have to convince them to switch over. Other disadvantages include requiring your phone number to register and that there’s no way to back up or transfer your data to or from its desktop app.
Is Signal safer than WhatsApp?
Yes, Signal is safer than WhatsApp. Both Signal and WhatsApp have end-to-end encryption and both have useful features like disappearing messages and view-once media. But WhatsApp is owned by Meta (formerly Facebook), which has a long history of privacy and security issues and collects and shares some user data, including your IP address. In contrast, Signal is owned by a non-profit organization and collects the bare minimum of data from its users.
Can the Signal app be hacked?
No app is 100% unhackable, and this applies to Signal as well. In fact, there was one incident in 2022 when Signal was compromised. In this attack, hackers were able to gain access to 1,900 Signal accounts and logged into 3 of them. That said, no data was leaked — the attackers weren’t able to see the victims’ conversations or contact lists. It wasn’t Signal’s security that cracked either, but its service provider, Twilio’s. Last but not least, the attack could have been foiled if the victims had enabled Signal’s Registration Lock feature.
Does Signal sell your data?
No, Signal doesn’t sell, rent, or monetize your data. It has little motive to do so — unlike most popular messaging apps, Signal is owned by a non-profit organization (the Signal Technology Foundation) that’s funded by a foundation and donations. It also collects very little data about its users. It can’t see your messages, your profile, or your contacts, and it doesn’t log your IP address.