Signal is a secure, free, and open source messaging application that uses end-to-end encryption to securely send and receive all kinds of communications with other Signal users. Using the Internet for all encrypted communication, Signal comes highly recommended by some of the top privacy and security advocates.
In this Signal review, we’ll look at the capabilities, usability, and security that Signal offers. We’ll also talk about how the design of the service provides extremely strong protection for your privacy. Signal is truly impressive, so let’s cut the chatter and dig in to the review.
Signal Pros and Cons
+ Pros
- End-to-end (E2E) encryption
- Encryption algorithms: Signal protocol, with Perfect Forward Secrecy (PFS) for text messages, voice messages, and video calls
- Open source software
- Disappearing messages (aka self-destructing messages)
- Published transparency reports
- Logs minimum amount of data
- Does not log IP Addresses
- Can replace your phone’s SMS messaging app
- Focus is totally on individual users
- All Signal products are free of charge
– Cons
- Requires a telephone number to sign up
Now we’ll briefly cover the main features of Signal encrypted messenger.
Feature summary
Here are some key features to consider when deciding whether the Signal app is right for you:
- Signal is generally considered the most secure messaging app in existence.
- 100% open source code. The code is available on GitHub.
- The Signal Messaging Protocol was independently audited in 2016.
- The service is fully GDPR compliant.
- Clients for Android, iOS, Mac OS, Windows, Linux.
Company information
In 2013, Moxie Marlinspike (real name Matthew Rosenfeld) founded Open Whisper Systems to develop the Signal app and protocol. In 2018, Marlinspike and Brian Acton founded Signal Messenger, LLC, to take over the development of both the Signal app and the Signal Protocol.
Signal Messenger, LLC is funded by the Signal Technology Foundation (aka Signal Foundation), a 501(c)(3) non-profit organization. All products of the Signal Foundation are published as free and open-source software.
Where is your Signal data stored?
When you use Signal, your data is stored in encrypted form on your devices. The only information that is stored on the Signal servers for each account is the phone number you registered with, the date and time you joined the service, and the date you last logged on. As Signal points out,
Notably, things we don’t have stored include anything about a user’s contacts (such as the contacts themselves, a hash of the contacts, any other derivative contact information), anything about a user’s groups (such as how many groups a user is in, which groups a user is in, the membership lists of a user’s groups), or any records of who a user has been communicating with.
All message contents are end-to-end encrypted, so we don’t have that information either.
This is great for your privacy, since no one can get any more information than that without physical access to your device or those of the people you communicate with.
This is different from apps like Wire messenger, which stores info about your contacts on central servers. However, it does mean that if you want to keep copies of your messages, you will need to configure Signal to back them up and restore them on your device.
Follow this link for instructions on using Signal backup and restore.
Third-party testing and audits of Signal
Even when a product is 100% open source like Signal, you don’t really know how good it is until someone checks it out. Here are some published findings by experts you can review to see how good Signal really is.
Signal security audits
A formal security analysis of the Signal protocol was conducted in 2016. According to that analysis, conducted by researchers from Germany, Switzerland, the United States, and Canada, there were no major flaws in the design. It showed that the protocol was cryptographically sound.
This analysis has been updated several times since, without changing the researcher’s conclusion that the protocol is sound. The last update was published in July, 2019.
Note: In September, 2019, a bug in the user interface of the Android version of the Signal app was discovered that could have allowed an attacker to eavesdrop on Signal users.
According to Vice.com, the bug was fixed the same day it was reported. This incident shows both the responsiveness of the Signal team, and the importance of keeping your copy of the Signal app and desktop updated.
Signal hands-on testing
For purposes of this Signal review, I tested out the mobile app for Android, along with the Linux desktop app.
Note: Signal is different than many other secure messaging apps in that you need to install and register it on a mobile phone before you can use it anywhere else. Therefore, I’ll address the mobile (Android) app first.
Installing Signal on an Android phone
Installing Signal on an Android phone involves downloading the app from Google Play and registering your phone using your telephone number. Some people object to registering using a phone number instead of an email address or anonymous username.
But registering with your phone number lets Signal connect easily to your phone’s contact list. Another benefit to this approach is that it lets Signal replace your phone’s built-in messaging app on Android devices.
Note: You can download an Android Signal APK here, and install the app that way, but Signal recommends against it unless you are an advanced user with special needs that would justify doing so.
Once you finish installing and registering your account, the Signal app will use your Internet connection to securely communicate with other Signal users by text, voice, video, group messaging, even file sharing, all using the secure Signal protocol.
Note: If you replace Android’s messaging app with Signal, you will need to distinguish between Signal users and non-users before sending messages. That’s because Signal cannot send encrypted SMS or MMS messages, meaning messages to non-Signal users will not be secure. Signal notifies you whenever you are messaging someone with a Signal account, and will offer you an easy way to invite non-users to join Signal when you connect to them.
Working with Signal
When you open Signal app you’ll see a list of your current phone contacts who are Signal users. The interface itself is clean and includes a wealth of information about the status of your contacts and your communications with them:
Tap the listing for a particular contact to open it. You’ll see the full thread of your conversation with that contact, the same as you would with any other messaging app.
But Signal has a number of features that can enhance your privacy, adjust the user interface, or just have fun adding things like animated stickers. Here are some of those features:
- Secure connection indicators – For iOS and Desktop Signal apps, all communications are always secure. For the Android app, the text input field for a conversation will show the words, “Signal message” and the Send icon will be blue and include an image of a closed lock when the connection is secure.
- Message reaction emojis – Quickly reply to messages with emoji reactions.
- View-once media – On mobile devices you can configure individual photos and videos to disappear after they have been viewed once.
- Group chats – Stay connected with your family and other groups of people.
- Insights – For Android users, a system that shows you what percentage of your Signal messages were sent encrypted.
- Disappearing messages – Set messages to disappear from both your and the recipient’s devices after a set amount of time has elapsed.
- Safety Numbers – Verify that you are communicating with the device you expect to be talking to by comparing safety numbers.
- Encrypted stickers – Add some fun without compromising your security.
Not only are the Signal mobile apps good looking and feature packed, they are also well made. Reviews are also good with Signal receiving ratings of 4.8 out of 5 stars at the Apple app store and 4.5 out of 5 stars at the Google Play store.
Signal Desktop clients
Signal officially supports the following desktop platforms:
- Windows
- Mac OS
- Linux (64 bit and 32 bit)
Installing Signal Desktop for Windows or Signal Desktop for MacOS is just like installing any other app. It only takes a moment to download, and seconds to install.
Installing Signal Desktop for Linux isn’t a particularly user-friendly process. You need to be able to do a bit of work on the Linux command line, but after a couple of steps you’ll have Signal Desktop for Linux installed and ready to run.
Because your phone number is the only way Signal can identify you, you need to link your account to Signal Desktop. Launching Signal Desktop for the first time displays a QR code you can use to make the connection It will look something like this:
Follow the directions on the bottom of this window to connect Signal Desktop to your mobile device and sync your data between the two.
Once the desktop is synched to your mobile phone, you’ll see that clean Signal interface along with your contacts.
I’ll leave it up to you to explore what else the Signal Desktop can do besides displaying those fun stickers!
Support
Signal Support is a searchable collection of around 70 articles addressing the most common questions and topics a Signal user might want information on.
For cases where this isn’t enough, you can hit the Contact Us link at the top of the page to submit a help ticket.
How secure and private is Signal
When it comes to security, the Signal messaging protocol is generally considered to be the most secure messaging protocol available. It is so good that many other messaging products, including Facebook Messenger, Skype, and WhatsApp, claim to have adopted the protocol for use in their own products.
When it comes to privacy, Signal is also a winner. As we discussed earlier, Signal only records three bits of information about their users. This is far less information than other services collect.
And you can take the privacy protections even one step further. This article has detailed instructions for registering a Signal account without disclosing your personal phone number.
Transparency reports
Signal has published only one transparency report, which you can see here. The report, from October 2016, is incredibly detailed, even including transcripts of the subpoena used, and all the additional communication that passed back and forth.
It would be great to see more transparency reports, on a regular schedule, like we see with other services. For example, we noted regular transparency updates in our ProtonVPN review. As another example, Surfshark has a warrant canary that is updated daily.
Signal business features
Unlike other messaging services, such as Wire, Signal offers only a single, free version. There are no pricing tiers, no extra-cost features, and no business-specific features. This is consistent with the idea behind the product, which is to become the most secure messaging app available. Nothing more, nothing less.
Signal prices
The Signal pricing model is about as complicated as the list of Signal business features. The price for everything they publish is zero.
Everything is free and open source software.
While you can use everything from Signal free of charge, the Signal Technology Foundation is an independent 501c3 nonprofit. They are committed to developing open source privacy technology that is desperately needed in this world of endless surveillance. You can make a contribution to the organization by visiting this page, and following the directions you find there.
Conclusion: Consider using Signal in 2021
Signal is clearly one of the leading secure messaging apps available today. While some people dislike the requirement to register with a phone number, the design of the whole system is such that it is hard to see this as a major problem. I have no qualms about recommending Signal to anyone investigating encrypted messaging services for personal use.
It is also a great alternative to WhatsApp that people are flocking to in 2021 as privacy concerns mount with WhatsApp and Facebook.
But you don’t need to take my advice on this. Users are flooding into the Signal camp from all directions. According to this February 2020 article at The Verge, The European Union has told its staff to switch to Signal for all its public instant messaging.
And let’s not forget these endorsements from big-name privacy and security advocates:
The most recent “big name” recommendation for Signal came from Elon Musk in response to the latest WhatsApp privacy issues.
What else is there to say?
Is Signal right for you?
It is hard for me to imagine someone reading this post for whom Signal would not be the right secure messaging app. And remember: If the need to register with a phone number really bothers you, read this article for alternatives to giving Signal your personal phone number.
One other reason not to try Signal: if most of the people you need secure messaging for are already using another secure messaging service like Wire or Telegram, it might make sense to join them there instead of trying to get them to all move to Signal.
Beyond those cases, I believe that anyone looking for a secure messaging service should try Signal now.
For alternatives, check out our roundup of the best encrypted messaging apps, or the other reviews below.
Threema Review
Telegram Review
Session Review
Wickr Review
Keybase Review
Wire Review
Nice write up. It seems people are missing the point.. or at least the point i use it for. Privacy not Security. If you are doing security you want to do other things along with end to end encryption or something totally different.
If you are doing something that is illegal enough for some one to get it and they got your or the recipients phone they can likely get it. My big deal is to keep my messages out of big tech’s hands. Since nothing is stored server side other than your Number, creation and login times.. problem solved. They know who i am when i am but not what it is…. unless the OS is yanking it out some how. Of course the other end needs signal as well.
If Govmnt does what the conspiracy theorists suggest and starts going into personal text messages to censor and such… signal and the like is where its at. Choose which ever you want, but choose one. I choose signal because it is Open Source.
i am strongly considering not using messaging with anyone who doesn’t use signal. Not because it is illegal but because big tech doesn’t need to know that I tell my family I’m going to be late for practice.
Also. take someones phone, point it at their face and when it unlocks text someone in their contacts something silly. Don’t use face/finger print
Posted same message on another thread before noticed that one.
It’s impossible to use Signal without exposing yourself to Google first. If you use client, 3rd party or from unofficial source, even Signal’s own website, you need to go throug Google’s recaptcha to acquire unique identify key, so the know which device is used and when. Google Play shop and AppStore does that same. BB always know, unless you have device which is not used anything else than Signal use!
I noticed in all of your reviews that we don’t address whether or not the messages can be retrieved off of your device if the device is unlocked (perhaps through the use of celebrite) and again, by using a tool like cellebrite, there is an attempted data extraction. There are dozens of articles online and none are clear and many are very conflicting. While I understand that if icloud back up is turned on if you’re using an iPhone that the data gets stored to your cloud, and possibly can be read, or on an android chat back up does the same. Assuming chat back ups and icloud are turned off, and the phone and the apps have passwords, and all the messages you have ever sent have been completely deleted (not through a wipe but just simply emptied the chat, could the entire history of the messages be retrieved although they were deleted? Specifically for threema and signal. Thanks
I think I have found an app that is the basis of the idea behind the people at Signal’s wanting to try integrating cryptocurrency into their service. Status is an open source, peer-to-peer (P2P) encrypted messenger that comes with Ethereum wallet integration and is only available on iOS and Android, respectfully.
https://status.im
If I am right, I think Signal might have a hard time since the app relies on a centralized server network model. Unless their embracing cryptocurrency is a way to help lay the groundwork for Signal to somehow be converted to peer-to-peer? Status looks like a good service and may be growing in popularity, so it remains to be seen what happens.
Signal recommends users scan their contact’s safety numbers in order to prevent potential middle man attacks. This, however, is an interesting development.
https://www.bleepingcomputer.com/news/security/signal-app-safety-numbers-do-not-always-change-heres-why/
Signal app is a free messaging and voice-talk platform similar to WhatsApp but with one most important difference “Privacy”. In fact, the tagline of the Signal messaging app is “Say hello to privacy”, a line that will resonate well with the users and make them want to trust the brand.
Dear Restore Privacy
I just watched this video [https://invidious.fdn.fr/watch?v=tJoO2uWrX1M] by ‘The Hated One’ where he says that Signal has betrayed us as it now will use Mobilecoin. Does this mean it is no longer private particularly at the server side? Should we ditch Signal in favor of Element or Session [I cannot make voice calls with Session]?
Every time we find a decent messenger something comes up. What say ye?
In my view, I think it best to wait since the effort is in Beta and it could end up going the way of Facebook’s proposed cryptocurrency. I think one huge disincentive is the recent clampdowns on cryptocurrencies by the U.S. and other governments as of late that has resulted in large drops in their value.
The kind of scrutiny on the part of government regulators a Signal-MobileCoin venture would invite also makes it unjustifiable both of which are huge drawbacks. These reasons alone might be enough reason for Signal to dump this effort.
https://www.reuters.com/technology/fed-citing-crypto-risk-open-digital-currency-debate-this-summer-2021-05-20/
Before Christmas of last year, a story ran on BBC and other news outlets that stated an Israeli Digital Intelligence Company named Cellebrite was able to hack into Signal by breaking it’s encryption. This is false and Signal Foundation was not contacted for comment or given the ability to respond. Here is a link to their response about Cellebrite’s claim.
https://signal.org/blog/cellebrite-and-clickbait/
I think they have their foundation to say Signal was interupted, we don’t see why not. And Signal is jurisdiction of America. Nothing impossible until it happens. So nothing wrong if we are aware of this noteworthy exception.
https://yasha.substack.com/p/spy-funded-privacy-tools-like-signal
This should prove interesting
Internet Privacy [Signal, Tor, etc], Funded By Govt
https://surveillancevalley.com/blog/internet-privacy-funded-by-spies-cia
also
We need to talk about mathematical backdoors in encryption algorithms
https://www.theregister.com/2017/12/15/crypto_mathematical_backdoors/
Signal Points of interest are as follows:
Signal has been verified to be funded by the U.S. Govt.
The U.S. is part of Five Eyes.
Signal Servers are centralized in the U.S.
Signal runs on Amazon AWS cloud service — and Amazon is itself a CIA contractor
So more than likely the Signal encryption protocol can be accessed by the U.S. Govt; They fund it, they own it, they control it.
Signal is not on F-Droid
More investigation maybe warranted.
I just looked and Signal is on F-Droid. There isn’t anything I can see in either of those two articles you link to that points to Signal being funded by the U.S. government. The feds may have funded the research for the encryption and servers Signal uses but that’s not the same thing. Also, I do not think a message or any cloud or server-based service being located in the U.S. is necessarily a bad thing.
Consider that there are no laws in the U.S. requiring VPN’s, message services, or any server-based company (like those who provide clouds) to keep records of their user’s activities. This being the case, that enhances, and does not detract, user privacy. European countries with strong national privacy laws, Switzerland and Germany, may have laws on their books requiring said services keep records or the E.U. might.
I realize the concerns with intelligence agencies, but if they really want to spy on you they will find ways to do so. Suspicion is certainly warranted, but I think as long as you are a law-abiding citizen and don’t do anything illegal, I don’t think you will have a problem.
Here’s my issue. iPhone user. If Face ID does not work, signal prompts you to enter your iPhone code. Well if your kid or someone knows your phone code, they also know your signal code. Not private in “real world.”
Sorry for the late response. My understanding is that Signal is going to try to make a feature where people who sign up for it won’t have to use a phone number. I think a better way would be to issue an account number, like the VPNs Mullvad and IVPN do, instead. Otherwise, Signal has a PIN or biometric screen lock feature that can prevent a third party from accessing or using it.
There is an issue regarding contact research with Signal.
This will be shown around the 18:25-27 minute mark.
https://yewtu.be/watch?v=TOHDtgdWGSU
Signal’s response to a grand jury’s subpoena for user data.
https://signal.org/bigbrother/central-california-grand-jury/
I use ShazzleChat. Safe and completely private.
Is it open source? I don’t see any webpages indicating it has made it’s source code public. If not, you may want to look elsewhere since if ShazzleChat is proprietary the makers can change the terms and conditions and then use it to mine your data.
Signal’s developer used a very unique method to expose the vulnerabilities in a forensics software form.
https://arstechnica.com/information-technology/2021/04/in-epic-hack-signal-developer-turns-the-tables-on-forensics-firm-cellebrite/
Re “you need to install and register it on a mobile phone before you can use it anywhere else” —
does that mean you can’t install and register for desktop use with a Google Voice number?
if Signal have the features,Screenshot notification, like WickrMe, it would be the best
According to this article, Signal is government-funded and contains a backdoor. Thoughts? https://yasha.substack.com/p/signal-is-a-government-op-85e
Yes, I find the article interesting, but while there are lots of suggestions, it’s still lacking concrete proof of anything. But if this is enough to make you want to jump ship, there are other good secure messengers here.
Actually, a backdoor is not needed. Has anyone seen Anroid or iOS system code ?
When you can see keystrokes, encryption is irrelevant. There’s only one encryption method (otp) that cannot be broken, use it, then enter the cipher text into the messaging app. This renders keyloggers useless.
Convenient… no. Secure… absolutely.
Could you describe how to do that or post a link to a website with instructions about the OTP encryption you speak of?
So far Telegram and Element grab me. Telegram more so.
Telegram has not be proven to be funded by any government
Telegram headquarters is not in the Fourteen Eyes.
Telegram Servers are decentralized and multi-geographic/multinational.
Telegram server keys are not stored in the same geographic location as the servers
Telegram cryptographic protocol; MTProto “Version 2.0 is formally verified 2, meets IND-CCA criterion and uses RSA-2048, AES-256 cryptographic and SHA256 hashing primitives”
Telegram Keys are split between countries.
Telegram servers to be open sourced in 2021
Telegram is on F-Droid
With the concerns about the FBI being able to access a Signal user’s messages, this article breaks down what happened and the information the FBI received was, most likely, of little use for their investigation. Also, the author distinguishes the information the FBI obtained, including comparing Signal to Apple’s iMessage and how Signal is much more secure and private than Apple’s encrypted messenger.
https://thehackernews.com/2016/10/signal-messenger-fbi-subpoena.html
NSA/DI has Signal’s decryption keys.
Proof?
And with that, the anonymous account fell silent…
Hi,
This review is impressive. I wonder! How did you test the app do you have a particular software to do that, I am very curious I’m also interested in testin.
Thanks
MatrixxWeb
Two weeks ago I got my first spam message on Signal which is supposed to be impossible. The message purported to be from Amazon (although I don’t have an Amazon account) and offered me a new iPhone if I clicked on a link to claim my reward which of course I didn’t do. The message apparently originated in Vietnam. I immediately reported the security breach on the Signal support link with full details. I still have the message on my phone. Also followed up a week later. No response.
This is completely unacceptable. I’ll give it another week then delete Signal after telling all my contacts why.
I also received the same spam purportedly from Amazon offering me an Iphone 12. Also my friend who had recommended I change to Signal also received the same span. So much for security.
Hi Diti Ditson. Others are reporting spam too. I’ve deleted Signal but kept this link. It’s strange that Signal’s support team doesn’t seem to be interested in this.
What’s the marvellous info, well enough to remove American Signal chat app, from my phone.
#to me opinion: Not a bad idea for picking Session app (not calling) or a Swiss TeleGuard Swisscows app, quick Sign-up, neither phone# nor e-mail is necessary. The apps do not need those.
Wish it worked on my computer. Otherwise it is OK, time will tell.
@to pee or not to pee and @Sven Tylor
About that article from rt.com (…national security…): Does it mean that it’s not safe to use Signal? Is the government able to see the content of the messages?
As I always say, choosing privacy tools is a subjective process and a lot of it just comes down to who you trust. Remember that Signal is completely open source and has been audited. I think it remains a fine choice. But there are many other options if you want to consider other secure messengers.
the content? that’s the question. i think, simply because something is open source, it doesnt mean that is safe.
Please think again… when audited also means safe to use, why the need for updates then and how many updates got it since the last audit?
are you able to choose yourself the encryption key between you and the other end?
There seems to be an assertion circulating that because Signal was created by the US government/TLA’s it’s somehow not ‘safe’. That argument is non-sequitur.
The RT article cited below is actually very good in that they explain the reason for Signal’s initial creation, i.e. to aid in the overthrowing of democracy-hostile governments. And I’d suggest this in itself is not a cause for concern.
And on a more objective level the encryption seems to be sound as does the security model. And given it has now had a lot more public attention and yet no further qualified concerns have been raised I’d think it safe enough for most people.
And anyway if you were really that concerned you wouldn’t be using a cellular telephone network for anything sensitive. They are pretty much commercial arms of government and as such beholden to them.
first you have to have notional scrutiny clearvoyance to pass the examen, and if you follow a bright light, you will most certainly fail due to the blinded by the bright light outcome.
https://www.rt.com/op-ed/513732-signal-messenger-us-national-security/
Well that’s interesting. Thanks for sharing.
Russian State misinformation. News and information originating from any RT outlet should be considered suspect, or, at least, taken with a large grain of salt regarding sources and intents.
From Wikipedia :
“RT (formerly Russia Today) is a Russian state-controlled international television network funded by the federal tax budget of the Russian government. It operates pay television channels directed to audiences outside of Russia, as well as providing Internet content in English, Spanish, French, German, Arabic, and Russian.”
https://en.wikipedia.org/wiki/RT_(TV_network)
Sure, but I’d also say Wikipedia pushes propaganda as well…
Indeed they unfortunately do. Which is extremely upsetting if one thinks about how and why Wiki was started! People too easily say X is always bad/incorrect and Y is always good/correct. But it doesn’t matter _where_ you read/watch something, one should only care about that what you read is fine and correct. Do your own research, check multiple sources, do all sources agree. Doesn’t matter if it is at BBC, RT, CNN, FoxNews, Wapo, restoreprivacy or good ole Wikipedia for that matter.
And Telegram is affiliated with the Russian government. These apps and services are getting help from shady sources to push them to prominence. Sadly it looks like none of them can be trusted completely including google and fakebook. Remember when people used to think that google was cool. Time for people to take the red pill and wake up. Government and big tech are using all the data to profile users and to compile a social credit score which will be rolled out world wide. It’s already in places like china. Worst case would be for government subversives who think their communications are really private. Mankind is being surrounded by ruthless enemies.