The Significance of Signal in Cybersecurity for Individuals.

cart Shopcart:$0.00


The Significance of Signal in Cybersecurity for Individuals.


2023-03-23 By: W, Lynn
The Significance of Signal in Cybersecurity for Individuals.

Whether your private conversations are of a personal, professional, or political nature, it is worthwhile to consider that what you say or type on your phone might be subject to surveillance by both domestic and foreign governments, or targeted by criminals seeking to capture sensitive information such as passwords or credit card numbers. Other scenarios that may cause concern include applying for a new job without notifying your current employer, discussing confidential matters with a lawyer, conversing with friends about attending a protest, seeking an abortion or purchasing a gun, sharing private selfies with your partner, or engaging in discreet dating, among other examples. The scope of privacy concerns is vast and varied.

 

Thankfully, the right to privacy is a fundamental human right.

 

Regrettably, most phone communication methods such as voice calls, SMS messages, email, Facebook, Skype, and Hangouts, among others, are not as private as you may assume. This is because your phone company, internet service provider, and the app-makers who facilitate your communication can intercept and potentially access your chats. These can also be accessed by law enforcement agencies, the FBI, and government intelligence organizations such as the NSA. Moreover, your privacy may be compromised by anyone who has access to your phone and can view your notifications or messages without your permission.

However, there are ways to ensure that your private conversations remain genuinely private. One such method involves installing an application called Signal and convincing your contacts to do the same. Next, it’s essential to modify the app’s settings to secure everything.

 

Signal is a user-friendly app that is compatible with both Apple’s iOS and Google’s Android operating systems. It encrypts all communications, ensuring that only the intended recipients can access them. Additionally, Signal’s use of open source code allows security experts to scrutinize its claims of security. It can be downloaded from the App Store for iPhones and the Android Play Store.

While Signal is a well-crafted app, there are further measures you can take to enhance the security of your most confidential conversations. Although I covered some of these steps last year, there have been significant changes to Signal since then. Furthermore, there are valuable Signal features that you may not be familiar with.

 

To learn more about these measures, please refer to the detailed explanations below

 

1.Get your friends to use Signal

2.Securing Your Phone

3.Hide Signal messages on your lock screen

4.Don’t retain your messages forever

5.Securely Share Photos and Videos Privately

6.Have secure group discussions

7.Make secure voice and video calls

8.Sending Messages to Unsaved Contacts Without Adding Them to Your List

9.Using Safety Numbers to Verify Encryption Integrity

10.Signal: Using It on Your Computer

 

 

 

Get your friends to use Signal

 

 

Encrypted messages and calls can only be exchanged between Signal users. Therefore, it is essential to encourage your acquaintances to install Signal, as there is no point in using the app if your confidential messages are still being sent over unencrypted channels, such as SMS.

If you are an activist, urge all participants at your next meeting to download the app. If you are a journalist, inform your sources and editors about Signal. If you’re a political candidate, consider using Signal to communicate with your campaign team.

 

Securing Your Phone

 

Ensuring Strong Security for Your Signal Conversations

Signal offers robust end-to-end encryption, which guarantees that no one, including Signal’s developers, your phone or internet service provider, and government agencies that monitor online traffic, can access your conversations, provided you have correctly verified them.

However, Signal’s encryption does not prevent someone from picking up your phone and reading your messages by accessing the app. To avoid such a scenario, you must set up your phone to require a passcode or different authentication methods to unlock it. Moreover, encrypt your phone’s storage, swiftly update your phone’s operating system and apps, as this makes it harder for hackers to breach your device’s security remotely.

 

If you’re using Android:

Set up screen lock, which requires you to draw a pattern, type a numeric PIN, or type a password to unlock your phone. You can do this from the Settings app under Security > “Screen lock.” Try to make your pattern or passcode random, and avoid using anything obvious such as birthdates. Don’t tell anyone how to unlock your phone unless you’re OK with them reading all of your encrypted messages — and everything else on your phone.

Encrypt your phone’s storage. A screen lock is not much use if a thief can copy your phone’s data to a different device. Encrypting the flash memory on your phone blocks such an attack by scrambling your data so that it can only be unlocked using the same pattern, PIN, or password used to unlock your phone. You can do this from the Settings app under Security > “Encrypt phone.” Note that you need to have a full battery before Android lets you encrypt your phone, and you may have to wait up to an hour while your phone is encrypting.

Install all updates promptly. Updates fix security bugs, so every day you haven’t installed them is a day you’re vulnerable to attack. You can check for Android updates by opening the Settings app, and under System tap “About phone” > “System updates.” You should also update all of your apps from the Play Store promptly.

Lock your Signal app with a passphrase. The Android version of Signal lets you lock down the whole app, requiring a separate passphrase to access it. If you followed the steps above (set up a lock screen and encrypted your phone), this isn’t necessary. However, if you ever let others use your phone, you may want to enable it anyway. Open the Signal app, tap the menu icon in the top-right, and go to Settings. Tap Privacy and then tap “Enable passphrase” to set a passphrase. Important caveat: If you lose your passphrase, you’ll have to delete all of your Signal data and start over to keep using the app.

If you’re using an iPhone:

Set a strong passcode. iPhones automatically have encrypted storage, but this encryption only protects your data if you lock your device with a passcode. Everyone should use at least a six-digit passcode, and you should up that to 11 digits if you’re concerned that your phone might fall into the hands of a powerful attacker like a government. Avoid using anything obvious such as birthdates. I wrote about this in detail last year — skip to the bottom of that article for instructions on changing your passcode, and for considerations about using Touch ID.

Install updates promptly. Updates fix security bugs, so every day you haven’t installed them is a day you’re vulnerable to attack. You can check for iPhone updates in the Settings app under General > Software Update. You should also update all of your apps in the App Store app under the Updates tab.

 

Hide Signal Messages on Your Lock Screen

Signal’s encryption won’t necessarily help you if other people can see incoming messages displayed on your lock screen. Displaying messages on the lock screen is Signal’s default behavior, but you should change this if your phone is frequently in physical proximity to people who shouldn’t see your Signal messages — roommates, coworkers, or airport screeners, for example.

 

 

Here’s how to lock down your Signal notifications.

 

 

If you’re using Android:

Open the Settings app, and under “Device” > “Sound & notification” select “When device is locked.”

The options are “Show all notification content,” “Hide sensitive notification content,” or “Don’t show notifications at all.” I recommend you choose “Hide sensitive information content” — this way you’ll still be notified when you get a Signal message (or any other sensitive notification), but you’ll have to unlock your phone to see who it’s from and what it says.

If you’re using an iPhone:

Open the Signal app and click the gear icon in the top-left to get to Signal’s settings. Under “Notifications” > “Background Notifications,” tap “Show.”

The options are “Sender name & message,” “Sender name only,” or “No name or message.” I recommend you choose “No name or message” — this way you’ll still be notified when you get a Signal message, but you’ll have to unlock your phone to see who it’s from and what it says.

To completely remove Signal notifications from your iPhone’s lock screen, open the Settings app, tap “Notifications,” scroll down to the list of apps, and tap Signal. From here you can turn off “Show on Lock Screen.”

You may also wish to poke through the settings for any other apps that display sensitive notifications on your lock screen and disable them.

 

 

Don’t Retain Your Messages Forever

After your encrypted Signal message is sent to someone, copies of the plaintext message exist in only two locations: on your phone and on the recipient’s phone. (Unlike other messaging apps, the Signal server never has access to your plaintext messages, and only stores your encrypted messages on the internet for a short amount of time.) This means that if you delete the message from your phone, and the recipient deletes it from their phone, the message will no longer exist. It’s a good idea to regularly delete old messages, especially if they’re part of a sensitive conversation. This way, if your phone ever gets searched, the conversations you don’t even remember having from a year ago — as well as the sensitive conversations from last week — won’t get compromised.

 

Signal lets you send messages that disappear from both your phone and the recipient’s phone after a specified amount of time (between 5 seconds and 1 week). This is useful when you and a friend both want to retain messages from your conversation for a short period of time. But keep in mind, nothing stops the recipient from recording the messages anyway before they disappear (like, by taking screenshots).

 

If you have contacts or Signal groups (more on that below) that you regularly send private text messages to, I recommend setting disappearing messages to 1 week. It’s also easy to temporarily enable disappearing messages and then disable it when you’re done, for example when you need to send someone a password.

 

If you’re using Android:

Open the Signal app and tap on a conversation to open it.

Tap the menu icon in the top-right and select “Disappearing messages,” and choose the amount of time after the message has been seen before it disappears.

If you’re using an iPhone:

Open the Signal app and tap on a conversation to open it.

Tap the name of the person you’re talking to at the top of the screen to get to Conversation Settings.

Turn on “Disappearing Messages,” and choose the amount of time after the message has been seen before it disappears.

 

 

 

You can also manually delete individual messages, or whole conversations, from your own phone. Of course, this won’t delete them from the recipient’s phone — only disappearing messages will do that.

 

If you’re using Android:

 

To delete an individual message: Within a conversation, long-press on the message you’d like to delete to select it. Then tap the trash can icon at the top to delete it. You can also delete records of Signal calls within your conversation the same way.

To delete an entire conversation: From the list of Signal conversations, long-press on a contact to select it. Then tap the trash can icon at the top. This will delete all of the messages you’ve ever traded with that contact from your phone.

Enable “message trimming”: The Android version of Signal has a feature that lets you automatically delete messages in conversations that exceed a specific length. For example, you choose to retain the newest 200 messages with each contact, and automatically delete everything older than that. From the list of Signal conversations, tap the menu icon in the top-right and go to Settings. Tap “Chats and media,” and under “Message trimming” turn on “Delete old messages.” You can then adjust the conversation length limit, which defaults to 500 messages per conversation.

If you’re using an iPhone:

 

To delete an individual message: Within a conversation, long-press on the message you’d like to delete to select it. Then tap the “Delete” option to delete it. You can also delete records of Signal calls within your conversation the same way.

To delete an entire conversation: From the list of Signal conversations, swipe to the left on a contact and choose “Delete.” This will delete all of the messages you’ve ever traded with that contact from your phone.

To delete all messages in your Signal app: The iPhone version of Signal includes a nuclear option. To delete all of the messages you’ve ever sent or received, from the list of Signal conversations, tap the gear icon in the top-left to go to Settings. Tap “Privacy,” then “Clear History Logs.”

 

Securely Share Photos and Videos Privately

 

Signal makes it simple to send people encrypted photos and videos (including animated GIFs!). While you’re in a conversation with someone, just tap the paperclip icon to browse your photo library, or access your camera directly.

 

But Signal also includes a subtle security feature: If you take photos or video with your camera from within the Signal app itself, these won’t automatically save to your phone’s library. Likewise, when you receive a Signal message containing a photo or video, this also won’t automatically save to your phone’s library. If you’d like to save a photo to your library, you can long-press the photo and choose to save it.

 

Why does this matter? Many people automatically sync all of the photos and videos on their phones to iCloud, Google, or other cloud services. And people often allow other apps on their phone, such as Facebook or Instagram, to access their photo library as well. While convenient, this means that, after you’ve uploaded your photos to a cloud service provider, that provider can access them as well. And by extension, so can anyone who can convince the provider to hand over your data, like a law enforcement agency, or who hack your account, as in 2014, when nude photos of female celebrities were published online after their iCloud accounts were compromised.

 

So, if you’re taking a photo of a top secret document to send to a journalist, or if you’re taking a sexy selfie to send to your bae, make sure to take these photos directly from within the Signal app — this way, they’ll have the same level of encryption and privacy as the rest of your Signal messages.

 

Have Secure Group Discussions

One of the most useful features of Signal, in my experience, is the ability to create encrypted group chats. Anyone can create a Signal group and add as many people as they’d like, and everyone in the group can send encrypted messages to everyone else. As with one-on-one Signal conversations, group chats support disappearing messages as well as photos and videos. Here are a few cases where Signal groups can prove useful:

 

Communicating as a team on work projects that are too sensitive for non-encrypted tools like Slack or HipChat

Keeping track of your friends and colleagues at a conference

Keeping track of your affinity group at a protest

Organizing a weekly TV watching night

Running a rogue Twitter account as a team

 

 

Here’s how to use Signal groups

 

If you’re using Android:

From the list of Signal conversations, tap the menu icon in the top-right and choose “New group.”

Give your group a name, and pick which of your contacts you’d like to be a part of your group. Optionally, you can tap the circle to the left of the name field to choose an avatar for your group. Then tap the check in the top-right to create the group.

From within a group, you can click the people icon in the top-right to see a list of everyone else in the group.

From within a group, you can click the menu icon in the top-right for various options. You can click “Edit group” to change the group’s name or add new contacts. You can click “Leave group” to leave it yourself. You can also click “Mute notifications” if this is a noisy group and you don’t care to get notified for now.

 

 

If you’re using an iPhone:

From the list of Signal conversations, tap the pen icon in the top-right to start a new message. Then tap the people icon in the top-right to start a new group.

Give your group a name, and pick which of your contacts you’d like to be a part of your group. Optionally, you can tap the circle to the left of the name field to choose an avatar for your group. Then tap the plus in the top-right to create the group.

From within a group, you can tap the icon in the top-right corner for various options. From there, you can choose “Edit Group” to edit the group name or add new contacts to the group. You can choose “Leave Group” to leave the group yourself. And you can choose “List Group Members” to see who else is in the group with you.

 

While Signal groups are useful, they’re not without problems. Hopefully these will improve in the future, but as of this writing:

 

Anyone in the group can add new members, and it’s impossible to kick someone out of a group. People have to manually leave groups themselves. If someone who shouldn’t be in the group won’t leave it, you just have to make a new, separate group without them, and invite everyone else.
It can be annoying when someone in a group switches phones and their “safety numbers” change. (See more about safety numbers in the section below about verifying that the encryption isn’t under attack.)

There is a bug where, after you switch phones yourself, you’ll be able to receive incoming messages from groups you’re a part of, but you won’t be able to send messages to them yourself.

There is a workaround: If another member edits the group, such as by changing its name, it will refresh the group settings and you’ll be able to post to it again.

 

Make Secure Voice and Video Calls

In addition to enabling secure text messaging, Signal can also be used to make encrypted voice and video calls. While you’re in a text conversation with someone, just tap the phone icon to call them. When they answer, you can just start talking to them like on a normal call, but with the assurance that the Signal call is end-to-end encrypted. If you’d like to start a video call, tap the video camera icon on your phone during a voice call to turn on your camera. That’s it.

 

When you make a voice or video call, it’s possible for the person you’re calling to see what your IP address is, which could be used to learn your location. This probably doesn’t matter most of the time, but occasionally it might — for example, maybe you’d like to have a secure call with someone, but without letting them have any way of knowing what country you’re currently in. Signal has a feature that allows you to relay your calls through their server so that the person on the other end of the call can only see the Signal server’s IP address, and not yours. If you enable it, it will slow down your connection slightly, which might reduce the call quality. Here’s how to enable it:

 

If you’re using Android:

Open the Signal app, tap the menu icon in the top-right and choose “Settings.”

Go to Advanced, and turn on “Always relay calls.”

If you’re on an iPhone:

Open the Signal app and click the gear icon in the top-left to get to Signal’s settings.

Go to Privacy, and turn on “Always Relay Calls.”

 

Sending Messages to Unsaved Contacts Without Adding Them to Your List

 

Securely Messaging Unsaved Contacts

Many individuals sync their phone contacts to cloud services like iCloud, Google or their employer, which may seem convenient, but also means that your contact list becomes accessible to the service providers you sync to. This makes it also accessible to law enforcement agencies who can request data from these providers.

 

If you need to communicate securely with someone without storing their number in your contact list, Signal provides a solution. For instance, if you want to share confidential information with a journalist without appearing as a suspect in a leak investigation, you can avoid storing their phone number that later syncs with the cloud.

 

Signal allows you to initiate conversations with contacts that you have not saved on your phone. You can do this by opening the Signal app, tapping the pen icon to start a new conversation, and typing the phone number in the search field. If that phone number matches a Signal account, you can exchange encrypted messages without saving the number as a contact on your phone.

Using Safety Numbers to Verify Encryption Integrity

 

Sorry if this section is confusing for you — the inner-workings of encryption are always somewhat confusing. The important part is that you learn how to verify safety numbers below.

I said earlier that Signal ensures your communications stay private when it is properly verified. Using Signal properly involves verifying that your communications are not subject to a “man-in-the-middle attack.”

A man-in-the-middle attack is where two parties — Alice and Bob, for example — think they’re speaking directly to each other, but instead, Alice is speaking to an attacker, Bob is speaking to the same attacker, and the attacker is connecting the two, spying on everything along the way. In order to fully safeguard your communications, you have to take extra steps to verify that you’re encrypting directly to your friends and not to impostors.

You and each of your Signal contacts share a unique “safety number.” For example, Alice has one safety number with Bob, but she has a different safety number with Charlie. When Alice compares the safety number she sees on her phone with the number Bob sees on his, if the numbers are the same, that means the encryption is secure. But if the numbers are different, something is wrong: Maybe Alice is seeing a safety number between her and an attacker, or Bob is seeing a safety number between him and an attacker, and this is why they don’t match.

Because it’s unlikely that anyone is trying to attack your encryption the very first time you send a contact a message, Signal automatically trusts the first safety number that it sees for each contact. (If you discuss anything sensitive, you might want to confirm anyway).

To verify that your encryption is secure, first navigate to the verification screen:

Open the Signal app and tap on a conversation to open it.

Tap the contact’s name at the top of the screen.

Tap “Verify Safety Number.”

 

 

There are different ways to verify with a friend that your safety numbers match. It’s easiest to do when you’re in the same room, but it’s also possible to verify remotely.

 

Verifying a Contact In Person

If you’re able to meet up in person, one of you simply needs to scan the other’s QR code. Android users tap the QR code circle to scan, and iPhone users tap the “Scan Code” camera icon at the bottom to scan. Point your camera at your friend’s QR code to scan it, and if it’s successful, that means your encryption is secure.

Verifying a Contact Remotely

If you can’t meet up in person, you can still verify that your safety numbers match remotely — however, it’s kind of annoying.

You need to share the safety numbers you see with your contact using some out-of-band communication channel — that is, don’t share it in a Signal message. Instead, share it in a Facebook message, Twitter direct message, email, or phone call. You could also choose to share it using some other encrypted messaging app, such as WhatsApp or iMessage. (If you’re feeling paranoid, a phone call is a good option; it would be challenging for an attacker to pretend to be your contact if you recognize their voice.)

Once your contact gets your safety number, they need to navigate to the verification screen and compare, digit by digit, what you sent them with what they see. If they match, your conversation is secure.

For both Android and iPhone, you can tap the share icon in the top-right corner of the verification screen to share your safety numbers using other apps, or to copy them to your phone’s clipboard.

Verifying a Contact Who Gets a New Phone

From time to time, you might see a warning in a Signal conversation that says “Safety number changed. Tap to verify.” This can only mean one of two things:

1.Your Signal contact switched to a new installation of Signal, most likely because they bought a new phone, or,

2.An attacker is trying to insert themselves into your Signal conversations.

The latter is less likely, but the only way to rule it out completely is to again go through one of the verification processes for text contacts described above.

Signal: Using It on Your Computer

 

Using Signal on Your Computer Safely

Signal offers a desktop version of the app that you can install on your computer, which can be very convenient, particularly for work purposes. However, keep in mind that this can also increase the potential avenues for attackers to access your private conversations.

To install Signal on your computer, you need the Chrome web browser and then download the Signal app from the Chrome web store. You’ll then be guided to link your desktop app to your Signal account on your phone.

It’s important to understand that when you use Signal on your computer, you may be making your private conversations more vulnerable to attack. If an attacker can access either your computer or phone, they could potentially read your Signal messages. Additionally, while Signal data is securely stored within the app on mobile devices, on computers, it’s typically stored in an accessible folder, which increases the likelihood of exposure.

Therefore, it’s important to weigh the convenience of using Signal on your computer against the potential security risks. It’s worth considering that in some instances, it may be prudent to avoid using Signal on your computer altogether.