There are dozens of messaging apps for iPhone and Android, but one in particular continues to stand out in the crowd. Signal is easy to use, works on both iOS and Android, and encrypts communications so that only the sender and recipient can decipher them.

It also has open source code, meaning it can be inspected to verify security. You can download Signal from the Android Play Store and the iPhone App Store.

Although Signal is well-designed, there are extra steps you must take if you want to maximize the security for your most sensitive conversations — the ones that could be misinterpreted by an employer, client, or airport security screener; might be of interest to a snooping government, whether at home or abroad; or could allow a thief or hacker to blackmail you or steal your identity.

I discuss these steps at length below, in order of importance. If you wish to jump ahead to a specific section, you can click the appropriate link:

Lock Down Your Phone

Signal uses strong end-to-end encryption, which, when properly used, ensures that no one involved in facilitating your conversation can see what you’re saying — not the makers of Signal, not your cellphone or broadband provider, and not the NSA or another spy agency that collects internet traffic in bulk.

But Signal’s encryption scheme can’t stop someone from picking up your phone and opening the app to read through your conversations. You have to take additional precautions.

If you’re using Android:

  • Set up screen lock, which requires you to draw a pattern, type a numeric PIN, or type a password to unlock your phone. You can do this from the Settings app under Security > “Screen lock.” Try to make it random, and avoid using anything obvious such as birthdates. Don’t tell anyone how to unlock your phone unless you’re OK with them reading all of your encrypted messages.
  • Encrypt your phone’s storage. A screen lock is not much use if a thief can copy your phone’s data to a different device. Encrypting the flash memory on your phone blocks such an attack by scrambling your data so that it can only be unlocked using the same pattern, PIN, or password used to unlock your phone. You can do this from the Settings app under Security > “Encrypt phone.” Note that you need to have a full battery before Android lets you encrypt your phone, and you may have to wait up to an hour while your phone is encrypting.
  • Install all updates promptly. Updates fix security bugs, so every day you haven’t installed them is a day you’re vulnerable to attack. You can check for Android updates by opening the Settings app, and under System tap “About phone” > “System updates.” You should also update all of your apps from the Play Store promptly.

If you’re using an iPhone:

  • Set a strong passcode. iPhones automatically have encrypted storage, but this encryption only protects your data if you lock your device with a passcode. Everyone should use at least a six-digit passcode, and you should up that to 11 digits if you’re concerned that your phone might fall into the hands of a powerful attacker like a government. Avoid using anything obvious such as birthdates. I wrote about this in detail in February — skip to the bottom of that article for instructions on changing your passcode, and for considerations about using Touch ID.
  • Install updates promptly. Updates fix security bugs, so every day you haven’t installed them is a day you’re vulnerable to attack. You can check for iPhone updates in the Settings app under General > Software Update. You should also update all of your apps in the App Store app under the Updates tab.

Hide Signal Messages on Your Lock Screen

Signal’s powerful encryption won’t necessarily help you if other people can see incoming Signal messages displayed on your lock screen. Displaying messages on the lock screen is Signal’s default behavior, but you should change this if your phone is frequently in physical proximity to people who shouldn’t see your Signal messages — roommates, coworkers, or airport screeners, for example.

Left: Signal notification on locked Android phone. Right: Signal notification on locked iPhone.

Here’s how to lock down your Signal notifications.

If you’re using Android:

  • Open the Settings app, and under “Device” > “Sound & notification” select “When device is locked.”
  • The options are “Show all notification content,” “Hide sensitive notification content,” or “Don’t show notifications at all.” I recommend you choose “Hide sensitive notification content” — this way you’ll still be notified when you get a Signal message, but you’ll have to unlock your phone to see who it’s from and what it says.

If you’re using an iPhone:

  • Open the Signal app and click the gear icon in the top-left to get to Signal’s settings. Under “Notifications” > “Background Notifications,” tap “Show.”
  • The options are “Sender name & message,” “Sender name only,” or “No name or message.” I recommend you choose “No name or message” — this way you’ll still be notified when you get a Signal message, but you’ll have to unlock your phone to see who it’s from and what it says.
  • To completely remove Signal notifications from your iPhone’s lock screen, open the Settings app, tap “Notifications,” scroll down to the list of apps, and tap Signal. From here you can turn off “Show on Lock Screen.”

Left: Hidden Signal notification on locked Android phone. Right: Hidden Signal notifications on locked iPhone.

Verify That You’re Talking to the Right Person

I said earlier that Signal ensures your communications stay private when it is properly used. Using Signal properly involves verifying that your communications are not subject to a “man-in-the-middle attack.”

A man-in-the-middle attack is where two parties (Romeo and Juliet, for example) think they’re speaking directly to each other, but instead, Romeo is speaking to an attacker, Juliet is speaking to the same attacker, and the attacker is connecting the two, spying on everything along the way. In order to fully safeguard your communications, you have to take extra steps to verify that you’re encrypting directly to your friends and not to impostors.

Most messaging apps don’t provide any way to do this sort of verification. Signal provides two: one for verifying voice calls and one for verifying text conversations.

Verify Your Phone Contacts

It’s easy to verify the security of phone calls on Signal, but you have to verify every call.

For each call, the Signal app displays two words on both callers’ phone screens. In the screenshot below, for example, each screen shows the words “shamrock paragon.” Juliet and Romeo read these words to one another; if the words are the same, and they recognize one another’s voices, the call is secure. If the words are different, someone is attacking the encryption in the call: hang up and try calling again, this time from a different internet connection.

It’s not required, but a popular convention is for the receiver to answer the phone by reading the first word, as in, “Shamrock?” and for the caller to respond with the second word, as in, “Paragon.”

Left: Encrypted Signal voice call in Android. Right: Encrypted Signal voice call on an iPhone.


I admit that this sounds like magic, but I assure you that it’s only mathematics. Here’s how it works: When Juliet calls Romeo using Signal, her app communicates with his app and agrees on a shared secret that no one else can possibly learn, even if they’re spying on this exchange — watch this five-minute video for an overview of how this works. The Signal app on each phone takes this shared secret and converts it into the two-word authentication string. As long as the shared secret is exactly the same on both phones, the authentication string will be exactly the same as well; if an attacker has interposed themselves, each phone ends up with a different secret, and the words differ.
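The following Python script is an added illustration of the idea in the paragraph above; it is not Signal’s code and does not use Signal’s word list or key-agreement parameters. It uses a toy Diffie-Hellman exchange (prime 23, generator 5; constructed for readability, whereas Signal uses 256-bit elliptic-curve keys) and a constructed 16-word list. The parameter names and the `honest_call`/`intercepted_call` functions are assumptions of this example. It shows that when both phones agree on the same secret, the two words match, and that when a third party runs a separate exchange with each side, the two phones hold different secrets, which is exactly what the spoken word check exposes.

```python
import hashlib

# Toy Diffie-Hellman parameters (constructed for illustration only).
P = 23
G = 5

# Constructed 16-word list. Signal uses its own, much larger list; the point
# is only that both phones map the same secret to the same words.
WORDS = [
    "shamrock", "paragon", "anchor", "beacon", "cobalt", "delta", "ember",
    "falcon", "granite", "harbor", "island", "jasper", "kestrel", "lantern",
    "meadow", "nectar",
]


def public_key(private: int) -> int:
    """The value each party sends over the network."""
    return pow(G, private, P)


def shared_secret(private: int, peer_public: int) -> int:
    """The value each party computes locally from the peer's public value.
    It is never sent, so an eavesdropper who only sees public values
    cannot recover it."""
    return pow(peer_public, private, P)


def short_auth_string(secret: int) -> str:
    """Map a shared secret to two words via a hash. Any deterministic one-way
    mapping works: equal secrets give equal words, and someone who does not
    hold the secret cannot choose words that will match."""
    digest = hashlib.sha256(secret.to_bytes(4, "big")).digest()
    return f"{WORDS[digest[0] % len(WORDS)]} {WORDS[digest[1] % len(WORDS)]}"


def words_match(juliet_words: str, romeo_words: str) -> bool:
    """The check the two callers perform aloud."""
    return juliet_words == romeo_words


def honest_call(juliet_priv: int, romeo_priv: int) -> tuple[int, int]:
    """Direct exchange: each side derives the secret from the other's
    public value, so both phones hold the same secret."""
    juliet_secret = shared_secret(juliet_priv, public_key(romeo_priv))
    romeo_secret = shared_secret(romeo_priv, public_key(juliet_priv))
    return juliet_secret, romeo_secret


def intercepted_call(juliet_priv: int, romeo_priv: int,
                     third_a: int, third_b: int) -> tuple[int, int]:
    """A third party completes one exchange with Juliet (using third_a) and a
    separate one with Romeo (using third_b). Each phone now shares a secret
    with the interposer, not with the other phone, so the secrets differ."""
    juliet_secret = shared_secret(juliet_priv, public_key(third_a))
    romeo_secret = shared_secret(romeo_priv, public_key(third_b))
    return juliet_secret, romeo_secret


if __name__ == "__main__":
    # Constructed private values for the demonstration.
    j, r = honest_call(juliet_priv=6, romeo_priv=15)
    print("direct call secrets:", j, r)
    print("words:", short_auth_string(j), "/", short_auth_string(r),
          "match:", words_match(short_auth_string(j), short_auth_string(r)))

    j, r = intercepted_call(juliet_priv=6, romeo_priv=15, third_a=3, third_b=7)
    print("intercepted call secrets:", j, r)
    print("words:", short_auth_string(j), "/", short_auth_string(r),
          "match:", words_match(short_auth_string(j), short_auth_string(r)))
```

In the direct call both sides compute the same secret (2, with the constructed values above); in the intercepted call Juliet computes 6 and Romeo computes 15, so the words read aloud will, with overwhelming probability, disagree. With a real-sized word list and key size the chance of an accidental match is negligible, which is why the check only needs two words.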

Verify Your Text Contacts

It’s more complicated to verify the security of Signal text chats, but once you’ve verified a text chat correspondent, you won’t have to re-verify them again until they get a new phone or re-install Signal.

Each person you text with in Signal has something called an identity key. When Juliet sends Romeo a message for the first time, her Signal app downloads a copy of his identity key and stores it on her phone, and vice versa. So long as these identity keys are valid — the key that Juliet has stored for Romeo is actually Romeo’s real key and not some attacker’s key — then the messages they send to each other are secure.

Because it’s unlikely that anyone is trying to attack your encrypted messages the very first time you send a contact a message, Signal automatically trusts the identity key that it downloads. This makes Signal easy to use: All you need to do to have an encrypted conversation is send someone a message, and that’s it. But if you discuss anything sensitive, you still might want to confirm.

To verify the identity key, you first navigate to the verification screen.

If you’re using Android:

  • Open the Signal app and tap on a conversation to open it
  • Tap the contact’s name and phone number at the top of the screen
  • Tap “Verify identity”

If you’re using an iPhone:

  • Open the Signal app and tap on a conversation to open it
  • Long-press the contact’s name at the top of the screen until the verification screen appears

Left: Signal identity verification in Android. Right: Signal identity verification on an iPhone.

Next, you want to confirm you have the correct identity key for your contact. You can do this either by scanning “QR codes,” which work similarly to the bar codes used to ring up groceries, or by comparing “fingerprints,” which are 66-character blocks of text.

Verifying a Text Contact in Person

If you’re able to meet up in person, here’s how you verify identity keys using QR codes:

If you’re using Android:

  • To be verified, tap the barcode icon in the top-right of the verification screen and select “Display your QR code” (you may be prompted to install the Barcode Scanner app the first time you do this; it is safe to install).
  • To verify someone else, tap the barcode icon on the verification screen and choose “Scan contact’s QR code,” and then point your camera at the contact’s QR code.

If you’re using an iPhone:

  • To be verified, tap the QR code icon on the verification screen.
  • To verify someone else, tap the camera icon on the verification screen, and then point the iPhone camera at the person’s QR code.

When you successfully verify a contact, Signal should pop up a message that says, “Verified!”

Verifying a Text Contact Remotely

If you can’t meet up in person, you can still verify that you have the right identity key by comparing fingerprints — however, it’s kind of annoying.

You need to share your fingerprint with your contact using some out-of-band communication channel — that is, don’t share it in a Signal message. Instead, share it in a Facebook message, Twitter direct message, email, or phone call. You could also choose to share it using some other encrypted messaging app, such as WhatsApp or iMessage. (If you’re feeling paranoid, a phone call is a good option; it would be challenging for an attacker to pretend to be your contact if you recognize their voice.)

Once your contact gets your fingerprint, they need to navigate to the verification screen and compare, character by character, what you sent them with what they see. If they match, your conversation is secure.

Your contact should share their fingerprint with you in the same way, and you should confirm that what they sent you matches what’s on your verification screen as well.

If you’re using Android, unfortunately there’s no way to copy your own fingerprint to your phone’s clipboard to paste into another app. If you want to share it using another app on your phone, you’ll have to manually type it.

If you’re using an iPhone, you can copy your own fingerprint to your phone’s clipboard like this: Open the Signal app and click the gear icon in the top-left to get to Signal’s settings. Tap Privacy, then tap Fingerprint.

Verifying a Text Contact Who Gets a New Phone

From time to time, you might see a warning in a Signal conversation that says “Identity key changed. Tap to verify new key.” This can only mean one of two things:

  1. Your Signal contact switched to a new installation of Signal, most likely because they bought a new phone, or,
  2. An attacker is trying to insert themselves into your Signal conversations.

The latter is less likely, but the only way to rule it out completely is to again go through one of the verification processes for text contacts described above.
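To make the trust-on-first-use behaviour described in “Verify Your Text Contacts,” the fingerprint comparison from “Verifying a Text Contact Remotely,” and the “Identity key changed” warning above concrete, here is an added Python example. It is not Signal’s code: the store is an in-memory stand-in for what the app keeps on the phone, the fingerprint is a SHA-256 hash of the key written in hex groups (an assumption of this example; Signal’s own fingerprint is a different 66-character format), and the contact names and key bytes are constructed. The example shows the three outcomes of receiving a contact’s key (first use, unchanged, changed), how an out-of-band fingerprint comparison marks a key as verified, and why a key change must drop the verified status until you compare again.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class IdentityRecord:
    key: bytes
    # Set only after the fingerprint has been compared over another channel.
    verified: bool = False


def fingerprint(key: bytes) -> str:
    """Illustrative fingerprint: SHA-256 of the key, upper-case hex in groups
    of four for easier reading aloud or typing (not Signal's format)."""
    hex_digest = hashlib.sha256(key).hexdigest().upper()
    return " ".join(hex_digest[i:i + 4] for i in range(0, len(hex_digest), 4))


def fingerprints_match(seen_locally: str, received_out_of_band: str) -> bool:
    """Compare character by character, ignoring spacing and letter case so a
    fingerprint retyped from a phone call or email still compares cleanly."""
    normalize = lambda s: "".join(s.split()).upper()
    return normalize(seen_locally) == normalize(received_out_of_band)


@dataclass
class IdentityStore:
    """Trust-on-first-use store for contacts' identity keys."""
    records: dict = field(default_factory=dict)

    def observe(self, contact: str, key: bytes) -> str:
        """Called whenever a key for `contact` arrives with a message."""
        current = self.records.get(contact)
        if current is None:
            # First contact: the app accepts the key without any check.
            self.records[contact] = IdentityRecord(key)
            return "trusted on first use"
        if current.key == key:
            return "unchanged"
        # Different key: either a new install on the contact's side or
        # someone interposed. Either way, previous verification no longer
        # applies, so the record is replaced with an unverified one.
        self.records[contact] = IdentityRecord(key, verified=False)
        return "changed"

    def confirm_fingerprint(self, contact: str, received: str) -> bool:
        """Compare the fingerprint of the stored key with one the contact sent
        over another channel; mark the key verified only on a match."""
        record = self.records[contact]
        record.verified = fingerprints_match(fingerprint(record.key), received)
        return record.verified

    def is_verified(self, contact: str) -> bool:
        record = self.records.get(contact)
        return record is not None and record.verified


if __name__ == "__main__":
    store = IdentityStore()
    # Constructed key bytes standing in for real identity keys.
    print(store.observe("romeo", b"romeo-key-v1"))   # trusted on first use
    print(store.observe("romeo", b"romeo-key-v1"))   # unchanged
    # Romeo reads his fingerprint over the phone; Juliet types it in.
    print(store.confirm_fingerprint("romeo", fingerprint(b"romeo-key-v1")))
    print(store.is_verified("romeo"))
    # Romeo gets a new phone (or someone interposes): key changes.
    print(store.observe("romeo", b"romeo-key-v2"))   # changed
    print(store.is_verified("romeo"))                 # False until re-checked
```

The `changed` outcome is where the two possibilities the article lists collapse into one observable event: the app cannot tell a new phone from an interposed party, which is why it resets the verified flag and why the only way to rule out the second possibility is to repeat the fingerprint or QR comparison.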

Archive and Delete Messages

After Juliet sends a message to Romeo using Signal, copies of this message exist in only two locations: on Juliet’s phone and on Romeo’s phone. Unlike other messaging apps, Signal doesn’t store a copy of your messages on internet servers (“in the cloud”). Still, if you have a sensitive conversation, it may be a good idea to delete it when you no longer need it.

You can also archive conversations that you want to keep around but don’t want cluttering your Signal app. Here’s how to delete and archive Signal conversations.

When you open the Signal app, you will see a list of your conversations — your inbox, essentially. You can swipe a conversation to the right to archive it, which moves it out of your inbox and into an “archived conversations” list. Deleting a message or conversation varies depending upon your phone’s operating system:

If you’re using Android:

To delete a message, open the conversation, pick the message you’d like to delete, and long-touch it. This will select the message and give you the option to delete it. Similarly, to delete a conversation, pick a conversation from your inbox and long-touch it. This will select the conversation and give you the option to delete it.

If you’re using an iPhone:

To delete a message, open the conversation, pick the message you’d like to delete, long-touch it, and choose “Delete.” To delete a conversation, pick the conversation you’d like to delete from your inbox and swipe to the left to delete it.

Deleting messages is permanent. If you delete a message from your Signal app, and the person you’re talking to deletes it from their Signal app, the message will be completely gone.