Review: Signal for iOS
Open Whisper Systems’ Signal is an encrypted voice and text communication application available for Android and iOS. The technology is built upon the organization’s open source Signal Protocol, which has recently been implemented by messaging heavy-hitters such as WhatsApp and Google Allo.
(Open) Whisper Systems background
Back in 2011, Twitter announced that it acquired well-known security researcher and speaker Moxie Marlinspike’s startup Whisper Systems. The company’s portfolio included a few products, including RedPhone and TextSecure – free voice and text encryption apps for Android users. Soon after the acquisition, Twitter made some of the Whisper Systems software available under an Open Source license (GPLv3), and Open Whisper Systems was formed to work on the projects based on this code.
A year ago, Signal 2.0 was released, and since then it practically became the de facto standard in mobile private communication. This plug by Edward Snowden definitely raised their user base:
Secure communication made easy
For the purpose of this review I’m using Signal on my iPhone, and the current version available for download is 2.2.
Signal, as most other communication apps, doesn’t use separate user accounts but ties it with your phone number. So, after you get the app from the App Store, you’ll need to verify your phone number.
After the successful verification, you’ll need to give Signal access to your contacts. I tried refusing, but the app simply presented me with a note saying that Signal doesn’t store any contact data on their servers and that I have to give it the required permissions in order to be able to use it. While I personally hate giving any application access to my contacts, in the past couple of years this has become standard practice.
The user interface is simple, elegant, and has an overall iMessage feel to it. By opening the contacts, you’ll clearly see which of your peers have Signal installed. This is a privacy focused app, so don’t expect those annoying “(Contact name) joined Signal” messages.
Textual communication: There is nothing special to talk about here; you’ll get the same look and feel as sending text or photos via iMessages.
Voice communication: This is usually one of the problematic aspects of this type of apps. Voice quality is often sub par, especially when dialing and receiving calls when not connected to a wireless network. Voice calls on Signal proved to be fantastic, overall I didn’t have one bad experience related to it – both on a WLAN or 3G.
When you start a voice call, two random words will be presented on your screen and that of the person (Signal user) whom you’re speaking with. This is a security mechanism: you can ask the person to say the words to you, and if they match, you can be sure that the person you’re speaking with (or at least the device they are using) is the one you called.
Privacy and security, hand in hand
Signal makes all of your communication secure. I won’t go into the technical details, but if you are interested, I suggest reading the protocol’s specifications.
Inside the Settings > Privacy screen, there are just a couple of options.
When enabled, “Screen Security” protects the private data on the app screen by showing a blue screen instead of a miniature version of the actual one when the iOS home button is double clicked to show a list of running apps.
“Clear History Logs” is a killswitch through which you can wipe all the communication you’ve conducted through Signal.
Every device has its own identity, a unique fingerprint. This data can be used to double check the identity of the person you are talking to. The check can be verbal, or it can be done by scanning a the fingerprint in the form of a QR code. If the fingerprint is mismatched, you’ll get an error like the one depicted on the image below.
A few issues
I can’t remember the last time I tested an app that didn’t have at least a bug or two, and Signal is no exception.
The first issue is related to the clearing of history logs. Fortunately, it does wipe communication data, but after doing this, at first you won’t be able to start a conversation with anyone (new or old) from your contact list. All contacts, even those using Signal, will be shaded. The only way to overcome this is to swipe the entire screen down, which initiates a re-fresh. There should be an automatic refresh whenever contacts are opened as this is not exactly intuitive.
By tapping and holding a contact’s name in the conversation screen, an option is presented where you can scan someone’s fingerprint. The camera is activated, but in case you opened this by mistake, or if there the QR code you’re trying to scan is invalid, you won’t be able to close the camera and return to the Signal application. The only thing you can do is to force quit the app and start it again.
For the past six months, Signal Desktop was in closed beta. In April, Open Whisper Systems opened the app to the public. Signal Desktop is a Chrome app which runs from Chrome App Launcher and it is linked to the identity setup on your phone. It currently works only for Android users, but multi-device support for iOS is in the pipeline.
Signal should definitely be your go to application for secure and private messaging. Besides it working flawlessly (the UX bugs I mentioned are trivial), it has a great team behind it, and a robust underlying security architecture.