1 October 2016

Signal (for iPhone)

Editors
By Max Eddy

Since the Snowden revelations of 2013, technology companies have been touting their security bona fides like they would new designs or breakthrough features. Messaging apps now list encryption schemes alongside stickers and GIF makers. The Signal iPhone app from Open Whisper Systems does the best job bridging the gap between usability and excellent security, although using it does mean sacrificing some of the fun of messaging.

Starting Up
Signal is available for free through the App Store, and I had no trouble installing it on my iPhone 6. The app is also available for Android, where the greater latitudes of Google's platform allow it to function as a total replacement for the stock SMS app. The apps can communicate cross-platform.

SecurityWatchSignal uses your phone number to automatically find other Signal users with whom you can chat securely, so naturally you have to register your phone number. Just tap in your digits, and add the registration code sent to your phone via SMS. This same process is more or less the norm across mobile messengers. Even Google Allo needs your phone number. Editors' Choice winner Facebook Messenger, notably, does not. Though Signal's developers have taken steps to ensure that this exchange protects your privacy, they acknowledge that a perfect solution has yet to be found.

Open WhisperSystems recently announced that the iPhone app is now interoperable with the existing Chrome browser app. Linking the two is as easy as taking a photo of a QR code. It's simple, similar to how WhatsApp handles multi-device messaging, but without the need to keep your phone within range of your computer. You can easily de-register computers from the Settings menu in the Signal app, keeping you in control of which machines can access your account.

Secure Signaling
The Signal app has been completely overhauled since I last reviewed it. Gone is the awkward bottom-screen navigation. There are now just two screens: Inbox and Archive. The Inbox shows your recent messages, both read and unread. Tap on a message to open it. Swipe left to either Delete or Archive it. Archived messages are stored in the Archive section, where they're close at hand but out of sight.

Open WhisperSystems Signal (for iPhone)To start a new chat, tap the button to the upper right. Doing so calls up a list of all the people in your contact list who have also installed Signal. Tap one to start a message, or tap the symbol in the upper right to start a group-messaging session. Group messaging works just like person-to-person, and anyone can add or leave the group at any time.

Messages in Signal look a lot like messages in the iOS 10 Messages Messages app. Your text appears in blue speech bubbles on the right of the screen, and incoming messages appear in grey bubbles on the left. You can also send images you've already taken and added to the Photos app, or shoot fresh videos or photos directly from Signal. For security's sake, any pictures or videos you take with Signal aren't stored on your phone.

Text can only take you so far, but you can speak securely though Signal as well. Inside any one-on-one chat, you can tap the phone icon in the upper right to begin an encrypted VoIP conversation. Again, you can only talk to other Signal users, and those are the only people that show up in the Contacts section. When you receive a call, Signal pops a push alert and plays a tune reminiscent of a vaporwave track. Answering pulls up a custom call screen, which sports all of the features you'd expect, such as Hold, Speakerphone, and Mute.

Signal also displays a random, two-word phrase for every call. Both you and the person on the other end of the line see the same phrase and can confirm each other's identity by speaking it aloud. Cryptocat and some encrypted chat services use similar secret phrases for authentication.

Open WhisperSystems Signal (for iPhone)When I travel to the Black Hat security conference, I use the Signal app to stay in touch with home and my colleagues at the conference. When connected to Wi-Fi, calls sound excellent, slightly better than regular phone calls. There's minimal latency in the conversation, and only occasional, mild audio distortions. Without Wi-Fi, things can be a little touch and go. Most of the time, calls sound just as good over cellular connections as with Wi-Fi. But when LTE isn't available, or you can only pull down a few bars, calls sometimes drop or fail to connect.

The Price of Security
As I mentioned earlier, Signal on iPhone only allows you to contact and chat with the people in your Contacts who also have Signal installed. That's because Signal encrypts messages end-to-end; only the recipient of your message can read it. Yes, you may have a hard time getting your friends to sign up, but it all but guarantees that no one—not Signal, or any government agency that subpoenas Signal—will be able to read your messages.

The Android version is more capable in this regard. It sends unencrypted SMS messages to users who don't have Signal and encrypted messages to those who do, functioning as a complete and seamless messaging replacement. Google Allo sends SMS messages when the recipient doesn't have Allo installed, but those messages come from seemingly random phone numbers and are difficult to understand.

Messages sent through Signal are secured with the Signal encryption protocol. It's open source, which means that its code is thoroughly picked over for potential problems. That's in sharp contrast to Telegram, which has lots of fun features and end-to-end encryption, but uses a proprietary protocol that hasn't been examined. It might seem like a small distinction, but security experts agree that open source software is generally safer than closed, custom software.

It's worth noting that Apple's Messages app also sends end-to-end encrypted iMessage messages to iPhone users. The Messages app was recently updated with extensive changes, including an integrated app and sticker store, making it perhaps the most capable messaging service out there. It's the only service I've seen that offers features and security, but is locked to Apple hardware. If you send messages to non-Apple users, they receive unencrypted SMS messages. Signal is totally crossplatform, and, unlike Apple, is very open about its technology.

Send a Signal
Signal does not let you do everything. You won't get to send stickers or other frivolous frills. It doesn't work with other social media platforms, so you'll have to convert friends and family to use it. Instead, Signal offers the easiest way to send secure messages. It's easy to use and its protocol is thoroughly tested. And the organization that supports it is run on grant money by volunteers and is disinterested in monetizing Signal's users or their data.

For its excellent experience and transparent security, Signal is an Editors' Choice winner for secure mobile messaging. Add it to your tool kit of messaging services, and reach for it when security is your primary concern.

No comments:

Post a Comment