Signal: Overview of Security Issues

Recently, the Trump administration blundered idiotically yet again by adding a journalist to a Signal conversation about a military strike against the Houthis. As a result, there’s a lot of confusing or faulty information in the mainstream media regarding Signal. To be fair, these are complex issues, so here is a summary of Signal’s various security issues.

Signal is still the most secure messaging app available, but that doesn’t mean that the security of your messages is guaranteed when you use it.

Signal messages are end-to-end encrypted, meaning that a message is encrypted by the sender’s Signal app, and then it is not decrypted until it is received by the recipient. Even Signal cannot decrypt your messages; only the recipient can.

Signal supports both real-time communication (voice and video calls) and text-style communication (messages with or without media attachments). Both are end-to-end encrypted, but they are routed differently. By default, a call with someone in your contacts is connected peer-to-peer (the call media travels directly between the two devices), while a call with a non-contact is relayed through Signal’s servers. A peer-to-peer call exposes your IP address to the other participant, and anyone watching either party’s network can see the two endpoints talking to each other, which is enough to map who is talking to whom. If that matters to you, turn on “Always relay calls” (Settings > Privacy > Advanced); every call then goes through Signal’s servers at the cost of slightly lower call quality. Messages that travel through Signal’s servers are deleted from the server as soon as the recipient(s) receive them. If a recipient is offline, the server queues the message for no more than 45 days.

Any attachment sent via Signal in a chat is end-to-end encrypted just like the text portion. Each attachment is encrypted separately under its own fresh key and uploaded to Signal’s Content Delivery Network (CDN), after which an attachment pointer (the CDN location, the key, and a digest of the encrypted blob) is placed inside the end-to-end encrypted message itself; the CDN only ever holds ciphertext. If the message text is longer than 2048 bytes, the full text is sent as an attachment as well, with the first 2048 bytes also carried inline in the message. (source)
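The flow described above, as an added example that is not Signal’s code: a model of attachment handling in which each attachment gets a fresh key, only ciphertext reaches the CDN, the key rides inside the end-to-end encrypted message as a pointer, and text over 2048 bytes spills into a long-text attachment. Signal uses AES-256-CBC with HMAC-SHA256 for attachments; to stay on the standard library this example substitutes an HMAC-SHA256 keystream in counter mode for the AES step while keeping the same encrypt-then-MAC layout and digest check. The in-memory CDN, the content-type label for long text, and the sample inputs are constructed for the example.

```python
"""Model of Signal-style attachment handling (added example, not Signal's code)."""
import hashlib
import hmac
import secrets

INLINE_BODY_LIMIT = 2048            # bytes of text kept inline (the page's figure)
LONG_TEXT = "text/x-signal-plain"   # content-type tag for spilled-over text (example's choice)
CDN = {}                            # constructed stand-in for the CDN: id -> ciphertext blob


def _keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for the AES step)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_attachment(plaintext: bytes) -> tuple[bytes, bytes]:
    """Return (key_material, blob): 32-byte encryption key || 32-byte MAC key, and
    iv || ciphertext || mac, where the MAC covers iv || ciphertext (encrypt-then-MAC)."""
    enc_key, mac_key, iv = secrets.token_bytes(32), secrets.token_bytes(32), secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, iv, len(plaintext))))
    mac = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return enc_key + mac_key, iv + ct + mac


def decrypt_attachment(key_material: bytes, blob: bytes) -> bytes:
    """Verify the MAC before touching the ciphertext, then strip the keystream."""
    enc_key, mac_key = key_material[:32], key_material[32:]
    iv, ct, mac = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("attachment MAC mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, iv, len(ct))))


def upload(plaintext: bytes, content_type: str) -> dict:
    """Encrypt, push only ciphertext to the CDN, and return the pointer that rides
    inside the end-to-end encrypted message (the server never sees these fields)."""
    key_material, blob = encrypt_attachment(plaintext)
    cdn_id = secrets.token_hex(8)
    CDN[cdn_id] = blob
    return {"cdn_id": cdn_id, "key": key_material, "content_type": content_type,
            "size": len(plaintext), "digest": hashlib.sha256(blob).digest()}


def build_message(text: str, files: list[tuple[str, bytes]]) -> dict:
    """Sender side: text beyond INLINE_BODY_LIMIT becomes a long-text attachment,
    with the first INLINE_BODY_LIMIT bytes still carried inline."""
    body = text.encode()
    pointers = [upload(data, ctype) for ctype, data in files]
    if len(body) > INLINE_BODY_LIMIT:
        pointers.append(upload(body, LONG_TEXT))
        body = body[:INLINE_BODY_LIMIT]
    return {"body": body, "attachments": pointers}


def read_message(msg: dict) -> tuple[str, list[bytes]]:
    """Recipient side: fetch by id, check the digest from the pointer, decrypt with
    the key from the pointer, and let a long-text attachment replace the truncated body."""
    text, media = msg["body"].decode(errors="ignore"), []
    for ptr in msg["attachments"]:
        blob = CDN[ptr["cdn_id"]]
        if not hmac.compare_digest(hashlib.sha256(blob).digest(), ptr["digest"]):
            raise ValueError("attachment digest mismatch: CDN blob was altered")
        data = decrypt_attachment(ptr["key"], blob)
        if ptr["content_type"] == LONG_TEXT:
            text = data.decode()
        else:
            media.append(data)
    return text, media


def cdn_contains(needle: bytes) -> bool:
    """True if any stored blob contains `needle` in the clear (it never should)."""
    return any(needle in blob for blob in CDN.values())


def tamper_detected(msg: dict) -> bool:
    """Flip one byte of the first attachment on the CDN and report whether reading fails."""
    cdn_id = msg["attachments"][0]["cdn_id"]
    blob = bytearray(CDN[cdn_id])
    blob[20] ^= 0x01
    CDN[cdn_id] = bytes(blob)
    try:
        read_message(msg)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    m = build_message("x" * 3000, [("image/png", b"constructed PNG bytes, not a real image")])
    print(len(m["body"]), "inline bytes,", len(m["attachments"]), "attachments")
    print(read_message(m)[0] == "x" * 3000, not cdn_contains(b"x" * 64), tamper_detected(m))
```

The point to notice is where the key lives: it is inside the pointer, and the pointer is inside the end-to-end encrypted message, so Signal’s servers and CDN hold only ciphertext plus an opaque id. The recipient checks the digest from the pointer before decrypting, which is why an altered CDN blob is rejected rather than decrypted to garbage.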

Signal’s data is also encrypted while it is stored on your phone: the message database is encrypted with a key that Signal keeps in the device’s protected key storage, so someone who copies the phone’s storage without being able to unlock the phone cannot read it. That is not absolute protection. Anyone who can unlock the phone, or malware running with full privileges on it, can read whatever Signal can read, and on a desktop the database key is only as protected as your login session. Also, a file that is stored outside of Signal and then sent via Signal is still stored outside of Signal and, therefore, not protected by Signal.

If an attacker has control of your phone to the extent that they can see your screen then they will also see Signal when it is on your screen. This is true of all messaging apps.

If you add a person to a chat group, they will be able to see all the messages sent to that group after they were added, so you should be careful who you add to a chat group (obviously). They will not see messages sent to that group before they were added to it. Similarly, a secondary device you link to your account only sees messages received after it was linked, unless you accept the optional transfer of message history that recent versions of Signal offer when linking. If you replace a device, the new device will not see your old Signal messages unless you transfer or restore them. There is a procedure for backing up and restoring messages, but it does not happen automatically, and it isn’t particularly easy. For the sake of security, I recommend that you do not back up Signal messages; you should treat them as impermanent, and you should not treat Signal as a method of storing data.

Your account is based on your phone number, and your primary Signal device must have a phone number (typically, a cell phone with a SIM card). Because of that, anyone who can receive text messages to your number (for example, through a SIM swap) could try to register your number on their own device; enabling Registration Lock (Settings > Account) makes Signal require your PIN before the number can be registered again. You can add additional devices to your account, including desktop computers, which is nice if you prefer to type messages on a physical keyboard. For your protection, if you do not use a secondary device with Signal for an extended period, you will be forced to re-link it to your account. If your secondary device does not require you to authenticate before using it, then an attacker would not have to authenticate to gain access to your Signal messages either.

You can check your linked devices periodically from your primary device (Settings > Linked Devices) to verify that no attacker has somehow added a rogue device, and remove any you do not recognize. This is a real problem because Russian hackers have been “crafting malicious QR codes that, when scanned, will link a victim’s account to an actor-controlled Signal instance” (PC Mag, March 25, 2025). This is a phishing attack, meaning that you can avoid it by simply not scanning unexpected QR codes with your Signal app; the only QR code Signal should ever ask you to scan for linking is the one shown by a device you are linking yourself.

Though your account is always linked to your phone number, you can also assign it a username that you can share with others without giving them your phone number. This is in the Profile settings on your primary Signal device. Settings > Privacy > Phone Number additionally controls who can see your number and whether people can find you by it.

Signal has a disappearing messages function which automatically erases messages sent to a chat after a period of time. The time period is customizable. Generally, a week is a good setting for disappearing messages. Setting it shorter than that is more secure, but most people find that to be very inconvenient. This setting can be different for every chat group. Each message carries the timer that was in effect when it was sent, and the countdown runs separately on each device (from sending on the sender’s side, from reading on the recipient’s side), so if someone else in a group chat changes the setting, new messages will comply with the new setting, but the old messages will comply with the old setting.

If you work for a government, including the US federal government, you are generally required by records laws to retain work-related messages, so using Signal’s disappearing messages function for official business would be illegal (this applies to the recent Trump administration conversation regarding the attack on the Houthis). Project 2025 (the blueprint the current Trump administration is using) specifically encourages MAGA politicians to break the law by using Signal’s disappearing messages function.

Disappearing messages removes the content of a conversation, but it does not remove the record of who is a part of the conversation. Famously, the US government was able to show that the Oath Keepers and the Three Percenters militia group were in cahoots with each other by examining the membership of a Signal chat that included members of both organizations, even though no actual chat text was available due to disappearing messages. In addition, if you have deleted a chat on your phone, another member of that chat may not have deleted it, and it will still exist on their phone as a result.

If an attacker has control of your unlocked phone, the attacker can open Signal just as easily as you could. For the average person, the most likely scenario is a border crossing, where CBP (Customs and Border Protection) can pressure you to unlock your phone for inspection; however, any interaction with law enforcement could include them pressuring you to unlock your phone for them. If you are using Signal, make sure you have your phone set to automatically lock, and consider turning on Signal’s own Screen Lock (Settings > Privacy), which requires your phone’s passcode or biometrics again before Signal will open. If you use only your face or fingerprint to unlock your phone, an attacker could unlock your phone if they have the phone and have control of your body; both iOS and Android have a lockdown gesture that disables biometrics until the passcode is entered, and it is worth learning it.

The Signal app allows you to rename the app and give it a different icon (Settings > Appearance > App Icon) so it is slightly more difficult for an attacker (e.g., a border agent looking through your home screen) to find your Signal app. This only hides the icon; the app is still listed by its real name in the phone’s settings.

If you set Signal to produce notifications, and your notifications are set to appear on your lock screen, then a person who has control of your locked phone can see those messages as your device receives them. To avoid this problem, you can turn off Signal notifications (in Signal), turn off all lock screen notifications (in your device’s OS), turn off the “Show content” option for Signal specifically (in the “Lock screen notifications” section of your device OS), or set Signal’s own Settings > Notifications > Show option to “No name or message” so the notification reveals nothing either way.

Each conversation has a “safety number” that you can use to confirm another person’s identity. It is not a property of your account alone: it is derived from your identity key and the other person’s, so every pair of contacts has a different one, and both phones show the same 60 digits. The easiest check is in person, where you show them your safety number QR code and they scan it to confirm that the Signal contact they have for you really is you (and not an impostor); you can also read the digits to each other over a channel you already trust. The safety number changes whenever either of you replaces or reinstalls your primary device, because that generates a new identity key, and Signal flags the change in the chat. When you see that flag, treat it as a prompt to re-verify, not as noise.
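As an added illustration (not Signal’s code), here is the safety number computed the way libsignal’s numeric fingerprint generator does it: version 0 of the scheme, 5200 rounds of SHA-512, then 30 hash bytes turned into six 5-digit chunks per party, with the two 30-digit halves concatenated in sorted order so both phones show the same 60 digits. Keys and stable identifiers are constructed: real identity keys are Curve25519 public keys, stood in for here by random bytes, and newer clients bind the fingerprint to the account identifier rather than the phone number using the same arithmetic.

```python
"""Signal-style safety number (added example following libsignal's numeric fingerprint scheme)."""
import hashlib
import secrets

FINGERPRINT_VERSION = 0   # 2-byte version prefix folded into the hashed input
ITERATIONS = 5200         # hash rounds; makes grinding a matching fingerprint expensive


def new_identity_key() -> bytes:
    """Stand-in for a libsignal-encoded identity key: 0x05 type byte + 32 key bytes
    (random here; a real key is a Curve25519 public key)."""
    return b"\x05" + secrets.token_bytes(32)


def fingerprint_half(identity_key: bytes, stable_id: bytes) -> str:
    """30-digit fingerprint of one party's identity key bound to their identifier."""
    h = FINGERPRINT_VERSION.to_bytes(2, "big") + identity_key + stable_id
    for _ in range(ITERATIONS):
        h = hashlib.sha512(h + identity_key).digest()
    # six 5-byte chunks, each reduced to five decimal digits
    return "".join("%05d" % (int.from_bytes(h[i:i + 5], "big") % 100000)
                   for i in range(0, 30, 5))


def safety_number(my_key: bytes, my_id: bytes, their_key: bytes, their_id: bytes) -> str:
    """60 digits; the halves are sorted so either side computes the identical string."""
    return "".join(sorted((fingerprint_half(my_key, my_id),
                           fingerprint_half(their_key, their_id))))


def display(number: str) -> str:
    """Format as Signal shows it: twelve 5-digit groups, four per row."""
    groups = [number[i:i + 5] for i in range(0, 60, 5)]
    return "\n".join(" ".join(groups[r:r + 4]) for r in range(0, 12, 4))


if __name__ == "__main__":
    alice_key, bob_key = new_identity_key(), new_identity_key()
    alice_id, bob_id = b"+15550100001", b"+15550100002"   # constructed identifiers
    on_alice = safety_number(alice_key, alice_id, bob_key, bob_id)
    on_bob = safety_number(bob_key, bob_id, alice_key, alice_id)
    print(display(on_alice))
    print("both phones agree:", on_alice == on_bob)
    bob_key = new_identity_key()   # Bob reinstalls Signal: fresh identity key
    print("changed after Bob's reinstall:",
          on_alice != safety_number(alice_key, alice_id, bob_key, bob_id))
```

Two things the arithmetic makes concrete: the number is symmetric, which is why scanning either phone’s QR code works, and it depends on the identity key, which is why a reinstall on either side produces a completely different number while a mere OS update does not.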

If you follow a link in a Signal chat, an attacker on your network may be able to see that you visited the website, but this is not the fault of Signal. Similarly, an attacker on your network may be able to see that you are using Signal, because they can observe the network traffic going from your device to Signal’s servers; what they cannot see from that traffic is whom you are messaging or what you are saying.

Signal’s Security FAQ is located here. Support for English-speaking Signal users is located here.

You can donate to Signal in-app (look in Signal Settings). Unless something dramatic changes, we can expect Signal to continue to be the most secure way to communicate electronically, and the load on Signal’s servers will continue to increase. “Your contribution helps pay for the servers, bandwidth, and continued development of an app that is used by millions of people every day for secure, free, and instantaneous communication anywhere in the world.”

More details about how Signal works are available here.