Getting started with Signal and other encrypted messaging apps
- 11 March, 2021 22:00
Right now. That’s always the best answer to the question, “When is it a good time to start using an encrypted messaging app like Signal?” Ever since Edward Snowden became the world’s most famous whistle blower, concerns about digital privacy have been front and center, and apps like Signal can help protect the wary. But what is Signal and other encrypted messaging apps, and how do they work?
How Signal provides secure messaging
There are several end-to-end encrypted messaging apps for both Android and iOS. The one we’ll focus on here is Signal, which is developed by Signal Messenger LLC and funded by the Signal Technology Foundation, a non-profit foundation.
Another option is WhatsApp, which is now owned by Facebook, and uses the same basic encryption scheme that was developed for Signal. Telegram is another popular choice with an optional encrypted messaging feature. This app started life in Russia, though Telegram now operates from the United Kingdom and its operations center is in Dubai.
The common thread to all these apps? It’s encryption, which just means your digital correspondence is scrambled to be indecipherable to third parties. The key selling point for these apps is that they use end-to-end encryption, which means the messages are encrypted on one device and then decrypted on another.
Once encrypted, the message travels across the Internet, and only the person you’re sending the message to can unscramble it. Even the servers that transmit those messages have no ability to see what they actually say. That is not the case with regular text messages, for example, or even regular email.
Encrypted communication can be anything digital such as an email, a text, an image, a voice call, or a video chat.
The other thing to note is that both sides of the transmission need to be using the same app. For example, you cannot send a message from WhatsApp and receive it in Signal. WhatsApp users communicate with other WhatsApp users and the same goes for Signal users. And so on.
Why use encrypted messaging?
Few of us are spies, political activists, or journalists working on high-stakes stories, so why would we want to use encrypted messaging in the first place? Well, despite claims to the contrary, the right to keep your own private business completely private is foundational to a free society. By extension, the ability to communicate with others without being spied on is critical for sharing personal views and ideas (whatever the subject) with others.
It may not seem like you have anything critical to hide. But if you look through your texts and emails, you’ll likely come across a lot of information that you wouldn’t want others to know about. This can include meeting locations with friends, controversial opinions, your health status, vacation plans, and maybe even a credit card number or account password.
Encrypted messaging: It’s all about the keys
Encrypted messaging uses a tool called “keys”—essentially long strings of letters and numbers. In their most basic form, these keys come in pairs: a public key and a private key. The public key is something that everyone can see and know about. A computer can then use this public key along with an encryption algorithm (fancy math!) to garble the message.
Once it’s garbled, the only way to read an encrypted message is to use the private key. Then when you respond to the encrypted message, the same thing happens in reverse. You use your friend’s public key to encrypt a message, and when they receive the garbled text, they use their private key to unscramble it.
The encryption schemes for messaging apps are now much more advanced than the original public-private key scheme. Signal’s protocol, for example, uses a combination of permanent and temporary keys. The temporary keys are regenerated on a per-message basis to limit how much information would be exposed should the keys ever leak. On top of that, the temporary and permanent keys are combined (along with more fancy algorithms) to create additional shared secret keys between the two people communicating. With so many permanent, temporary, and shared keys required to read a single message, it becomes much harder for a third party to read these messages without direct access to one of the user’s phones.
So, that’s how Signal does it. WhatsApp also uses Signal’s encryption protocol for its messaging. Telegram, meanwhile, uses a proprietary encryption scheme.
Even though encryption is far more complicated than it used to be, modern encryption apps are very easy to use. In the past, using encryption required at least some familiarity with the command line, and it often took several tries to work properly. And that was before you started managing your private key and figuring out how to use the encryptions keys with your email client. Then you had the additional problem of finding or convincing other people to go through this rigmarole, using complementary encryption tools on their end.
With modern messaging apps, you may still need to convince your friends and family to begin using them, but that’s the hardest part. There’s no playing around with the command line and managing your keys manually because the app handles all the heavy lifting in the background. That simplicity, however, means that you must trust the app to behave as it claims (though that’s true of all software).
We’ll use Signal to walk through the installation process, but the steps aren’t that different for both WhatsApp and Telegram. The first step is to download and install the app from Apple’s App Store or Google Play.
Next, when you open the app for the first time, it will ask for permission to access your contacts and media. Signal needs your contacts to see who among your friends uses Signal already, and the same goes for WhatsApp and Telegram. You can read about how Signal handles your contacts on its help pages, but in short Signal says it doesn’t upload your actual contact names but rather “hashes” a string of letters and numbers that it uses to match with its other users. WhatsApp also uses hashing, while Telegram uploads your contacts but allows you to delete these records from its servers.
Signal also asks for access your media and files so that you can send photos and files to your contacts.
Next, Signal asks you to input your phone number, and then a text message is sent to your phone with a confirmation code to verify the phone number is yours.
Then you’re asked to create a user name (usually just your real name) and you can add an image if you like. Finally, you create a PIN for extra privacy, and that’s it. Signal is ready to use.
To send your first message, tap the pencil icon on the main screen, and if any of your contacts are using Signal their names will pop up in an alphabetized list. Select your contact and send them a text or start a voice call just as you would with any other messaging platform.
In addition to one-on-one chats, Signal and WhatsApp support group text chats, voice calls, and video calls. Telegram supports voice calls and video calls, but its group text chats are not end-to-end encrypted.
Understanding the limits of encrypted messaging
Encrypted messaging apps are a good first step for securing your communications, but they’re not a perfect solution. First, your messages are readable on your device, meaning if someone else has access to your unlocked phone, they will be able to see your messages.
There are steps you can take to improve this. Signal, Telegram, and WhatsApp can all be set to require a fingerprint scan before allowing access to the app (assuming your phone has a fingerprint scanner).
Another option is to regularly delete your messages, or at least the sensitive ones, to prevent them from being read. That only covers your end though, as your contacts will still have the conversation saved on their phone. Signal, WhatsApp, and Telegram also have a feature that automatically deletes messages on both ends. Automatic deletion does not, however, stop anyone from taking a screenshot of a conversation before it disappears.
Potential security issues don’t end there, either. Your phone itself can present security holes for keeping messages safe, especially on Android. This forum discussion, for example, noted that phones with specialized third-party keyboards may not be secure, as the keyboards themselves could be compromised by a government or malicious actor. While that isn’t a problem with Signal itself, it is a potential loophole that could expose communications to bad actors, despite the use of a secure messaging app. Signal also has a support article about this issue.
For WhatsApp, there’s also the question of using a platform controlled by Facebook. The recent brouhaha over WhatsApp’s terms of service changes turned out to be not quite what was feared. Nevertheless, there’s still the chance that more and more information from WhatsApp will be turned over to Facebook in the coming years. To see what information is currently shared with Facebook from WhatsApp, check out this FAQ on the WhatsApp site.
While there are downsides, most people can benefit from apps like Signal, WhatsApp, and others. Encrypted messaging services are a great way to keep private information private with apps that are very easy to use.