What Is Signal and Why Is It Considered So Secure?

With over 40 million monthly active users, what is Signal and why is it considered as one of the most secure messaging apps and private messaging apps? It’s used by privacy advocates, activists, international NGOs, and more. Unlike many messaging apps and services that often prioritize profit over privacy, Signal messenger — developed by Open Whisper Systems — is built on open-source code, meaning its source code is publicly available for independent review. The Signal Foundation’s stated goal is “making private communication accessible, secure and ubiquitous”.

Most popular messaging apps collect and sell user data. By contrast, the Signal app minimizes data collection and safeguards a user’s digital footprint. Its encryption protocol, known as the Signal Protocol, has been adopted by major platforms such as WhatsApp and Skype. In times of uncertainty and unrest, Signal downloads have been known to spike, as was the case in Hong Kong during the 2020 protests and in 2021 following events like the storming of the US Capitol and the death of George Floyd.

In this article, we discuss what Signal is, why its architecture sets it apart, how its end-to-end encryption works, and what makes it one of the most secure messaging platforms available for private communication.

The Evolution of Signal Messenger

In 2010, security researcher Moxie Marlinspike and roboticist Stuart Anderson founded Whisper Systems, a company that developed TextSecure for encrypted messaging and RedPhone for secure voice calls on mobile phones. Twitter acquired Whisper Systems in 2011 to enhance its own security capabilities.

Later, in 2013, Marlinspike established Open Whisper Systems as a collaborative open-source project. This project led to several technical breakthroughs; in 2014, Open Whisper Systems introduced end-to-end encrypted group chat capabilities and launched Signal as an iOS counterpart to RedPhone. By November 2015, the Android versions of TextSecure and RedPhone merged to become Signal for Android, with subsequent releases even including BlackBerry Android–compatible versions.

In 2018, WhatsApp co-founder Brian Acton joined Marlinspike to form the Signal Foundation — a 501(c)(3) non-profit organization — thereby reinforcing Signal’s commitment to user privacy rather than commercial interests or strict intellectual property rights.

Signal’s Security Architecture

Signal’s security architecture is the foundation of its reputation as a secure messaging app. At its core, Signal messenger implements advanced end-to-end encryption powered by the Signal Protocol, which combines multiple cryptographic components. This includes the Double Ratchet Algorithm, prekeys, and a triple Elliptic-curve Diffie-Hellman handshake, along with cryptographic primitives such as Curve25519, AES-256, and HMAC-SHA256. The protocol’s design has undergone rigorous academic evaluation, including reviews at events like the IEEE European Symposium on Security and Privacy, ensuring robust protection for digital communication. The protocol has undergone rigorous academic analysis, with researchers from Oxford, Queensland University of Technology, and McMaster University confirming its cryptographic soundness.

Data security is further enhanced by storing all information in an SQLite database encrypted with SQLCipher. The encryption key for this database is held in the operating system’s key store — using the Android Keystore for Android phones and Keychain for iOS — so that even if a device is compromised, the message history, contact list, address book, and membership lists remain protected. Additionally, Signal supports features such as automatic message deletion and an optional mode that deletes messages by default, which provides further privacy for both bulk messaging and basic messaging alike.

Beyond its encryption protocol, the Signal app offers enhanced security for everyday communication. The app supports secure voice messages, voice notes, video calls, video chat, and phone calls, thereby delivering a comprehensive suite of instant messaging capabilities. Signal also employs push tokens and authentication tokens to securely manage message delivery and offers Two-factor authentication via a 6-digit verification code sent as code via SMS text. This multi-layered approach ensures that every chat function and chat protocol within Signal remains robust against various security concerns and law enforcement pressures.

Signal vs. Other Messaging Apps

Signal’s encryption protocol has become an industry benchmark. Other messaging platforms — including Facebook Messenger’s Secret Conversations, Google Chat and Google Meet’s secure features, and Microsoft’s Skype private messaging — have incorporated elements of the Signal Protocol into their systems. However, unlike many popular messaging apps, Signal collects only minimal data (retaining only the account creation date and last connection time), thereby reducing its digital footprint and protecting privacy rights. In contrast, services like WhatsApp gather extensive information such as phone numbers, IP addresses, and device data, which raises concerns about data sharing with third-party services and law enforcement.

Advantages over Traditional SMS

Signal surpasses traditional SMS by offering a full range of communication features that include not only basic messaging but also secure voice messages, video calls, video chat, and file transfers. Users benefit from enhanced multimedia capabilities without carrier-imposed fees, while its encryption ensures that message interception and metadata collection are effectively prevented. This makes Signal an ideal messaging platform for private communication, whether used for individual chats or active group chat sessions.

Real-World Impact and Adoption

Signal’s real-world impact is evident in its adoption patterns. Its user base has expanded significantly during periods of social unrest and heightened privacy concerns. For example, after the death of George Floyd in May 2020, Signal’s weekly downloads surged dramatically, and installations increased by 1,000% in Hong Kong during periods of increased surveillance by repressive regimes. Organizations such as The Washington Post and The Guardian have adopted Signal for secure communication, and even the European Union directs its staff to use Signal for private messaging. These developments underscore Signal’s role as a benchmark in secure messaging services and its ongoing commitment to protecting privacy rights.

Response to Government Requests

Signal’s commitment to privacy extends to its legal practices. When subpoenaed by the Eastern District of Virginia — and in subsequent cases from regions like Santa Clara County and Luxembourg — Signal has provided only two data points: the account creation date and last connection time. This minimal data retention policy serves to protect the message history, contact list, and membership lists from unnecessary disclosure. Signal’s president, Meredith Whittaker, told The Guardian in June 2024, “You cannot do mass surveillance privately, full stop.” She further emphasized that Signal would not comply with mandates requiring backdoors or scanning of messages, even if such measures were demanded by law enforcement.

Impact on Privacy Legislation

Signal’s influence extends beyond its own user base, actively shaping debates on privacy rights and digital communication. The platform engages with regulators and policymakers to advocate for strong encryption standards and to resist proposals that would force compromises in security. In 2023, Signal made headlines by declaring that it would “absolutely, 100% walk” from the UK rather than comply with any legislation that undermines its encryption. This stance reinforces the balance between security concerns and the need to protect private messaging and communication between users, a principle that resonates with both privacy advocates and the broader public.

Conclusion

In summary, Signal is a secure messaging app that combines advanced encryption protocols with a steadfast commitment to user privacy. From its origins with Whisper Systems and the pioneering work of Moxie Marlinspike and Stuart Anderson to its evolution under the Signal Foundation, Signal has continually set the standard for secure digital communication. With features ranging from secure voice messages, video calls, and video chat to support for two-factor authentication and optional automatic message deletion, Signal remains a robust messaging platform that caters to both basic messaging needs and advanced security requirements on mobile phones and desktops alike.

Key Takeaways:

• Open-Source Transparency: Signal’s open-source code enables independent verification of its encryption protocol and overall security.
• Advanced Encryption: The integration of the Signal Protocol, including the Double Ratchet Algorithm, prekeys, and a triple Elliptic-curve Diffie-Hellman handshake, ensures secure messaging.
• Comprehensive Features: Signal supports voice messages, video calls, video chat, phone calls, and offers additional features like automatic message deletion and an optional mode.
• Minimal Data Retention: By retaining only essential data (e.g., account creation date and last connection time), Signal minimizes its digital footprint and exposure to law enforcement requests.
• Advocacy and Influence: As a 501(c)(3) non-profit organization, the Signal Foundation actively influences privacy legislation and maintains robust privacy rights for its user base.

Frequently Asked Questions