Signal is private messenger service provider just like whatsapp but with lot more security and privacy features.
Signal App history
As per wikipedia, Signal is a cross-platform encrypted messaging service developed by the Signal Foundation and Signal Messenger. It uses the Internet to send one-to-one and group messages, which can include files, voice notes, images and videos. It can also be used to make one-to-one and group voice and video calls and the Android version can optionally function as an SMS app.
Signal uses standard cellular telephone numbers as identifiers and secures all communications to other Signal users with end-to-end encryption. The apps include mechanisms by which users can independently verify the identity of their contacts and the integrity of the data channel
Signal’s software is free and open-source. Its clients are published under the GPLv3 license,while the server code is published under the AGPLv3 license. The Android app also includes third-party components which are closed-source.[self-published source] The non-profit Signal Foundation was launched in February 2018 with initial funding of $50 million from Brian Acton Signal has more than 10 million downloads on Android.
When was signal app originated ?
Signal is the successor of the RedPhone encrypted voice calling app and the TextSecure encrypted texting program. The beta versions of RedPhone and TextSecure were first launched in May 2010 by Whisper Systems a startup company co-founded by security researcher Moxie Marlinspike and roboticist Stuart Anderson.Whisper Systems also produced a firewall and tools for encrypting other forms of data. All of these were proprietary enterprise mobile security software and were only available for Android.
In November 2011, Whisper Systems announced that it had been acquired by Twitter. The financial terms of the deal were not disclosed by either company The acquisition was done “primarily so that Mr. Marlinspike could help the then-startup improve its security”.] Shortly after the acquisition, Whisper Systems’ RedPhone service was made unavailable. Some criticized the removal, arguing that the software was “specifically targeted people under repressive regimes” and that it left people like the Egyptians in “a dangerous position” during the events of the Egyptian revolution of 2011.
Twitter released TextSecure as free and open-source software under the GPLv3 license in December 2011.RedPhone was also released under the same license in July 2012. Marlinspike later left Twitter and founded Open Whisper Systems as a collaborative Open Source project for the continued development of TextSecure and RedPhone.
2013–2018: Open Whisper Systems
Open Whisper Systems’ website was launched in January 2013.
In February 2014, Open Whisper Systems introduced the second version of their TextSecure Protocol (now Signal Protocol), which added end-to-end encrypted group chat and instant messaging capabilities to TextSecure. Toward the end of July 2014, they announced plans to merge the RedPhone and TextSecure applications as Signal.This announcement coincided with the initial release of Signal as a RedPhone counterpart for iOS. The developers said that their next steps would be to provide TextSecure instant messaging capabilities for iOS, unify the RedPhone and TextSecure applications on Android, and launch a web client. Signal was the first iOS app to enable end-to-end encrypted voice calls for free. TextSecure compatibility was added to the iOS application in March 2015.
In March 2017, Open Whisper Systems transitioned Signal’s calling system from RedPhone to WebRTC, also adding the ability to make video calls with the mobile apps.
2018–present: Signal Messenger
On February 21, 2018, Moxie Marlinspike and WhatsApp co-founder Brian Acton announced the formation of the Signal Foundation, a 501(c)(3) nonprofit organization whose mission is “to support, accelerate, and broaden Signal’s mission of making private communication accessible and ubiquitous”.The foundation was started with an initial $50 million in funding from Acton, who had left WhatsApp’s parent company Facebook in September 2017. According to the announcement, Acton is the foundation’s executive chairman and Marlinspike continues as the CEO of Signal Messenger. By 2020, Signal runs totally on donations, as a nonprofit.
Between November 2019 and February 2020, Signal added support for iPads, view-once images and videos, stickers, and reactions. They also announced plans for a new group messaging system and an “experimental method for storing encrypted contacts in the cloud.”
Signal was reportedly popularized in the United States during the George Floyd protests. As U.S. protests gained momentum, on June 3, Twitter CEO Jack Dorsey tweeted a recommendation for users to download Signal Messenger. Heightened awareness of police monitoring led protesters to use the app to communicate. Black Lives Matter organizers had used the app “for several years”. During the first week of June, the encrypted messaging app was downloaded over five times more than it had been during the week prior to the death of George Floyd. In June 2020, Signal Foundation announced a new feature that enables users to blur faces in photos, in response to increased federal efforts to monitor protesters.
Signal allows users to make one-to-one and group voice and video calls to other Signal users on iOS, Android, and desktop. Group calls support up to 5 people with further plans to expand. All calls are made over a Wi-Fi or data connection and (with the exception of data fees) are free of charge, including long distance and international. Signal also allows users to send text messages, files, voice notes, pictures, GIFs, and video messages over a Wi-Fi or data connection to other Signal users on iOS, Android and a desktop app. The app also supports group messaging.
All communications between Signal users are automatically end-to-end encrypted. The keys that are used to encrypt the user’s communications are generated and stored at the endpoints (i.e. by users, not by servers). To verify that a correspondent is really the person that they claim to be, Signal users can compare key fingerprints (or scan QR codes) out-of-band. The app employs a trust-on-first-use mechanism in order to notify the user if a correspondent’s key changes.
On Android, users can opt into making Signal the default SMS/MMS application, allowing them to send and receive unencrypted SMS messages in addition to the standard end-to-end encrypted Signal messages. Users can then use the same application to communicate with contacts who do not have Signal. Sending a message unencrypted is also available as an override between Signal users.
TextSecure allowed the user to set a passphrase that encrypted the local message database and the user’s encryption keys. This did not encrypt the user’s contact database or message timestamps. The Signal applications on Android and iOS can be locked with the phone’s pin, passphrase, or biometric authentication. The user can define a “screen lock timeout” interval, providing an additional protection mechanism in case the phone is lost or stolen.
Signal also allows users to set timers to messages. After a specified time interval, the messages will be deleted from both the sender’s and the receivers’ devices. The time interval can be between five seconds and one week long, and the timer begins for each recipient once they have read their copy of the message. The developers have stressed that this is meant to be “a collaborative feature for conversations where all participants want to automate minimalist data hygiene, not for situations where your contact is your adversary”.
Signal excludes users’ messages from non-encrypted cloud backups by default.
Signal has support for read receipts and typing indicators, both of which can be disabled.
Signal allows users to automatically blur faces of people in photos to protect their identities.
Signal requires that the user provides a phone number for verification eliminating the need for user names or passwords and facilitating contact discovery (see below). The number does not have to be the same as on the device’s SIM card; it can also be a VoIP number or a landline as long as the user can receive the verification code and have a separate device to set up the software. A number can only be registered on one mobile device at a time.
This mandatory connection to a phone number (a feature Signal shares with WhatsApp, KakaoTalk, and others) has been criticized as a “major issue” for privacy-conscious users who are not comfortable with giving out their private phone number. A workaround is to use a secondary phone number. The option to choose a public, changeable username instead of sharing one’s phone number with everyone they message (or share a group with) is a widely requested feature, which as of June 2020 has not yet been implemented.
Signal in 2019 announced plans to implement this feature, overcoming the challenges associated with storing users’ social graphs by using what they called Secure Value Recovery (SVR). This allows users to client-side encrypt their Signal contacts with an alphanumeric passphrase (which Signal calls a PIN) and uses Intel SGX to limit the number of passphrase guesses, alleviating the risk of server-side brute-force attempts.
Cryptography expert Matthew D. Green described this method as “sophisticated work”, but also expressed concerns that the data the system was protecting should not rely on the security of SGX, which has been repeatedly broken.
Using phone numbers as identifiers may also create security risks that arise from the possibility of an attacker taking over a phone number. This can be mitigated by enabling an optional Registration Lock PIN in Signal’s privacy settings.
Setting up Signal’s desktop app requires that the user first install Signal on an Android or iOS based smartphone with an Internet connection.Once the desktop app has been linked to the user’s account, it will function as an independent client; the mobile app does not need to be present or online.Users can link up to 5 desktop apps to their account.
In July 2016, the Internet Society published a user study that assessed the ability of Signal users to detect and deter man-in-the-middle attacks. The study concluded that 21 out of 28 participants failed to correctly compare public key fingerprints in order to verify the identity of other Signal users, and that the majority of these users still believed they had succeeded, while in reality they failed. Four months later, Signal’s user interface was updated to make verifying the identity of other Signal users simpler.
Before version 4.17, the Signal Android client could only make plain text-only backups of the message history, i.e. without media messages.On February 26, 2018, Signal added support for “full backup/restore to SD card”, and as of version 4.17, users are able to restore their entire message history when switching to a new Android phone. On June 09, 2020, the Signal iOS client added the ability to transfer all Signal information from an old iOS device to a new one. The transfer is done wirelessly over a local connection between the two devices and is end-to-end encrypted.
The Signal Protocol also supports end-to-end encrypted group chats. The group chat protocol is a combination of a pairwise double ratchet and multicast encryption. In addition to the properties provided by the one-to-one protocol, the group chat protocol provides speaker consistency, out-of-order resilience, dropped message resilience, computational equality, trust equality, subgroup messaging, as well as contractible and expandable membership.
In October 2014, researchers from Ruhr University Bochum published an analysis of the Signal Protocol. Among other findings, they presented an unknown key-share attack on the protocol, but in general, they found that it was secure. In October 2016, researchers from UK’s University of Oxford, Queensland University of Technology in Australia, and Canada’s McMaster University published a formal analysis of the protocol. They concluded that the protocol was cryptographically sound.
In July 2017, researchers from Ruhr University Bochum found during another analysis of group messengers a purely theoretic attack against the group protocol of Signal: A user who knows the secret group ID of a group (due to having been a group member previously or stealing it from a member’s device) can become a member of the group. Since the group ID cannot be guessed and such member changes are displayed to the remaining members, this attack is likely to be difficult to carry out without being detected.
As of August 2018, the Signal Protocol has been implemented into WhatsApp, Facebook Messenger, Skype, and Google Allo, making it possible for the conversations of “more than a billion people worldwide” to be end-to-end encrypted.In Google Allo, Skype and Facebook Messenger, conversations are not encrypted with the Signal Protocol by default; they only offer end-to-end encryption in an optional mode
Up until March 2017, Signal’s voice calls were encrypted with SRTP and the ZRTP key-agreement protocol, which was developed by Phil Zimmermann. As of March 2017, Signal’s voice and video calling functionalities use the app’s Signal Protocol channel for authentication instead of ZRTP.
To verify that a correspondent is really the person that they claim to be, Signal users can compare key fingerprints (or scan QR codes) out-of-band. The app employs a trust on first use mechanism in order to notify the user if a correspondent’s key changes.
Once the messages are received and decrypted on a user’s device, they are stored locally in a SQLite database that is encrypted with SQLCipher. The key to decrypt this database is also stored locally on the user’s device and can be accessed if the device is unlocked.In December 2020, Cellebrite published a blog post announcing that one of their products could now access this key and use it to “decrypt the Signal app”. Technology reporters later published articles about how Cellebrite had claimed to have the ability to “break into the Signal app” and “crack Signal’s encryption”.This latter interpretation was rejected by several experts, as well as representatives from Signal, who said the original post by Cellebrite had been about accessing data on “an unlocked Android phone in their physical possession” and that they “could have just opened the app to look at the messages”.
Signal relies on centralized servers that are maintained by Signal Messenger. In addition to routing Signal’s messages, the servers also facilitate the discovery of contacts who are also registered Signal users and the automatic exchange of users’ public keys. By default, Signal’s voice and video calls are peer-to-peer. If the caller is not in the receiver’s address book, the call is routed through a server in order to hide the users’ IP addresses.
The servers store registered users’ phone numbers, public key material and push tokens which are necessary for setting up calls and transmitting messages. In order to determine which contacts are also Signal users, cryptographic hashes of the user’s contact numbers are periodically transmitted to the server. The server then checks to see if those match any of the SHA256 hashes of registered users and tells the client if any matches are found.
The hashed numbers are thereafter discarded from the server. In 2014, Moxie Marlinspike wrote that it is easy to calculate a map of all possible hash inputs to hash outputs and reverse the mapping because of the limited preimage space (the set of all possible hash inputs) of phone numbers, and that a “practical privacy preserving contact discovery remains an unsolved problem.”
In September 2017, Signal’s developers announced that they were working on a way for the Signal client applications to “efficiently and scalably determine whether the contacts in their address book are Signal users without revealing the contacts in their address book to the Signal service.”
All client-server communications are protected by TLS. In October 2018, Signal deployed a “Sealed Sender” feature which encrypts the sender’s information using the sender and recipient identity keys, and includes it inside the message.
The group messaging mechanism is designed so that the servers do not have access to the membership list, group title, or group icon.Instead, the creation, updating, joining, and leaving of groups is done by the clients, which deliver pairwise messages to the participants in the same way that one-to-one messages are delivered.
Signal’s server architecture was federated between December 2013 and February 2016. In December 2013, it was announced that the messaging protocol Signal uses had successfully been integrated into the Android-based open-source operating system CyanogenMod.Since CyanogenMod 11.0, the client logic was contained in a system app called WhisperPush.
According to Signal’s developers, the Cyanogen team ran their own Signal messaging server for WhisperPush clients, which federated with the main server, so that both clients could exchange messages with each other. The WhisperPush source code was available under the GPLv3 license. In February 2016, the CyanogenMod team discontinued WhisperPush and recommended that its users switch to Signal. In May 2016, Moxie Marlinspike wrote that federation with the CyanogenMod servers had degraded the user experience and held back development, and that their servers will probably not federate with other servers again.
In May 2016, Moxie Marlinspike requested that a third-party client called LibreSignal not use the Signal service or the Signal name. As a result, on 24 May 2016 the LibreSignal project posted that the project was “abandoned”. The functionality provided by LibreSignal was subsequently incorporated into Signal by Marlinspike.
The complete source code of the Signal clients for Android, iOS and desktop is available on GitHub under a free software license. This enables interested parties to examine the code and help the developers verify that everything is behaving as expected. It also allows advanced users to compile their own copies of the applications and compare them with the versions that are distributed by Signal Messenger. In March 2016, Moxie Marlinspike wrote that, apart from some shared libraries that are not compiled with the project build due to a lack of Gradle NDK support, Signal for Android is reproducible. Signal’s servers are also open source.
Distribution of signal app
Signal is officially distributed through the Google Play store, Apple’s App Store, and the official website. Applications distributed via Google Play are signed by the developer of the application, and the Android operating system checks that updates are signed with the same key, preventing others from distributing updates that the developer themselves did not sign
The same applies to iOS applications that are distributed via Apple’s App Store. As of March 2017, the Android version of Signal can also be downloaded as a separate APK package binary from Signal Messenger’s website.
On December 28, 2014, Der Spiegel published slides from an internal NSA presentation dating to June 2012 in which the NSA deemed Signal’s encrypted voice calling component (RedPhone) on its own as a “major threat” to its mission, and when used in conjunction with other privacy tools such as Cspace, Tor, Tails, and TrueCrypt was ranked as “catastrophic”, leading to a “near-total loss/lack of insight to target communications, presence
Former NSA contractor Edward Snowden has endorsed Signal on multiple occasions.In his keynote speech at SXSW in March 2014, he praised Signal’s predecessors (TextSecure and RedPhone) for their ease of use.
During an interview with The New Yorker in October 2014, he recommended using “anything from Moxie Marlinspike and Open Whisper Systems”. During a remote appearance at an event hosted by Ryerson University and Canadian Journalists for Free Expression in March 2015, Snowden said that Signal is “very good” and that he knew the security model. Asked about encrypted messaging apps during a Reddit AMA in May 2015, he recommended Signal
In November 2015, Snowden tweeted that he used Signal “every day”.
In September 2015, the American Civil Liberties Union called on officials at the U.S. Capitol to ensure that lawmakers and staff members have secure communications technology. One of the applications that the ACLU recommended in their letter to the Senate Sergeant at Arms and to the House Sergeant at Arms was Signal, writing:
In March 2017, Signal was approved by the Sergeant at Arms of the U.S. Senate for use by senators and their staff
Following the 2016 Democratic National Committee email leak, Vanity Fair reported that Marc Elias, the general counsel for Hillary Clinton’s presidential campaign, had instructed DNC staffers to exclusively use Signal when saying anything “remotely contentious or disparaging” about Republican presidential nominee Donald Trump.
In February 2020, the European Commission recommended that its staff use Signal. Concurrently with the George Floyd protests, Signal was downloaded 121,000 times in the United States between 25 May and 4 June 2020. ] Twitter CEO Jack Dorsey advised the public to download Signal as protests spread in the US.
In July 2020, Signal became the most downloaded app in Hong Kong on both Apple’s App Store and Google’s Play Store after the passage of the Hong Kong national security law.
As of 2020, Signal is one of the contact methods to securely provide tips to major news outlets such as The Washington Post, The Guardian, The New York Times, and The Wall Street Journal.
Countries where Signal’s domain fronting is enabled by default
Countries where Signal is blocked (January 2018)
In December 2016, Egypt blocked access to Signal.] In response, Signal’s developers added domain fronting to their service. This allows Signal users in a specific country to circumvent censorship by making it look like they are connecting to a different internet-based service. As of October 2017, Signal’s domain fronting is enabled by default in Egypt, the United Arab Emirates, Oman and Qatar.
As of January 2018, Signal was blocked in Iran.. Signal’s domain fronting feature relies on the Google App Engine service.This does not work in Iran because Google has blocked Iranian access to GAE in order to comply with U.S. sanctions.
In early 2018, Google App Engine made an internal change to stop domain fronting for all countries. Due to this issue, Signal made a public change to use Amazon CloudFront for domain fronting. However, AWS also announced that they would be making changes to their service to prevent domain fronting. As a result, Signal said that they would start investigating new methods/approaches.
Signal switched from AWS back to Google in April 2019.
funding of signal app
The development of Signal and its predecessors at Open Whisper Systems was funded by a combination of consulting contracts, donations and grants.The Freedom of the Press Foundation acted as Signal’s fiscal sponsor.
Between 2013 and 2016, the project received grants from the Knight Foundation,the Shuttleworth Foundation, and almost $3 million from the US government–sponsored Open Technology Fund.
Signal is developed by Signal Messenger LLC, a software company founded by Moxie Marlinspike and Brian Acton in 2018, which is wholly owned by a tax-exempt nonprofit corporation called the Signal Technology Foundation, also created by them in 2018. The Foundation was funded with an initial loan of $50 million from Acton, “to support, accelerate, and broaden Signal’s mission of making private communication accessible and ubiquitous”. All of the organization’s products are published as free and open-source software.