Locking Down Signal: A Guide for Journalists

Martin Shelton
Nov 9, 2018

The encrypted messaging app, Signal, is quickly becoming a newsroom staple for communicating with sources, accepting tips, talking to colleagues, and for regular old voice calls and messages. While it’s a practical tool for anyone concerned with the security and privacy of their conversations, people working in newsrooms are particularly interesting targets, and should benefit from locking down Signal.

(If you’re not yet using it, learn how to get started here.)

Signal makes it easy to have a secure conversation without thinking about it. On its face, it looks and feels identical to your default text messaging app, but security experts so often recommend it because of what it does in the background.

First, Signal offers end-to-end encryption, meaning only conversational participants can read the messages. While regular phone calls or text messages allow your phone company to unscramble your conversations, even the team behind Signal can’t listen to them. You don’t need to take their word for it. Signal is open source, meaning the code is available for anyone to review. This also makes security audits simpler for independent specialists, who have torn apart the code and published findings that everything works as intended. Finally, Signal retains nearly no metadata — information about who spoke to whom, and when. (The developers proved as much in court.)

These are some of the advantages you want in an encrypted messaging app.

Because newsrooms can attract a lot of attention, journalists who already use Signal should consider hardening it against physical access, as well as unwanted remote access and network-based eavesdropping. So let’s talk about how.

Remote access and network eavesdropping

Confirm your connection security with safety numbers

Most messaging apps will not allow you to ensure the security of your connection with your conversational partners. But Signal allows you to verify that your session is encrypted to the right person (and not an eavesdropping third party).

First, open up a conversation with someone you want to talk to. Next, look for their “safety numbers.” These numbers represent the connection between your device and your conversational partner’s device.

iPhone users: Click your partner’s name (at the top of the screen) > View Safety Number
Android users: Click Settings (the “three-dot” menu) > Conversation settings > Verify safety numbers

You’ll see your safety numbers and a QR code representing the numbers.

If you and your conversational partner see the same numbers, your session is secure. You should verify your safety numbers over a different channel where you feel confident you’re talking to the right person, such as Twitter, Facebook, or Google Hangouts. If possible, exchange safety numbers in person.

If you and your contact are together in person, one of you can click “Scan code” on the safety number screen. Now, scan the other person’s QR code with your camera.

If you see a mismatch, something is definitely wrong and you shouldn’t talk over this channel. But chances are, your safety numbers will match. If everything looks good, mark your partner as “Verified.”

You won’t need to verify safety numbers again until someone resets the session. For example, when you begin using Signal from a new phone, you will get new safety numbers.

You’ll receive a notification if your safety numbers with a partner have changed. If this happens, use another channel to verify that the session is secured before you continue communicating sensitive information.

Using secondary Signal numbers

Signal treats your phone number like a “username.” But what if you don’t want to share your phone number? Journalists often want to use Signal to chat with sources, but may not want to use a personal phone number.

The good news: As long as no one else has registered it, you can register Signal with any phone number you have access to. If you already registered with your personal phone number, you can also change the number from your settings.

There are a few ways to get access to an alternative phone number.

For those in the United States, the easiest way to set up a secondary number is with Google Voice. (Your Signal messages go over Signal servers, not Google servers.) First, go to voice.google.com and log in with a Google account.

A screenshot of Google Voice accepting a registration code for Signal.
Signal registration message received in Google Voice. Source: OpenNews

From here, add a phone number you can use for verification. You’ll receive a text message with a verification code. Enter your verification code into Google Voice to complete your registration.

Now, register on Signal using this new phone number. You will receive a Signal registration code in your new Google Voice inbox.

In most countries you can use a secondary SIM card to create another number. Read this post by Jillian York of the Electronic Frontier Foundation to learn more. You can also use an online service called Twilio to create a number for as little as $1 each month. Learn how here.

If you’ve already set up Signal, you can also change your phone number to a new number within your settings.

iPhone users: Click Settings (profile icon at top left) > Account > Change phone number
Android users: Click Settings (profile icon at top left) > Account > Change phone number

Registration lock

Whether it’s your regular phone number or a secondary number, you’ll need to maintain access to this number. Why? If you lose access to the number and someone else re-registers it, now they own the Signal number.

You can lock in the registration for your Signal number, using Registration Lock.

iPhone users: Click Settings > Privacy > Registration Lock > Enabled
Android users: Click Settings > Privacy > Registration Lock > Enabled

Enter your preferred PIN. This PIN will prevent your number from being re-registered from a different device, so write it down or keep it somewhere safe. This might be a physically hidden notebook, or password management software. Signal will occasionally nudge you with a prompt to re-enter your PIN to ensure you still remember it.

Disable link previews

Signal offers the ability to retrieve previews of webpages linked within a conversation. According to the developers, when this feature is enabled Signal makes direct requests to websites to generate these previews. In other words, link previews leak the websites you share in your conversation to those websites.

Confirm link previews are disabled.

iPhone users: Click Settings > Privacy > Send link previews > Disabled
Android users: Click Settings > Privacy > Generate link previews > Disabled

Don’t leak keyboard data

Many phones come with multiple keyboards for different languages and functionalities, and allow you to download customized keyboards. This is useful, but it’s important to note that keyboards can share data with third parties. For example on many Android devices, Google’s keyboard is enabled by default, and unless you customize your keyboard settings, you may unknowingly save keyboard data beyond Signal.

Signal on Android has the option to use an “Incognito” keyboard that will not personalize your keyboard with anything typed in a conversation.
Android users: Settings > Privacy > Incognito keyboard > Enabled

Because your choice in keyboard can affect your privacy within and beyond Signal, make sure you know which keyboard(s) you have enabled. If you don’t trust the developer, consider downloading a keyboard from a developer you trust more in your app store.

iPhone users: iPhone Settings app > General > Keyboards
Android users (may be slightly different, depending on your version): Android Settings app > General management > Language and input > On-screen keyboard

iOS users: Keep your Signal history off iCloud

Signal allows you to see your call history from your regular phone app. This might be convenient, but will also allow your iPhone to sync this call history with iCloud, including who spoke to whom, when, and the call length.

If you use iCloud and you don’t want to share call history on Signal, confirm it’s turned off here: Settings > Privacy > Show Calls in Recents > Disabled.

Why you want disappearing messages

While Signal lets you delete individual messages, these messages will only be deleted on your device, and are still accessible by anyone else in your conversation. Instead, using Signal’s “disappearing messages” feature allows us to remove messages from a conversation automatically, after whatever amount of time you choose. This is particularly important for journalists concerned about messages on a source’s phone.

To turn on disappearing messages, first open a conversation.

iPhone users: Click on your partner’s name at the top of the screen to open the settings menu for this conversation. Click “Disappearing Messages.”

Screenshot of “disappearing messages” setting in Signal for iOS.

Android users: Click the settings (three-dot) icon in the top right corner. Click “Disappearing Messages.”

Screenshot displaying how to turn on Signal’s “disappearing messages” feature in Android.

Set the amount of time you’d like to keep the messages, from 30 seconds to four weeks, or a custom time of your choice. This works both for one-on-one conversations and group chats.

Device security

The weak points in end-to-end encrypted conversations are the “ends” — the physical devices where the messages arrive in human-readable text.

There are a few things you can do to lock down your devices.

Password protect your device

Encryption won’t help with someone who gets access to your unlocked phone, so you’ll want to password protect your device. Exit Signal and turn on a passcode.

iPhone users: Settings app > Face / Touch ID & Passcode
Android users: Settings app > Security > Screen lock

Consider turning on screen lock

A screenshot from Signal, blank except for its logo button that reads, “Unlock Signal.”

Unlocking your phone also means decrypting your messages. You can require one additional step to re-enter your password (or method of choice) before unlocking Signal.

Why might you want to do this?

It doesn’t happen every day, but unlocked phones are stolen in plain sight — while walking down the street, or on the train. Likewise, maybe you allow your son or daughter to entertain themselves on your phone, but you don’t want them to see the bizarre photos from your source.

iPhone users: Click Settings > Privacy > Screen Lock
Android users: Click Settings > Privacy > Screen Lock

Note that this wouldn’t be very helpful in a situation where someone compelled you to unlock your device once (e.g., at an airport). If they can have you enter your password at the operating system lock screen, there’s nothing to stop them from asking for it a second time at the Signal lock screen.

Turn on disk encryption

If your phone is ever lost, stolen, or seized, it’s possible to copy and read any data on the device, including your encrypted messages. The good news: You can easily protect your device with disk encryption.

If you use a modern iPhone, congratulations! Your device is already encrypted.

Many modern Android devices are encrypted by default (e.g., Pixel devices, some phones in the Nexus and Samsung Galaxy lines). Check your Android system settings for disk encryption to make sure disk encryption is enabled. If not, setting up disk encryption is easy.

Hide screen in app switcher

Two screenshots, one displaying messages in the app switcher when screen protection is disabled. The other shows no messages.

Seeing a preview of an app in your app switcher is convenient, but if someone were standing over your shoulder, they’d be able to see your messages just fine. Signal gives you options to prevent a preview from being shown, unless you explicitly open the app.

iPhone users: Click Settings > Privacy > Hide Screen in App Switcher
Android users: Click Settings > Privacy > Screen Security

Notification privacy

Even when your phone is locked with a password, anyone who picks it up can still read the message and sender name from your lock screen.

iPhone users: Settings > Notifications > Show. To receive notifications with no information about the sender or the content of your messages, turn on “No Name or Content.”

Android users: Settings > Notifications > Show. To receive notifications with no information about the sender or content, click “No name or message.”

Updates and defending against malware

You can’t be sure your messages are safe if your device or your partner’s device has malware. For example, many types of malware are designed to send screenshots of your messages, or recordings of conversations, to a remote hacker. The single best thing you can do is stay on top of your software updates. Software updates usually include security patches for holes in your software: your operating system, Signal, and any other apps you have on your phone.

Older devices that no longer receive security updates are at the greatest risk.

The temptation to delay security updates is real, but updates are among the most powerful defenses we have. You can make it much harder for an attacker to break in by simply updating as soon as possible.

Safest choice: Only use your mobile device

When thinking about how to defend against malware and keep your devices updated, it’s important to understand where you choose to put your Signal messages. Signal offers a desktop application, but it’s safer to keep your messages only on your mobile device.

While your desktop device typically allows applications to talk to one another, ordinary Android or iOS devices deliberately isolate apps. These mobile operating systems require strict permissions for the data apps can access, and when. Compared to a desktop machine, this means malicious apps have a significantly more difficult time compromising your data on an updated mobile device.

Know the limits of end-to-end encryption

Now that you’ve locked down your device, it’s important to know that Signal is closely tied to your device and no one else’s. This is generally a good thing; you don’t want other people to be able to easily recover your Signal number or messages. But if you lose your device or purchase a new one, this might create short-term problems.

For example, only using Signal on your mobile device is a security win, but means you really need to avoid losing the phone. Likewise, the “registration lock” feature prevents others from taking your Signal number, but it would also prevent you from being able to re-register your number.

One reason we like Signal is that it does not hold onto metadata — information about who spoke to whom, when, and for how long. But it’s also not designed to protect against live metadata surveillance, so it doesn’t protect your identity. Likewise, it can’t protect the identity of anyone else you talk to. It’s best to assume you are identifiable to other Signal users.

We’ve spoken about the many ways your messages can be compromised, and what you can do to be safer. But even if you’re practicing great security hygiene, if your conversational partner isn’t also being careful, they can put your messages at greater risk. Encourage others in need to lock down their Signal as well.

For news organizations looking for more hands-on assistance with encrypted messaging tools and practices, please contact us about our training options. If Signal is a service you value, consider donating to support their work.

This article was updated on June 14, 2021.

Written by Martin Shelton

Writing about security for journalists, as well as beginners. Principal researcher at @freedomofpress. freedom.press/training