Why and How to use Signal
An article discussing the use of Signal and its configuration.
I am terrified of writing. I wrestle myself over each sentence, and I use the backspace key more than any letter key. Regardless, I am so darn passionate about and mindful of personal privacy and security that I am writing about the Signal messaging application. It feels like such an effective first step for an average user, and I’m hopeful that in configuring it, a new user will learn more about security and privacy principles. The benefit of it being simple to utilize and implement is rewarding. Before Signal, you were a noob sending important information through Facebook Messenger and SMS. After installing and configuring Signal, you become James Bond.
By using Signal, you can avoid identity fraud, hackers, thieves, big brother, nearly any threat actor you can think of. However, we are only as secure as our weakest link. The only attack surface left is the security of the device of the person you’re messaging. Use random PINs and passwords, and biometrics (Face ID or fingerprints) for your phone, please!
I am not sponsored by Signal, and I do not get paid to advertise for them. It is developed by a non-profit, the Signal Foundation, which received 25% of its funding from donations in 2023. The application is free and open source. This means the code of the application can be openly read and audited by anyone. A lot of us cannot read code, but it has been independently audited by third-party security teams and proven to have no back-doors. Because of their non-profit and free and open source nature, the Signal Foundation’s motives are very different from those of Meta, Google, or any SMS carrier. Signal’s ideals are clear and plain. Meta is known to be nefarious in its actions, its code is private, and it makes all of its money from advertising. Signal makes no money from advertising. Should we really talk to each other through an advertising platform?
When it comes to configuration, even for the average person, I recommend hardening our security specifically for this app. It’s easy, it’s pretty painless, and it still leaves us with a very functional and easy to use app. It’s also good practice and may inspire someone who hasn’t paid attention to security features before to start considering them on other apps and end devices. You can leave your other messaging and social apps as they are, but we’re at least going to have a very safe and secure Signal. This creates a true safe space for anyone who wants to talk to you. I highly recommend this for couples.
Configurations
Account
PIN
Set a PIN, and make sure not to use a crappy one. Humans are bad at creating random strings of words or numbers, and we make predictable passwords and PINs. Use a random number generator or an online password generator to create a good PIN. No “1234”, “0000”, or “1984” allowed. Setting a PIN enables local encryption, which is important. Please also keep PIN Reminders on and follow the in-app prompts on your home screen to practice your PIN. I also recommend Face ID or other biometrics such as a fingerprint.
Registration Lock
Make sure this is on. This protects against attacks where your phone or phone number is compromised.
Chats
Generate Link Previews
This should be off. Links can contain malicious payloads and should be avoided. You shouldn’t open a link unless you’ve verified the Safety Number (more on that later).
Share Contact with iOS
This should be on. While you really shouldn’t let Google or Facebook see your contacts, it’s safe to let Signal do so, since, as a non-profit organization focused on privacy, we know they won’t sell our data. iOS is considered to be generally secure.
Use Phone Contact Photos
This should be on. It pulls contact photos locally from your device to display in your Signal chats. No contact photo is uploaded to Signal. You can upload a contact photo to Signal, but I don’t really think it’s necessary. However, it’s safe to do so.
Stories
You should turn this off, but it won’t hurt to leave it on. Again, this is a preferred platform for sharing stuff with friends, as we know exactly who we’re sharing it with, and we know it isn’t being used for advertising or for training large language models.
Notifications
Notification Content
Show Name Only
This is an essential setting. Leaving this on “name, content and actions” seriously undermines any security we’ve gained by using this app. If I get hold of your locked phone while someone thinks they are messaging you privately, they are wrong: the message contents are plainly visible on the lock screen. Please set this to “name only” to greatly improve our security posture.
Notify when Contact joins Signal
I like this on.
Privacy
Who can see my number
Nobody
This ensures your number isn’t found by anybody who you haven’t given it to explicitly.
Who can find me by my number
Everybody
This greatly improves ease of use of switching to Signal and is generally secure enough.
Disappearing Messages
This is completely optional; I believe everybody has the right to leave this setting at whatever they prefer. It simply sets a default for new conversations and can be configured on a per-chat basis. I prefer to set my default to one week. I think everybody should at least set it to 4 weeks, but if you want to keep your messages forever, that is your right. If you’re an activist, drug dealer, or a generally paranoid person, I would set this down to 5 minutes for any sensitive conversations.
Hide Screen in app switcher
This should be on. It makes little difference to the user and lessens our chance of data leaking through app-switcher screenshots.
Screen Lock
While optional, for people who use Face ID or a fingerprint, I recommend turning this on. I have mine set to every 30 minutes. It’s just one more layer of protection if an attacker got past your locked phone.
Payments Lock
This should be on.
Verify Safety Number
The safety number is a way to verify, with full certainty, who you’re talking to. The safety number is a long string of digits, made up of two keys, one from each contact’s device. It’s created when you start a conversation with someone. So let’s say I start a conversation with Jerry. Signal will take my key and Jerry’s key and combine them to create an identical safety number on both devices. So when I see Jerry in real life, I can ask to view his safety number and verify it’s the same as the one on my device. I can also use the QR code scanner to make this easier. Once verified, if Jerry ever gets a new phone, or deletes Signal and re-installs it on the same phone, I’ll get a notification in my chat saying the safety number has changed. This is important because now I know someone else could be impersonating Jerry by stealing his phone number or identity. I’ll need to verify the safety number again in real life, and until then I shouldn’t trust anything from that chat.
This is an optional step, but an important one. I urge you to at least verify safety numbers with your spouse or partner, and with whoever else you get the chance to see in real life. Do not verify numbers through the app itself; this defeats the purpose. You could do it through other verified and encrypted channels, but I do not recommend this. You can be 99% certain you’re actually talking to Jerry, but you won’t know it’s really him until you’ve verified his safety number in real life. This takes your certainty to 100%. I verify contacts whenever I can.
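To make the construction above concrete, here is an added example (not the article's or Signal's own code) that derives a safety number from two identity keys the way libsignal's numeric fingerprint does: each party's half is an iterated SHA-512 over its key and phone number, reduced to 30 digits, and the two halves are sorted so both phones show the same 60 digits. The keys, phone numbers and iteration count are constructed assumptions.

```python
import hashlib

# Modeled on the numeric-fingerprint construction in libsignal (version prefix,
# iterated SHA-512, 30 digits per party, both halves sorted and joined). The
# constants are this example's assumptions, not values read from the Signal app.
FINGERPRINT_VERSION = 0
ITERATIONS = 5200


def _half_fingerprint(identity_key: bytes, stable_id: bytes) -> str:
    """Thirty digits derived from one party's identity key and stable identifier."""
    data = FINGERPRINT_VERSION.to_bytes(2, "big") + identity_key + stable_id
    for _ in range(ITERATIONS):
        data = hashlib.sha512(data + identity_key).digest()
    # Six 5-byte chunks of the digest, each reduced to a 5-digit group.
    return "".join(
        f"{int.from_bytes(data[i:i + 5], 'big') % 100000:05d}" for i in range(0, 30, 5)
    )


def safety_number(my_key: bytes, my_id: bytes, their_key: bytes, their_id: bytes) -> str:
    """Sorting the two halves makes both parties compute the identical 60 digits."""
    halves = [_half_fingerprint(my_key, my_id), _half_fingerprint(their_key, their_id)]
    return "".join(sorted(halves))


def display(number: str) -> str:
    """Group into twelve blocks of five digits, the way the app shows it."""
    return " ".join(number[i:i + 5] for i in range(0, len(number), 5))


def safety_number_changed(verified: str, current: str) -> bool:
    """True when the number on record no longer matches: re-verify in person."""
    return verified != current


# Constructed sample identity keys and phone numbers (not real users).
ME_KEY, ME_ID = bytes.fromhex("05" + "11" * 32), b"+15550100001"
JERRY_KEY, JERRY_ID = bytes.fromhex("05" + "22" * 32), b"+15550100002"
JERRY_NEW_KEY = bytes.fromhex("05" + "33" * 32)  # Jerry reinstalls: fresh identity key

if __name__ == "__main__":
    verified = safety_number(ME_KEY, ME_ID, JERRY_KEY, JERRY_ID)
    print("verified in person:", display(verified))
    print("Jerry's phone shows:", display(safety_number(JERRY_KEY, JERRY_ID, ME_KEY, ME_ID)))
    after = safety_number(ME_KEY, ME_ID, JERRY_NEW_KEY, JERRY_ID)
    print("changed after reinstall:", safety_number_changed(verified, after))
```

The reinstall case is what triggers the "safety number has changed" notice in the chat: only Jerry's identity key changed, yet the whole 60-digit number differs and must be compared again in person.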
Congratulations! You now have a secure and private means to communicate with whomever you like, free of any data mining or surveillance. You can now speak freely and securely. Email and SMS are insecure for private conversations! Use Signal instead!