In the Privacy menu, you can enable additional security features, including a screen lock with the timeout of your choice, requiring your Android biometric or code unlock to open it, a screenshot blocker of the kind used to protect against certain types of malware and incognito keyboard mode.
For proper privacy, you should enable that last one, as it prevents learning keyboards such as Google’s Gboard from phoning home with data about what you’ve typed.
Scroll down to the Communication heading, and you’ll be able to relay all voice calls through the Signal server, concealing your IP address at the cost of call quality, disable read receipts and typing indicators so your chat partners can’t tell that you’ve received or are writing a message, and turn off link previews. Signal’s handling of link previews is built with security in mind – Signal says its technical infrastructure never sees the link that is sent.
While most of Signal’s features are reasonably apparent as you browse through its settings, its Sealed Sender technology benefits from a little more explanation: this adds an extra layer of encrypting to the message delivery process, not only encrypting the message and user profile but additionally encrypting the metadata package used to identify the sender so it’s only decrypted on arrival. The intention is to keep correspondents’ identities secure against any potential interception attempts. This is a feature aimed at the very privacy conscious.
Even when your messages are end-to-end encrypted, the text of your communications is only as secure as the device they’re stored on. If your device is compromised, either physically or remotely, you can kiss your privacy – and that of the messages others have sent you – goodbye. Working out if your accounts have been hacked is costly in terms of your time as well as data and privacy.
One potential threat vector that’s gained recent attention, highlighted by technologist Naomi Wu, is that your smartphone’s keyboard app could be compromised. This would negate the security of pretty much every communications app on your phone.
Signal has some internal mitigation for this in the form of its keyboard incognito mode, which prevents keyboard apps from retaining what you type. But if you don’t trust your current keyboard app, or are concerned that it could be compromised, you can install an open-source alternative, which opens the code up to community auditing, at least.
Simple Keyboard, OpenBoard, AnySoftKeyboard and Hacker’s Keyboard, all available via the open source F-Droid app store, are lightweight, low-permissions alternative keyboards with published source code. F-Droid apps don’t auto-update by default, which further helps to prevent supply chain attacks.
As users, we should demand and expect end-to-end encryption for all our messaging, across all platforms and providers. The fact that I might exclusively use my messenger to send shopping lists and cat photos doesn’t mean that my privacy isn’t important.
Fortunately, Signal is simple, approachable and works beautifully as a day-to-day messaging app. But encrypted messaging should never be allowed to become the exclusive domain of a special app that’s treated as both the go-to choice for secure communications and a sign that someone may have something to hide.
Your privacy and security has intrinsic value, and end-to-end encryption needs to become the minimum standard for online communication, not its apex.
More great stories from WIRED
The UK can’t even keep track of its spiralling Covid-19 case numbers
Inside the race to stop the next pandemic
? Gyms are closed so which workout app is better? Apple Fitness+ vs Peloton vs Fiit