Security made simple: RedPhone and TextSecure rolled into Signal for Android

News
Nov 03, 2015 | 4 mins
Android, Data and Information Security, Mobile Apps

If you like your privacy and encryption made easy, then consider Signal, a Snowden-endorsed app for secure texting and calls.

If you want to make free, worldwide encrypted calls, then you should consider using Signal; it supports encrypted texting too.

While iPhone users have had the option to use Signal since last year, yesterday Open Whisper Systems founder Moxie Marlinspike announced that TextSecure and RedPhone have been rolled into one Signal for Android app.

Signal is so super easy to use, even your granny can make private calls and send private texts. Cryptography researcher Matt Blaze previously tweeted about overhearing an elderly gentleman explaining how to install Signal; Blaze called it a “turning point.”

Yet installing Signal is not a complicated process for people of any age, and using it is “just as straightforward as normal calling and texting.” Wired called the combination of RedPhone and TextSecure into one app “a milestone” in “privacy programs’ idiot-proof interface.”

The private messaging side of Signal allows users to send messages, pictures, and video messages to groups as well as individuals. Open Whisper Systems explained, “We cannot read your messages, and no one else can either. Everything is always end-to-end encrypted and painstakingly engineered in order to keep your communication safe.”

“Privacy is possible, Signal makes it easy,” wrote Marlinspike.

As always, Signal uses your existing phone number and address book. There are no separate logins, usernames, passwords, or PINs to manage or lose.

We cannot hear your conversations or see your messages, and no one else can either. Everything in Signal is always end-to-end encrypted, and painstakingly engineered in order to keep your communication safe.

Security expert Bruce Schneier is quoted as saying, “I am regularly impressed with the thought and care put into both the security and the usability of this app. It’s my first choice for an encrypted conversation.”

Cryptographer Matt Green also delivered high praise, saying, “After reading the code, I literally discovered a line of drool running down my face. It’s really nice.”

Even Edward Snowden endorsed Signal, claiming to use it daily.

Although Snowden loves Signal, a user on the subreddit NetSec posted the following public service announcement: “Signal for Android (replaced RedPhone+TextSecure yesterday) currently comments out ZRTP key continuity code. Verify the SAS at the start of every call!”

After placing a call, users have long been advised to read the Short Authentication String (SAS) to each other in order to ensure there is no man-in-the-middle attack occurring. When two people are using Signal for a call, two words are displayed on each of their screens. They should say the words to make sure they match; if the words don’t match, then it indicates a man-in-the-middle attack.
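The word comparison described above, as an added example (not Signal's or ZRTP's code): a toy Diffie-Hellman exchange in Python where each side derives two words from the key material it actually saw. The group parameters, the syllable-based word encoding, the constructed keys and all function names are assumptions made for illustration; ZRTP uses its own key derivation and word list.

```python
import hashlib

# Toy Diffie-Hellman group, for illustration only (assumed; not ZRTP's or Signal's parameters).
P = 2**255 - 19
G = 2
# 16 syllables, one per 4-bit nibble, so one byte renders as a four-letter pseudo-word.
SYLLABLES = [c + v for c in "bdfgklmn" for v in "ao"]

def constructed_key(label):
    """Deterministic private key built from a label (constructed sample data)."""
    return int.from_bytes(hashlib.sha256(label).digest(), "big")

ALICE, BOB, RELAY = (constructed_key(s) for s in (b"alice", b"bob", b"relay"))

def public_key(private):
    return pow(G, private, P)

def sas_words(my_private, their_public, caller_pub, callee_pub):
    """Two words from the shared secret plus both public keys as this side saw them."""
    secret = pow(their_public, my_private, P)
    h = hashlib.sha256()
    for value in (secret, caller_pub, callee_pub):
        h.update(value.to_bytes(32, "big"))
    return tuple(SYLLABLES[b >> 4] + SYLLABLES[b & 0x0F] for b in h.digest()[:2])

def call(alice_priv, bob_priv, relay_priv=None):
    """Return (alice_words, bob_words); relay_priv models an in-path key substitution."""
    a_pub, b_pub = public_key(alice_priv), public_key(bob_priv)
    if relay_priv is None:
        seen_by_alice, seen_by_bob = b_pub, a_pub
    else:
        seen_by_alice = seen_by_bob = public_key(relay_priv)
    alice = sas_words(alice_priv, seen_by_alice, a_pub, seen_by_alice)
    bob = sas_words(bob_priv, seen_by_bob, seen_by_bob, b_pub)
    return alice, bob

if __name__ == "__main__":
    for label, relay in (("direct call", None), ("relayed call", RELAY)):
        alice, bob = call(ALICE, BOB, relay)
        print(label, alice, bob, "MATCH" if alice == bob else "MISMATCH: hang up")
```

Because the words are bound to the keys each endpoint received, a party in the middle that swaps keys leaves the two callers with different words, which is exactly what reading them aloud detects.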

Android TextSecure users should expect a new update which will rename the app as Signal. It has the same messaging functionality as TextSecure, but adds the ability to make private calls as well. Android RedPhone users will be notified to install Signal instead; users with both Signal and RedPhone installed can simply uninstall RedPhone.

Android Signal app permissions

Unless you have Android 6.0 Marshmallow, which allows you to fine-tune and turn off permissions, Android’s app permission ecosystem is still a nightmare. If you choose to use Signal on an older Android platform, expect Signal to ask for access to:

Device & app history: read sensitive log data.

Identity: find accounts on the device, modify your own contact card, read your own contact card.

Calendar: add or modify calendar events and send email to guests without owners’ knowledge, read calendar events plus confidential information.

Contacts: read your contacts, modify your contacts.

Location: precise location (GPS and network-based), approximate location (network-based).

SMS: edit your text messages (SMS or MMS), receive text messages (SMS), send SMS messages, read your text messages (SMS or MMS), receive text messages (MMS).

Phone: write call log, read call log, modify phone state, directly call phone numbers, reroute outgoing calls, directly call any phone numbers.

Photos/Media/Files: modify or delete the contents of your USB storage, read the contents of your USB storage.

Camera: take pictures and videos.

Microphone: record audio.

Wi-Fi connection information: view Wi-Fi connections.

Device ID & call information: read phone status and identity.

Other: receive data from Internet, send WAP-PUSH-received broadcast, control vibration, run at startup, use accounts on the device, pair with Bluetooth devices, send sticky broadcast, connect and disconnect from Wi-Fi, create accounts and set passwords, change network connectivity, prevent device from sleeping, set wallpaper, disable your screen lock, read sync settings, toggle sync on and off, view network connections, change your audio settings, full network access.

If that sort of freaks you out and you want to poke around, Open Whisper Systems posted its free, open source code on GitHub. If you are inclined to install the new Signal Android app, you can find it in the Google Play store.

Ms. Smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.