Discussion

Because I am often the most paranoid person among my friends and family, I've been asked a lot of questions about @signalapp as of late. Here's the gist:

Yes, it's safe to use. But there are some easy strategies to make it even safer.

https://www.nytimes.com/wirecutter/reviews/signal-secure-messaging-app/

Wirecutter: Reviews for the Real World

Why Signal Is Still Our Favorite Secure Messaging App (And Why No Messaging App Is Perfectly Secure)

Signal’s approach to end-to-end encryption makes it especially safe for sending messages. We have some tips on how to use it, and why no messaging app is perfect.

Max "Buzzworthy" Eddy

@maxeddy@infosec.exchange replied · 3 hours ago

Some additional things I'll tack on:

Personally, I don't love having multiple devices attached to a Signal account. Especially desktop computers.

Multiple devices means multiple opportunities for someone to gain access, and having some of those devices be PCs opens you up to whole other classes of malware that could potentially nab your messages.

Runa Sandvik pointed out how it seems like biometric access on a work computer may have given the FBI access to a WaPo journalist's Signal messages. https://x.com/runasand/status/2017659019251343763?s=20

Multiple clients is great for convenience, but some friction can be a good thing.

X (formerly Twitter)

View

Max "Buzzworthy" Eddy

@maxeddy@infosec.exchange replied · 3 hours ago

As a counter example, it seems like investigators may have been stymied by an iPhone's lockdown mode.

https://www.404media.co/fbi-couldnt-get-into-wapo-reporters-iphone-because-it-had-lockdown-mode-enabled/

I want to stress that this is a very incomplete picture; there could be tools and strategies in use that we can't see. But based on what we know, limiting devices and how those devices can be accessed seems like a good strategy.

404 Media

FBI Couldn’t Get into WaPo Reporter’s iPhone Because It Had Lockdown Mode Enabled

Lockdown Mode is a sometimes overlooked feature of Apple devices that broadly make them harder to hack. A court record indicates the feature might be effective at stopping third parties unlocking someone's device. At least for now.

Max "Buzzworthy" Eddy

@maxeddy@infosec.exchange replied · 3 hours ago

I mention in the article that malware could potentially access Signal messages. This is an area where I don't know a lot of specifics, but one thing did pop up recently that I thought was interesting.

NYT and 404Media have reported on new tools purchased by DHS. From NYT:

"One of the tools, which was built by Paragon, an Israeli technology company, lets people take control of phones or remotely hack into them to read messages or track locations."

https://www.nytimes.com/2026/01/30/technology/tech-ice-facial-recognition-palantir.html

Would this include Signal messages? Is this actually in use and working as described? I don't know, but it demonstrates that there are more exotic threats to mobile device privacy.

https://www.nytimes.com

How ICE Already Knows Who Minneapolis Protesters Are

Max "Buzzworthy" Eddy

@maxeddy@infosec.exchange replied · 3 hours ago

Also, just to brag, but I've been using Signal since before it was Signal. Back then it was two apps: RedPhone and TextSecure. I covered my first Black Hat for PCMag with a stock Nexus 5 that only had those apps on it and a prepaid SIM I bought in cash.

Ah, a simpler time.

bytebro

@bytebro@mastodonapp.uk replied · 3 hours ago

@maxeddy

If only it worked reliably on older phones.

@signalapp

Max "Buzzworthy" Eddy

@maxeddy@infosec.exchange replied · 3 hours ago

@bytebro
Honestly, this is why I've never been able to get into the dumb phone/retro phone fad. It's worse for sending secure messages!

bonfire.cafe

A space for Bonfire maintainers and contributors to communicate

bonfire.cafe: About · Code of conduct · Privacy · Users · Instances

Bonfire social · 1.0.2-alpha.7 no JS en

Automatic federation enabled