For over ten years, Signal Messenger has been widely recognized as one of the very best secure messaging apps due to its powerful encryption and privacy features.
However, a recent controversy, in which senior White House officials using the messaging app inadvertently added an unauthorized party to a Signal group chat, has raised questions as to whether Signal is the best option for private communication. The incident has become known as ‘Signalgate’.
In this guide, we’ll explore the history of the Signal messaging app, as well as how its security features compare to the likes of WhatsApp and Telegram.
What is Signal Messenger?
Signal is the successor to ‘TextSecure’ – an Android app designed by Whisper Systems to send secure, end-to-end encrypted messages.
Signal itself was founded in 2014 by famed cryptographer and Whisper Systems co-owner Matthew Rosenfeld (better known by his online pseudonym ‘Moxie Marlinspike’).
In 2018, Moxie created the non-profit Signal Foundation with WhatsApp co-founder Brian Acton, who provided initial funding of $50 million.
Users must have an iOS or Android device to create a Signal account, as a cell phone number is required for registration. However, there are also desktop versions of Signal for Windows, macOS, and most Linux distributions.
As of early 2025, Signal has been downloaded 220 million times and has around 70 million active users.
After the Atlantic broke the ‘Signalgate’ scandal in late March 2025, Signal downloads on both iOS and Google Play jumped 28% from the daily average compared to the previous month. In the USA alone, Signal downloads spiked by 45%.
How Signal encryption works
Signal uses the ‘Signal protocol’. This was originally developed in 2013 by Open Whisper Systems and used in TextSecure before being included in the modern Signal app.
The protocol has gone through various versions but the current release has been extensively audited by experts and found to be cryptographically sound.
Features of the Signal Protocol
End-to-end encryption (E2EE)
This lies at the heart of Signal’s security. The protocol can create separate encryption keys to encode and decode communications. The ‘private’ key used to decrypt data like messages never leaves your device.
This means that only the sender and the recipient can access the contents of a message. Even if a hacker or disgruntled employee were to access Signal’s servers, they’d only see the encrypted data.
Perfect Forward Secrecy (PFS)
The Signal Protocol uses the ‘Double Ratchet Algorithm’ to create and manage ‘ephemeral’ encryption keys. In plain English, this means that if the encryption keys for one session are compromised, these can’t be used to decrypt past messages.
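The forward-secrecy property described above can be seen in a small model of the symmetric half of the Double Ratchet. This is an added example, not Signal's code: the HMAC constants follow the public Double Ratchet specification's suggested chain-key KDF, the XOR cipher is a toy stand-in for real authenticated encryption, and the shared secret and messages are constructed. The Diffie-Hellman half of the ratchet is left out.

```python
import hashlib
import hmac

def kdf_chain_step(chain_key):
    """One ratchet step: derive a message key and the next chain key (one-way)."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key

def toy_xor_cipher(message_key, data):
    """Toy stand-in for an AEAD: XOR with an HMAC-derived keystream."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        block = counter.to_bytes(4, "big")
        stream += hmac.new(message_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class ChainState:
    """What a device keeps: only the current chain key, never old message keys."""
    def __init__(self, chain_key):
        self.chain_key = chain_key

    def next_message_key(self):
        self.chain_key, message_key = kdf_chain_step(self.chain_key)
        return message_key

def demo_forward_secrecy():
    # Constructed shared secret; in the real protocol it comes from a key agreement.
    shared = hashlib.sha256(b"constructed shared secret").digest()
    sender, receiver = ChainState(shared), ChainState(shared)
    plaintexts = [b"msg one", b"msg two", b"msg three"]
    ciphertexts = [toy_xor_cipher(sender.next_message_key(), p) for p in plaintexts]
    decrypted = [toy_xor_cipher(receiver.next_message_key(), c) for c in ciphertexts]

    # Simulated compromise: the receiver's state is copied after three messages.
    stolen = ChainState(receiver.chain_key)
    attacker_keys = [stolen.next_message_key() for _ in range(100)]

    # Recompute the earlier keys from the original secret (which a real device
    # has already discarded) purely to check them against the attacker's keys.
    replay = ChainState(shared)
    past_keys = [replay.next_message_key() for _ in plaintexts]
    leaked_past = any(key in attacker_keys for key in past_keys)
    attacker_attempt = toy_xor_cipher(attacker_keys[0], ciphertexts[0])
    return decrypted, leaked_past, attacker_attempt

if __name__ == "__main__":
    decrypted, leaked_past, attempt = demo_forward_secrecy()
    print("receiver decrypted:", decrypted)
    print("past keys derivable from stolen state:", leaked_past)
    print("attacker's attempt on first message:", attempt)
```

The stolen chain key only moves forward: every key the attacker derives belongs to a later message, so ciphertexts recorded before the compromise stay unreadable.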
Minimal metadata
Even using PFS and E2EE, someone monitoring conversations may be able to glean useful metadata, like who was talking and the time chats took place. Moxie Marlinspike has explained that Signal only keeps minimal metadata on communications, namely the day on which a user last connected to its servers.
In 2018, Signal also introduced a feature named ‘sealed sender’. This feature can further obscure metadata by encrypting certain sender IDs. This makes it much harder for bad actors to prove that two specific contacts have exchanged messages.
Open-source approach
Both the Signal client app and the Signal protocol itself are open-source. This means the code is available for public review, so cryptography experts can check it for security flaws. This also makes it much less likely that the app can contain a coded ‘backdoor’, as some governments like the UK have tried to force on other platforms.
What makes Signal’s encryption different from WhatsApp and other messengers?
In theory, WhatsApp uses the Signal Protocol so communications like messages should provide the same level of security as Signal itself. Meta also claims that Facebook Messenger’s “Secret Conversations” feature secures messages using the protocol.
In reality, both WhatsApp and Facebook Messenger are proprietary software. Although Moxie Marlinspike correctly implemented the Signal Protocol in WhatsApp in 2014, there’s no easy way for independent experts to verify that the protocol is still working correctly in such closed-source apps.
This is why we recommend open-source software like Signal for secure communications. Unlike popular alternatives like WhatsApp, Signal’s developers also try to collect only minimal amounts of metadata, further protecting your privacy.
Signal’s security features
Besides implementing the Signal protocol and logging minimal metadata, Signal has several key features to boost message security:
Disappearing messages
This feature will erase Signal messages from all your devices after a specified amount of time. It can be accessed via Signal’s Privacy settings. Default periods are supported, e.g. 1 hour, or you can set a custom time.
Group chat security
Unlike other popular secure messaging solutions like Telegram, Signal group chats are protected using end-to-end encryption. It distributes the ‘Sender Key’ component of the Signal Protocol to group members to do this, in the same way as WhatsApp. Naturally, all members can see group chat messages, which is why it’s so important to only add authorized contacts.

Safety numbers
If you’re exchanging secure, E2EE messages with a contact, your Signal chat is assigned a unique safety number. This feature protects against MITM (man-in-the-middle) attacks, whereby a rogue device sits between you and your contact. If this happens, they can exchange encrypted messages with you, decode them and then forward them between you and the recipient.
If a contact seems to be using a new device or a different version of Signal than before, the safety number will change. By checking that their safety numbers match, users can be sure that their conversations are fully encrypted end-to-end.
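Why comparing safety numbers exposes an interposed device can be shown with a simplified model. This is an added example, not Signal's implementation: the iterated SHA-512 scheme, the iteration count, the 60-digit layout, the identifiers, and the keys are all assumptions constructed for illustration.

```python
import hashlib

ITERATIONS = 5200  # assumed work factor for this sketch

def fingerprint(identity_key, user_id):
    """Derive a 30-digit fingerprint from one party's identity key and identifier."""
    digest = b"\x00\x00" + identity_key + user_id
    for _ in range(ITERATIONS):
        digest = hashlib.sha512(digest + identity_key).digest()
    chunks = (digest[i:i + 5] for i in range(0, 30, 5))
    return "".join(f"{int.from_bytes(c, 'big') % 100000:05d}" for c in chunks)

def safety_number(key_a, id_a, key_b, id_b):
    """Combine both fingerprints in sorted order so each side gets the same value."""
    halves = sorted([fingerprint(key_a, id_a), fingerprint(key_b, id_b)])
    return "".join(halves)

def constructed_key(label):
    """Constructed 32-byte stand-in for a public identity key."""
    return hashlib.sha256(label).digest()

def demo_safety_numbers():
    alice = constructed_key(b"alice identity key")
    bob = constructed_key(b"bob identity key")
    relay = constructed_key(b"interposed device key")

    # Direct session: each side holds the other's genuine identity key.
    honest_alice = safety_number(alice, b"alice", bob, b"bob")
    honest_bob = safety_number(bob, b"bob", alice, b"alice")

    # Intercepted session: each side was handed the relay's key instead.
    mitm_alice = safety_number(alice, b"alice", relay, b"bob")
    mitm_bob = safety_number(bob, b"bob", relay, b"alice")
    return honest_alice, honest_bob, mitm_alice, mitm_bob

def numbers_match(mine, theirs):
    """The check users perform out of band, e.g. in person or on a call."""
    return mine == theirs

if __name__ == "__main__":
    ha, hb, ma, mb = demo_safety_numbers()
    print("direct session match:     ", numbers_match(ha, hb))
    print("intercepted session match:", numbers_match(ma, mb))
```

The comparison only helps when it happens over a channel the interposed device does not control, which is why the numbers are checked in person or by scanning a code.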
Screen lock
One of the easiest ways to break end-to-end encryption is to compromise one of the ends. This means if your device is seized or stolen, bad actors can try to access Signal messages stored on your device.
Fortunately, Signal’s Privacy settings support ‘Screen Lock’, whereby you can lock the app when not in use after a specified amount of time e.g. one minute. Users can also hide Signal from the App Switcher on iOS devices.
Why do people use Signal?
The main reason people use Signal is due to its features, which emphasize privacy and security.
Experts like NSA whistleblower Edward Snowden and tech guru Elon Musk have repeatedly recommended using the app.
Others who regularly use Signal include:
Journalists
Atlantic Editor-in-Chief Jeffrey Goldberg has a Signal account, which is how he was accidentally added to a Signal group chat discussing USA war strategies in Yemen. Other journalists, particularly those in conflict zones, find Signal useful for secure communications as messages can’t be decrypted in transit.
Human rights groups
While the ‘Houthi PC small group’ in Signal was set up and maintained by White House officials, the app is also used by NGOs like human rights groups. It’s particularly useful in oppressive regimes, as Signal can securely record and transmit evidence of human rights abuses. If a country practices extensive Internet censorship, it’s also very difficult to decode messages or identify senders by their metadata.
Government officials
Although Signal isn’t authorized for discussion of classified data in the US, the Department of Homeland Security released a guide in 2024 recommending the app to senior officials as a way to stay safe from foreign hackers.
Members of other governments like the UK sometimes use Signal, though once again the app isn’t allowed for sharing sensitive information.
Handling sensitive communications
The reluctance of government employees to use Signal for discussing information like war plans or other national security issues doesn’t speak to the security of the app itself.
It’s just that personal devices are generally not considered to be secure, as it’s relatively easy to infect them with malware.
Instead, most governments require sensitive communications of this kind to take place on official, government-secured phones or by using devices in a SCIF (Sensitive Compartmented Information Facility). These structures contain extra security features like Faraday cages to block remote transmissions and spying.
Recent Signal security concerns and controversies
Cryptography experts generally agree that Signal offers very robust online security. However, it can still be undermined by being used improperly and/or if the device on which the app is installed is compromised.
Some recent notable security incidents involving Signal include:
The Twilio incident (2022)
In Summer 2022, Twilio, a company that provided Signal with phone number verification services, was the victim of a phishing attack. This was quickly shut down by Twilio but not before the numbers of around 1900 Signal users were exposed. The users were quickly informed and prompted to re-register Signal on their devices.
The hackers had no access to users’ message histories, contacts, or profile information. However, during the short window that the user details were exposed, bad actors could have tried to hijack the SMS verification to register a Signal account to another device. In that case, sensitive user information could have been exposed.
Signal users can prevent attacks like this in the future by enabling ‘registration lock’. This feature prevents Signal accounts from being used on a new device for seven days.
Linked devices exploit (2025)
In February 2025, the NSA released documents warning about Russian hacking groups that were attempting to exploit the ‘linked devices’ feature of Signal.
Signal responded to this, pointing out that the supposed vulnerability wasn’t fundamental to the software’s core tech but was a sophisticated phishing attack.
For instance, Russian threat actors were allegedly attempting to trick Ukrainian soldiers with fake QR codes containing supposed Signal chat invites. In reality, the QR code links another device to the target’s Signal account. This would allow bad actors to spy on a user’s messages.
Signal has addressed this by introducing a feature that warns users when they’re adding a new device, then prompts them at random intervals to confirm that they still want to link it to their account. Users must also now provide authentication, e.g. Face ID, to link new devices.
Signalgate (2025)
Perhaps the best-known Signal scandal of all time. From 03/11/25 – 03/15/25, US national security leaders used a Signal group chat to discuss imminent military operations against Houthi rebels in Yemen.
This conversation was leaked when National Security Advisor Mike Waltz or one of his aides accidentally added Jeffrey Goldberg, the editor-in-chief of the American magazine The Atlantic, to the group.
Goldberg published a redacted transcript of the conversation on 03/24/25. President Trump later acknowledged that Signal was the “best technology for the moment”, although it isn’t specifically authorized for discussing classified information.
Initially, Mike Waltz tried to claim that Goldberg had added himself to the group chat, but later publicly took full responsibility for what happened, as the journalist had been in his Signal contacts.
Just as with the Russian hacking groups targeting people in phishing attacks, Signalgate didn’t reveal any vulnerabilities in the software’s core security. As with any secure messaging app, group chat admins must make sure that only authorized members are added if they want to keep their conversations private.
Signal’s effectiveness in real-life scenarios
While Signal is one of the most secure messaging apps available, it isn’t infallible.
As Mike Waltz found out the hard way, end-to-end encryption and minimal metadata can’t protect sensitive information if you accidentally send it to the wrong contact, or in this case add the wrong person to a group chat.
If your device is remotely hacked and/or compromised by spyware, bad actors can carry out exploits like logging your key presses or recording screenshots to monitor private chats.
This vulnerability isn’t specific to Signal but to all personal devices like cell phones and laptops.
This is why government agencies usually insist that sensitive communications are carried out on dedicated, vetted hardware.
Signal vs. other messengers
While there are many supposedly secure messaging apps available, Signal’s most popular rivals are WhatsApp and Telegram. The three platforms differ in important ways:

Data handling and user privacy
Signal stands out when it comes to managing data compared to other messaging platforms.
For example, Telegram’s privacy policy states that it can store information like your IP address, username history, and apps you’ve used for up to 12 months. Telegram has also agreed to provide sensitive user information like IP addresses in response to ‘legitimate’ requests from law enforcement.
Signal’s privacy policy, by contrast, states that it only retains the minimal amount of technical information on users that is necessary to maintain the platform. It proved its bona fides in 2021 in response to a US search warrant. Although the warrant stipulated information like the user’s IP address and chat history, Signal only provided the information it had: the date the account was created and when it had connected to the platform.
Signal still requires a phone number capable of receiving SMS messages upon registration. Users can also create a dedicated username to make it easier for others to find them and start conversations.
This is also a great way to keep your phone number private, as unlike WhatsApp and Telegram your phone number isn’t visible to all users by default. You can also provide your username instead of your phone number to allow others to contact you on Signal.
Signal Messenger’s transparency and trust
One of the principal reasons that cybersecurity experts around the world trust Signal is due to its use of open-source code.
This allows experts to conduct independent audits, as well as make suggestions on how to improve the code to remove security bugs.
As the Signal Foundation is run on a not-for-profit basis, monetizing users’ data for profit would also go against the creators’ mission. This is in contrast to for-profit companies like Meta that focus on profiting from software like WhatsApp.
Despite Signal’s commitment to open-source, it has recently closed off part of its server code. This relates to spam detection. Signal has explained this is necessary to prevent bad actors from sending unwanted messages.
In practice, even if the server code was fully closed-source, it wouldn’t affect the security of the Signal protocol. Similarly, even if the entire Signal server source code was published, there’d be no easy way to verify that the version online is the same software being run on Signal’s servers.
In terms of transparency, the most important aspect is that the Signal client’s source code is publicly available. This means it’s easy to see that end-to-end encryption is being implemented correctly.

Potential risks and vulnerabilities
As we’ve learned, if your device is compromised then your Signal data could be exposed. Other risks in using Signal include:
Unauthorized parties accessing Signal groups
Any messages or media sent to a Signal group chat are automatically sent to all members. This means if an unauthorized party is added by accident (as was the case for Jeffrey Goldberg), the chat could be leaked.
Remote hacking
Although it’s unlikely that a hacker will target you specifically, a skilled bad actor could technically try to trace your device via its IP address and then try to access it remotely. You can mitigate the risk of this by using a trusted VPN service like hide.me to hide your IP address.
No cloud backups
Unlike WhatsApp, Signal doesn’t currently support saving data like your chat history to the cloud. This means if your device is lost, stolen, or wiped then you may lose your account information. You can back up and restore messages locally though.
Should you still trust Signal Messenger?
Security experts like Bruce Schneier have pointed out that using apps like Signal on personal devices like commercial smartphones isn’t a safe way to exchange sensitive government communications.
Still, the very fact that US government officials felt safe using Signal is a great endorsement of its security – even if it was breached by human error.
The Signal community maintains an extensive list of security audits – both of the app itself and its underlying technology like the ‘Double Ratchet’ algorithm. This also includes an independent audit of the Android version of Signal, which detailed that forensic examination of devices failed when the ‘screen lock’ feature was correctly set up.
Privacy-focused organizations like the EFF (Electronic Frontier Foundation) also regularly endorse Signal as a secure messaging solution. The EFF’s most recent Signal guide was updated on 03/26/25 and includes how to tweak app settings for maximum security e.g. by disabling sending link previews.
Privacy-minded users need to pay careful attention to settings like these, particularly when it comes to adding members to group chats and linking additional devices to a Signal account.
Above all, remember that while alternatives like WhatsApp might have additional features, Signal is the top choice when it comes to protecting your privacy.
FAQ
Yes. Signal is widely recognized by security experts to be an excellent choice for secure messaging, due to its use of open-source end-to-end encryption protocols and minimal collection of metadata.
Signal stores very little data about users like when an account last connected. Sensitive information like chat history is stored locally on devices. This means that even if a server was breached, it would reveal very little user information.
The Signal protocol itself is considered to be very secure, meaning even governments can’t break the encryption on messages by analyzing data traffic. However, if a state actor compromises your device they may be able to access Signal data like chat history.
Yes. It adopts an open-source approach to its implementation of the Signal encryption protocol so the code can be reviewed for vulnerabilities. The Signal Foundation is not-for-profit so doesn’t try to monetize user data. The app also sends only minimal metadata to Signal’s servers.
When you first register a Signal account, you’ll need a phone number that can receive an SMS verification code. You can use a ‘burner’ number e.g. from Google Voice if you wish. Once your account is set up, you can choose a Signal username. You can give this to others instead of your number so they can find you on the platform.
Yes. When you use a reliable VPN service like hide.me your device establishes an encrypted connection to the VPN server. As all traffic is encrypted, this means that anyone monitoring your connection won’t detect you’re using Signal. Connecting via the VPN server also masks your device’s IP address, making it much harder for bad actors to trace your location.