What is Signal and is it secure?

Signal has long been a go-to messaging service for users especially concerned about communications secrecy – Copyright AFP Lionel BONAVENTURE

Signal, an end-to-end encrypted messaging app long considered one of the most secure in the world, has recently faced attacks from hackers accused of links to Russia.

Top German officials on Saturday blamed Moscow-backed groups for phishing attacks targeting senior politicians on the messaging app, raising questions about how secure Signal really is.

Similar phishing cases have been reported by Dutch and American users, with Google in February sounding the alarm over cyberattacks from Russia-aligned groups.

But what makes Signal different from other messaging apps, and how could one of the world’s most secure messaging apps be so widely targeted?

– How does it work? –

Signal’s end-to-end encryption means that any sent message travels in a scrambled form and can only be deciphered by the end user. 

Nobody in between — not the company providing the service, not the internet provider, nor hackers intercepting the message — can read the content because they don’t have the keys to unlock it.

Signal is not the only messaging service to do this, but unlike WhatsApp and Apple’s iMessage, the app is controlled by an independent non-profit — not a big tech behemoth motivated by revenue. That has won it more trust with those concerned about privacy.

Signal also goes further than WhatsApp on data privacy, making metadata such as when the message was delivered and its recipient invisible even to the company itself.

And WhatsApp shares information with its parent company Meta and third parties, including phone numbers, mobile device information, and IP addresses.

For these reasons, Signal has long been a go-to messaging service for users particularly concerned about communications secrecy, such as people working in security professions, journalists, and their sources.

– Who owns Signal? –

Founded in 2012, Signal is owned by the Mountain View, California-based Signal Foundation. 

Its history is linked to WhatsApp: the site was founded by cryptographer and entrepreneur Moxie Marlinspike, with an initial $50 million from WhatsApp co-founder Brian Acton.

Both Signal and WhatsApp, which was bought by Mark Zuckerberg in 2014, are based on the same protocol built by Marlinspike.

“We’re not tied to any major tech companies, and we can never be acquired by one either,” Signal’s website reads. Development is mainly supported by grants and donations.

Very outspoken compared to other Silicon Valley bosses, Signal’s president is Meredith Whittaker, who spent years working for Google and is a fierce critic of business models built on the extraction of personal data.

– Was Signal hacked? –

Signal’s encryption itself has not been broken. 

Cyberattackers accused of Russian links did not target the encryption system directly.

Instead, recent attacks relied on phishing — tricking users into handing over access to their accounts.

The attacks work by sending messages purporting to come from Signal support, like fake security alerts or invites to join group chats. 

Once users click on these links or enter sensitive account information, attackers can then gain access to messages and chat groups. 

This means hackers gain access to data shared on Signal and can also impersonate the person whose account was compromised.

Signal did not immediately respond to requests for comment on the recent attacks.