C

Signal

Notable issues
Signal Technology Foundation · 🇺🇸 United States
Technical details
App: org.thoughtcrime.securesms
Manufacturer: Signal Technology Foundation

The bottom line

Signal is the most private messenger available, but it still requires a real phone number to sign up. In August 2022, a breach at Twilio, the provider Signal used to send SMS verification codes, exposed the phone numbers of approximately 1,900 Signal users, and the attacker re-registered at least one victim's account. Because an account is tied to a phone number, a single breach at a third-party company can compromise the identity of users of the most secure messenger on Earth. Signal Desktop also stored the key to its local message database in a plaintext file for six years, readable by any process running as the logged-in user. Signal said it wasn't a real problem, then quietly fixed it after the story went viral.

Legal jurisdiction
🇺🇸 United States (headquarters)
CLOUD Act: the US government can demand your data from this company even if it is stored overseas.
FISA §702 / PRISM: the NSA collects stored emails, photos and messages from US providers without individual warrants.
Geofence warrants: police can demand location data for everyone near a crime scene.
Scores
Spying: 2/4 MODERATE (Is someone spying on me?)
Data Sharing: 3/4 HIGH (Who gets my data?)
Security: 4/4 EXTREME (Is it actually secure?)
Honesty: 2/4 MODERATE (Can I trust what they say?)
Verdict: REPLACE. Extreme risk. Look for alternatives or lock down hard.
Subpoenaed twice, could only produce two timestamps.
10 contradictions: 0 critical, 4 high, 5 medium, 1 low. 7 sources.
Findings by concern
Spying 2/4 MODERATE (2 findings)
⚡ High · firmware analysis vs policy claims
Signal Desktop stored the key to its local message database in a plaintext file for six years. Any malware running as your user could read it, and with it your entire message history. Signal said it wasn't a real problem, then quietly fixed it after the story went viral.

What they claim: Signal provides E2E encryption across all platforms, keeping data secure.

What we found: Signal Desktop stored the SQLCipher key for its message database as plaintext in config.json for about six years (2018-2024). Any process running as the logged-in user could read the file and decrypt the database; no elevated privileges or exploit were needed. Signal's president dismissed the concern, arguing that an attacker with that level of access could already read the user's files. The key was moved into the operating system's credential store only after Elon Musk amplified the issue on X in July 2024.
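As an added check (editor's example, not Signal's code and not part of this report), the script below classifies a Signal Desktop config.json as carrying a plaintext SQLCipher key, a wrapped key, or neither, and flags the Electron `basic_text` wrapping backend, which protects the key with a fixed built-in password and so only obfuscates it. The `encryptedKey` and `safeStorageBackend` field names are assumptions based on the fixed client; the profile paths are Signal Desktop's defaults. The sample config bodies are constructed, not real keys.

```python
import json
import os
import stat

# Default Signal Desktop profile locations; config.json lives in that folder.
SIGNAL_CONFIG_PATHS = [
    os.path.expanduser("~/.config/Signal/config.json"),                      # Linux
    os.path.expanduser("~/Library/Application Support/Signal/config.json"),  # macOS
    os.path.join(os.environ.get("APPDATA", ""), "Signal", "config.json"),    # Windows
]

HEX_DIGITS = set("0123456789abcdefABCDEF")


def classify_config(text: str) -> dict:
    """Classify the body of a Signal Desktop config.json.

    'plaintext-key' : a 64-hex-char `key` field, i.e. the raw 32-byte SQLCipher
                      key exactly as the pre-July-2024 client wrote it.
    'encrypted-key' : an `encryptedKey` field (key wrapped via the OS credential
                      store). Field name is an assumption based on the fixed client.
    'no-key'        : neither present.

    weak_backend is True when `safeStorageBackend` (assumed field name) reports
    Electron's 'basic_text' fallback, which wraps with a fixed built-in password.
    """
    cfg = json.loads(text)
    key = cfg.get("key")
    if isinstance(key, str) and len(key) == 64 and set(key) <= HEX_DIGITS:
        return {"status": "plaintext-key", "weak_backend": False}
    if isinstance(cfg.get("encryptedKey"), str):
        backend = cfg.get("safeStorageBackend", "")
        return {"status": "encrypted-key", "weak_backend": backend == "basic_text"}
    return {"status": "no-key", "weak_backend": False}


def loosely_readable(path: str) -> bool:
    """POSIX only: True if group or others have read permission on the file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_paths(paths=SIGNAL_CONFIG_PATHS) -> list:
    """Check every existing config.json in `paths`; returns one dict per file."""
    findings = []
    for path in paths:
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8") as fh:
            result = classify_config(fh.read())
        result["path"] = path
        result["loosely_readable"] = os.name == "posix" and loosely_readable(path)
        findings.append(result)
    return findings


# Constructed samples for demonstration; not real keys or real config files.
SAMPLE_PRE_FIX = '{"key": "' + "ab" * 32 + '", "theme-setting": "system"}'
SAMPLE_POST_FIX = '{"encryptedKey": "opaque-wrapped-key", "safeStorageBackend": "gnome_libsecret"}'
SAMPLE_WEAK = '{"encryptedKey": "opaque-wrapped-key", "safeStorageBackend": "basic_text"}'

if __name__ == "__main__":
    for label, sample in (("pre-fix", SAMPLE_PRE_FIX), ("post-fix", SAMPLE_POST_FIX), ("weak", SAMPLE_WEAK)):
        print(f"{label:9s} {classify_config(sample)}")
    for finding in audit_paths():
        print(finding)
```

Run it on a machine with Signal Desktop installed and it reports each profile it finds. A `plaintext-key` result on a current client means the install never migrated; a `weak_backend` result on Linux means no keyring was available at first launch and the wrapped key is recoverable by anyone who can read the file.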

⚫ Medium · firmware analysis vs policy claims
Signal rebuilt its group system for reliability, but the new design keeps encrypted group state on the server, which exposes more metadata than before: approximate group size, when members fetch or change the group, and which connecting IP addresses belong to admins.

What they claim: Signal groups provide encrypted, private communication.

What we found: Groups V2 moved group state (membership, title, avatar, permissions) onto the server, encrypted with a group master key the server does not hold and accessed with anonymous credentials. What the server can still observe are side channels around that ciphertext: its size (which tracks member count), which IP addresses fetch and modify it and when, and which requests carry admin-level changes. V1 kept no group state on the server at all, so in metadata terms V2 was a privacy downgrade.

Data Sharing 3/4 HIGH (2 findings)
⚫ Medium · policy claims vs regulatory findings
Signal was originally built with money from a US government broadcasting agency with Cold War roots. It is now funded by donations, but needs about twice what it currently brings in.

What they claim: Signal is an independent privacy tool developed without government influence.

What we found: Signal received $2,955,000+ from the Open Technology Fund (2013-2016). OTF was then a program of Radio Free Asia, a US government-funded broadcaster. Revenue ($25.8M in 2024) falls short of the roughly $50M Signal says it needs annually.

⚫ Medium · firmware analysis vs regulatory findings
Signal has almost no data to hand over, but it is still a single US organization running the whole network. One secret court order could in principle compel it to push a malicious update to everyone.

What they claim: Signal's architecture protects against government overreach.

What we found: Signal Foundation is based in Mountain View, CA and is subject to National Security Letters, FISA orders and subpoenas. It is a single point of compulsion: there is no federation, so there is no second operator to route around it. A Signal outage in 2024 affected all users globally, and countries that block Signal's servers block the whole service. The compelled-update risk is bounded by the clients being open source with a reproducible Android build, but almost no user verifies either.

Security 4/4 EXTREME (4 findings)
⚡ High · policy claims vs app permissions
Signal is the most private messenger available, but it still requires a real phone number to sign up. In August 2022, a breach at Twilio, the provider Signal used to send SMS verification codes, exposed the phone numbers of approximately 1,900 Signal users, and the attacker re-registered at least one victim's account. Because an account is tied to a phone number, a single breach at a third-party company can compromise the identity of users of the most secure messenger on Earth.

What they claim: Signal is the ultimate privacy messenger. 'We can't read your messages or listen to your calls, and no one else can either.'

What we found: A phone number, an identifier issued by a carrier and in many countries tied to government ID at SIM registration, is required to create an account. Usernames (introduced in 2024) hide the number from other users, but the registration requirement remains. The Twilio breach (2022) exposed 1,900 numbers. Takeover by re-registration of the kind seen in that incident is blocked when Registration Lock is enabled in the app, which Signal urged users to turn on afterwards.

⚫ Medium · firmware analysis vs regulatory findings
Signal keeps PIN-protected recovery data inside Intel's hardware enclaves, but researchers keep breaking those enclaves. Signal's newer design spreads the secret across three enclave vendors, which is better but still hardware-dependent.

What they claim: PIN-protected profile recovery keeps data secure in hardware-protected enclaves.

What we found: SVR2 relied on Intel SGX, which has suffered serious attacks (Plundervolt, LVI, SGAxe). The US government could also compel Intel, as a US company, to hand over the signing keys the attestation chain depends on. SVR3 splits the secret across three independent enclave technologies (Intel SGX, AMD SEV-SNP and AWS Nitro Enclaves), so compromising one vendor's hardware is not enough. That is a significant improvement, but the fundamental reliance on vendor hardware and attestation remains.

⚫ Medium · app permissions vs firmware analysis
A breach at Signal's SMS verification provider exposed phone numbers and let an attacker take over one account. Russian state-aligned attackers later tricked targets into scanning malicious device-linking QR codes, silently adding an attacker-controlled device to their accounts.

What they claim: Signal maintains robust security against third-party attacks.

What we found: Twilio breach (2022): 1,900 phone numbers exposed, one account re-registered. Russian device-linking QR-code phishing (reported February 2025): victims who scanned the code linked an attacker's device, which then received their messages; the check is Settings > Linked Devices, where anything unrecognised should be unlinked. CVE-2023-24069 and CVE-2023-24068: Signal Desktop failed to remove attachments reliably after deletion and allowed local attachment replacement (Signal disputed both as outside its threat model). 15 CVEs on record in total.

✔️ Low · policy claims vs firmware analysis
The most powerful people in the US government used Signal for war plans, and the only breach was adding the wrong person. The encryption was never broken.

What they claim: Signal is the gold standard for private communication.

What we found: Signalgate (March 2025): the Trump administration's national security adviser accidentally added The Atlantic's editor-in-chief to a Signal group chat discussing imminent military strikes in Yemen. The encryption held; the failure was a human error in group membership. This validates Signal's cryptographic model while showing what it cannot protect against: a user inviting the wrong recipient.

Honesty 2/4 MODERATE (2 findings)
⚡ High · firmware analysis vs policy claims
Signal says even it can't see who you're messaging. Researchers showed that by watching the timing of automatic delivery receipts, the server (or anyone who can observe it) can work out exactly who is talking to whom.

What they claim: Sealed sender hides who is messaging whom: 'no one will be able to know, not even Signal.'

What we found: Academic research (NDSS 2021, IEEE S&P 2023) shows that delivery receipts, which cannot be disabled, undo sealed sender. The server cannot read the sender of a sealed message, but it still sees the recipient of every delivery and the source IP of every request, and the receiving client automatically sends a delivery receipt back to the sender within a fraction of a second. Correlating those timings over a handful of messages links the two accounts. Signal itself describes sealed sender as 'an incremental step.'
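The correlation described above, as an added simulation (editor's code, not from this report or the cited papers): the constructed server log contains only (timestamp, recipient) pairs, which is all a sealed-sender server sees, and the scoring function still recovers the communicating pair from the receipt timing. The receipt latency, background traffic rate and 0.5 s window are assumptions chosen for the simulation; a real deployment needs more messages and a more careful baseline, but the mechanism is the same.

```python
import bisect
import random
from collections import Counter

ACCOUNTS = ["alice", "bob", "carol", "dave", "erin", "frank"]


def simulate_server_log(sender, receiver, accounts=ACCOUNTS, n_msgs=40, seed=7):
    """Constructed log of what a sealed-sender server sees: (time, recipient).

    There is deliberately no sender column. For each message from `sender`
    to `receiver` the log records the delivery to `receiver` and, 50-400 ms
    later (assumed client latency), the automatic delivery receipt delivered
    back to `sender`. Unrelated background traffic to all accounts is noise.
    """
    rng = random.Random(seed)
    log, t = [], 0.0
    for _ in range(n_msgs):
        t += rng.expovariate(1 / 30.0)                      # a message every ~30 s
        log.append((t, receiver))                           # sealed message arrives
        log.append((t + rng.uniform(0.05, 0.4), sender))    # receipt goes back
    for _ in range(n_msgs * 10):                            # background deliveries
        log.append((rng.uniform(0.0, t + 1.0), rng.choice(accounts)))
    log.sort()
    return log


def score_contacts(log, target, window=0.5):
    """Rank who `target` talks to, using recipient timestamps alone.

    For each delivery to `target`, every other account that received
    something within +/- `window` seconds is a candidate. The raw count is
    divided by the count expected if the two accounts' traffic were
    independent (a Poisson baseline), so busy accounts do not win just by
    being busy. Returns [(account, lift), ...], highest lift first.
    """
    times = [t for t, _ in log]
    totals = Counter(r for _, r in log)
    span = max(times) - min(times)
    target_times = [t for t, r in log if r == target]
    hits = Counter()
    for t in target_times:
        lo = bisect.bisect_left(times, t - window)
        hi = bisect.bisect_right(times, t + window)
        for r in {r for _, r in log[lo:hi] if r != target}:
            hits[r] += 1
    ranked = []
    for r, observed in hits.items():
        expected = len(target_times) * min(1.0, totals[r] * 2 * window / span)
        ranked.append((r, observed / expected))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked


def best_contact(log, target, window=0.5):
    """Top-ranked contact of `target` as (account, lift); (None, 0.0) if no data."""
    ranked = score_contacts(log, target, window)
    return ranked[0] if ranked else (None, 0.0)


if __name__ == "__main__":
    server_log = simulate_server_log("alice", "bob")
    print("alice's likely contact:", best_contact(server_log, "alice"))
    print("bob's likely contact:  ", best_contact(server_log, "bob"))
```

Because the receipt is sent automatically and cannot be turned off, the only user-side mitigations are the ones the papers discuss (batching or delaying receipts), none of which the current client offers.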

⚡ High · policy claims vs regulatory findings
Signal's founder Moxie Marlinspike had a personal financial stake in MobileCoin, the cryptocurrency Signal integrated into the app in 2021. MobileCoin's price shot up about 450% in anticipation of the announcement. The world's most trusted privacy app promoted a cryptocurrency its creator had a financial interest in. The payments feature remains in the app behind an opt-in setting despite persistent criticism, and the conflict of interest was never adequately addressed.

What they claim: Signal Foundation is an independent nonprofit serving user privacy above all else.

What we found: Moxie Marlinspike was listed as CTO of MobileCoin and was a paid advisor. The MOB token rallied ~450% before Signal's integration. MobileCoin's CEO: 'I started MobileCoin to fund Signal.' Bruce Schneier: 'An incredibly bad idea.' Payments are still active.

Sources