Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
How are my text messages encrypted?
Signal uses Curve25519, AES-256 and HMAC-SHA256. The security of these algorithms has been tested over many years of use in hundreds of different applications. Signal messages and calls are end-to-end encrypted, which means that they can only be read or heard by your intended recipients. We make it easy for you to verify that you are communicating with the right people and that no man in the middle attack has occurred.
The Signal Protocol is the most advanced cryptographic ratchet available. It ensures that new AES keys are used for every single message, and it provides Signal with both forward secrecy and future secrecy properties. The Signal Protocol also features enhanced deniability properties that improve on those provided by OTR, except unlike OTR all of these features work well in an asynchronous mobile environment.
We believe that the Signal Protocol represents the current state of the art in secure messaging.
How are my voice calls encrypted?
The “signaling” messages used to set up Signal voice/video calls (offer/answer SDPs, ICE candidates, etc.) are transmitted over the normal Signal Protocol messaging channel, which binds the security of the call to that existing secure channel.
Can Open Whisper Systems see my text messages or listen to my phone calls?
Absolutely not, and no one else can either. Everything in Signal is always end-to-end encrypted. There are no exceptions.
Can I verify the safety number?
Yes. You can tap on a contact's name in the conversation view to see advanced identity verification options. Support for automatic verification using scanned QR codes is available in this section, and the full safety number is also displayed for manual verification purposes.
Additionally, Signal provides a shortcut to quickly copy your safety number so that it can be included in an email, message, or Tweet. Simply tap on the share icon in the top right corner and choose to copy or share directly through another app.
Who sees what?
Phone calls, messages, and attachments are only visible to you and the other people with whom you are communicating.
What about metadata?
- Because your phone will be connecting to Signal's servers, your cellular carrier can determine whether or not you are using the service. However, your carrier cannot gather any information about the individuals or groups with whom you are communicating.
- Apple's push notification service can theoretically gather metadata about when you are receiving phone calls and messages, but Apple does not have access to any information about their origin or contents.
- Remember, anyone who has your number in their address book can see whether or not you have signed up for the service. You can register using any valid phone number. Please keep this in mind if using encrypted communications has the potential to get you in trouble. You can read more about the state of private contact discovery here.
Are group chats encrypted?
Yes. Group conversations are encrypted too. An in-depth explanation of this process is available on our blog.
Is the data on my device encrypted too?
While no messaging solution can keep you perfectly safe in the event of a full device compromise, Signal has been engineered to be highly resistant to direct physical attacks:
- If you have a passcode on your iPhone (and you should!), all Signal files will be encrypted by the operating system.
- Signal files are completely excluded from iCloud and iTunes backups.
- A second layer of encryption is used for the message database (outside of attachments). The key for this database is stored in the iPhone's hardware keychain. This defense mechanism is useful against an attacker that has filesystem access but is unable to root the device.
Are there any plans to support iOS 7?
No, unfortunately that's not possible. Signal uses APIs that were first introduced in iOS 8 and that are not available in earlier releases. Furthermore, iOS 7 is no longer being supported by Apple at all, and it contains several serious security vulnerabilities. Users are encouraged to upgrade to the latest version of iOS, if they can.
I don't get an SMS verification code, what should I do?
We take verification issues seriously and we are doing our best to make sure Signal works well no matter where you live. Please let us know on the wiki so that we can investigate.