Signal is considered the gold standard in mobile encrypted messaging by governments and dissidents alike. The app, which is completely open-source, allows its users to securely text, call, and video chat with each other. Signal has become ubiquitous among privacy enthusiasts and journalists, and derives much of its popularity from its frequent inclusion in "surveillance survival guides," guide-like articles usually published around the time of protests and leaks.
While there is no doubt that Signal is an effective tool for circumventing passive dragnet surveillance conducted by the likes of the NSA and GCHQ, every tool is imperfect—and Signal is no exception. Like all apps, Signal is only as secure as the phone on which it is used. If your phone is compromised—either by a foreign government or a determined independent hacker—so are all your apps.
When WikiLeaks published the Vault 7 leaks, Signal was included in its list of possibly compromised technologies. On analyzing the leaked CIA documents, however, many journalists discovered that Signal was never even mentioned. Even so, WikiLeaks' claims were not wholly untrue: the leaks revealed a series of mobile-phone exploits which could be used to compromise an entire phone, and, as a consequence, Signal. While it is true that the exploits did not explicitly target Signal, they would still render the app insecure. Still, many journalists refuted WikiLeaks' Signal claims, denouncing them as misleading if not incorrect.
This criticism was only partly called for: WikiLeaks' claims were misleading, yes, but they reminded the world that Signal is not infallible. This is often forgotten by those who promote the app, who incorrectly tout Signal as a perfectly secure communication platform. Perhaps this is done out of a sort of internalized hope (the prospect of being unable to evade state surveillance is indeed haunting), or maybe purely out of ignorance. But the consequence is that many people believe Signal is perfectly secure, a dangerous misconception that leaves them unaware of Signal's weak point (i.e. the phone on which it resides), and therefore unable to properly protect themselves.
In today's privacy-scarce world, a proper understanding of cryptographic tools is as important to security as the existence of the tools themselves.