Signal Sucks: Here's why

I wasn't intending to produce a series of articles on messaging apps, but it seems that's what's happening. I recently posted an article explaining why Signal is a trustworthy messaging app, but I would be remiss to ignore its issues. In this article I discuss why Signal sucks.

Signal is an end-to-end encrypted secure messenger, and a direct competitor to WhatsApp and Telegram. Without going into too much detail, Signal is a well-designed, secure communication platform that ensures a high level of privacy. See my article on Signal for more information on Signal's merits, because in this article I will only be discussing why Signal sucks. There are four main reasons Signal sucks, which I will be explaining in descending order of practical importance.

By default, sealed sender only applies to contacts

Sealed sender is a feature Signal uses to prevent metadata leaks. It does this by encrypting the sender's identity. This ensures that while Signal's servers can know when you receive a message, they cannot know when you send a message. This prevents metadata from leaking who you talk to, and when. However, since it only applies to contacts by default, a malicious server could still know who you talk to. They could not know when or how often you talk to them, but they can know that you talked to them. They can also know when the first time was that you talked to them.

While Signal has a strong policy of not collecting user data, and this policy has even been proven in court, any exception to Signal's zero-trust security model is potentially problematic. Sealed sender can be enabled manually for non-contacts, at the risk of receiving increased spam. Enabling sealed sender for non-contacts will mitigate the metadata risk described above.

Signal requires a phone number

Signal requires a phone number to use. Depending on who you are, this may not seem like an issue, but it isn't negligible. Signal's requirement of a phone number is a partial exception to their zero-trust design. It allows Signal to know who uses their service, and who doesn't. This does not allow them to track who you talk to, except as mentioned in the previous point. While it is possible to use Signal with a fake phone number, buying physical burner phones is not possible in some countries, and using online services such as Twilio can have its own privacy issues.

Signal requires GSF

Signal's app is reliant on GSF. GSF, otherwise known as Google Services Framework, is required for many apps to serve push notifications to users. This allows apps to receive notifications without needing to check periodically, and therefore saves battery life and increases device performance.

The issue with GSF is that it relies on Google servers. Many people who use Signal don't like that Google spies on users en masse, and uses the collected data for targeted advertising, as well as other purposes we might not know about. While Google officially states that they don't sell user data, it's widely known that the tech giant uses various loopholes to profit off the data they don't technically sell. As we know, whenever you see the word “technically” it's not a good sign. They shouldn't be not technically selling data. They should be not selling data.

Anyway, now that I've completed my tangent, I hope it's clear now why Signal relying on GSF is an issue. On the bright side, Google never gets access to message contents or metadata. Only the fact that you received a message is revealed.

As a side note, Google can also use GSF to tell when your device is connected to the internet.

While it's possible to use Signal without GSF, this doesn't work on all devices. On these devices, using Signal without GSF requires a nonstandard build of the Signal app.

Signal is centralized, and doesn't allow third-party clients

This is the biggest long-term issue with Signal, but provides the smallest immediate concern. The issue is one of user freedom and long-term trust. In disallowing third-party clients, Signal reduces user freedom and violates the principles of free software (free as in freedom). As a more practical concern, Signal's centralization could allow Signal to eventually start collecting user data. As we've already seen with existing communication apps, the network effect will prevent people from moving to a better service, if this time ever comes.

All original non-code/non-software content is committed to the public domain, except where otherwise explicitly stated. Code/software is licensed under the BSD 3-clause license, except where otherwise explicitly stated. Content not originally created by Serpent Security may be subject to separate licensing terms.