---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Hardening Signal'
version: '1.0'
number: '22-002'
TLP: 'WHITE'
date: '03-03-2022'
numbersections: yes
toc: yes
---

*History:*

- *03/03/2022 - v1.0 - Initial publication*.

# Introduction

Signal is a well-known, secure, encrypted instant messaging service developed by the non-profit [Signal Technology Foundation and Signal Messenger LLC](https://signalfoundation.org/). It uses standard cellular telephone numbers as identifiers, and all communications between Signal users are secured with [end-to-end encryption](https://en.wikipedia.org/wiki/End-to-end_encryption).

Staff of public and private organisations, including senior management, may sometimes use Signal to quickly coordinate and exchange information on work-related matters. Signal groups may also have been set up for business continuity reasons, in case corporate instant messaging tools become unavailable.

This document provides clear and pragmatic recommendations for hardening the configuration of Signal apps. If you have suggestions that could help improve it, contact us at . We always appreciate constructive feedback.

# Scope and audience

This document provides guidance for hardening Signal apps. Its audience is all staff using Signal for work-related matters.

# Hardening recommendations

## Use the official websites and stores to download the Signal apps

Only download the Signal apps from the official websites and stores:

- [Apple iOS devices](https://apps.apple.com/us/app/signal-private-messenger/id874139669).
- [Android devices](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms&hl=en&gl=US).
- [Desktop applications](https://signal.org/download/).

## Use auto-update or regularly update your apps

Update your applications regularly and choose auto-update whenever possible:

- On iOS devices, go to `Settings > App Store` and check `App Updates`. Refer also to Apple's [How to manually update apps on your Apple device](https://support.apple.com/en-us/HT202180).

  ![Signal iOS Updates](/static/security-guidance/img-Signal-iOSUpdates.png)

- On Android devices, refer to Google's [How to update the Play Store & apps on Android](https://support.google.com/googleplay/answer/113412?hl=en).
- On Desktop applications, go to `Preferences > General` and check `Automatically download updates`.

  ![Desktop Automatic Updates](/static/security-guidance/img-Signal-Updates-Desktop.png)

## Customise your profile

We recommend you use your real name and provide a short bio. You may also customise your profile picture to your liking, preferably using a real picture:

1. Tap your profile icon/picture in the top left corner of the application, then select `Settings`.
2. Select the first area, where your current profile icon/picture is shown, and customise the picture/bio.

## Verify the identity of your contacts

Do not accept contact requests from numbers that are not registered in your contacts without proper verification. If a person contacts you for the first time on Signal, using a name that should be known to you but for which you don't have a corresponding phone number in your contact list, or if the person is not already a member of one of your trusted Signal groups:

1. Note down their phone number.
2. Contact the person they claim to be using **another** trusted means of communication (e.g. your corporate chat platform, or an email to their corporate email address) and ask them whether they have tried to initiate a conversation with you on Signal. Provide the phone number you noted down in the first step.
3. If they confirm, you may accept the conversation.
4. If they deny it, block the impersonator on Signal and **report this immediately** to your security officers.

You may also want to verify the identity of your contacts by checking their Safety Number:

1. For each contact, select the conversation you have with them, then tap on their profile icon/picture and select `View Safety Number`.
2. Screenshot the QR code or note down the safety number, and use another trusted means of communication (e.g. your corporate chat platform, or an email to their corporate email address) to ask them to confirm the number. You can also use the “sharing option” of your device to send them the safety number on your corporate chat platform or by email.
3. Once they confirm the number matches on their side, you can mark the contact as “trusted” by tapping `Mark as verified` in Signal.
4. If the contact later uses a device other than the one you just approved, Signal will tell you so. In this case, perform the previous steps again to re-verify their safety number.

![Safety Number](/static/security-guidance/img-Signal-SafetyNumber.jpeg)

## Enable Registration Lock

Your Signal account is linked to your phone number. If someone gets access to that number, they can impersonate you, for example through a [SIM swapping attack](https://en.wikipedia.org/wiki/SIM_swap_scam). To avoid this, you must activate Registration Lock:

1. Tap your profile icon/picture in the top left corner of the application, then select `Settings`.
2. Select `Account`, then activate `Registration Lock`.

![Registration Lock](/static/security-guidance/img-Signal-RegistrationLock.jpeg)

When you activate this option, Signal will ask you to create a PIN that will be required for account registration, in addition to the standard SMS-based verification. **We strongly encourage you to choose an alphanumeric PIN** and to record it in a safe, secure place (e.g. your corporate password manager).
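As an added illustration of the safety-number verification described above (it is not part of the original guidance and not Signal's own code), the following Python models how a safety number is derived from both parties' public identity keys: why both sides see the same 60 digits, why the digits must be compared over another trusted channel, and why the number changes when a contact re-registers on a new device (step 4 of the procedure). The hashing parameters, the sample keys and the phone numbers are constructed assumptions for this example; the model is not meant to reproduce the numbers the Signal apps display.

```python
import hashlib

# Parameters of this illustrative model (assumptions, not Signal's exact values).
FINGERPRINT_VERSION = b"\x00\x00"
HASH_ITERATIONS = 5200


def fingerprint_half(identifier: str, identity_key: bytes) -> str:
    """Derive one party's 30-digit half from their identifier and public identity key.

    The key is hashed together with the identifier, then re-hashed many times, so
    that searching for a different key with the same 30 digits is slow.
    """
    digest = hashlib.sha512(FINGERPRINT_VERSION + identity_key + identifier.encode()).digest()
    for _ in range(HASH_ITERATIONS):
        digest = hashlib.sha512(digest + identity_key).digest()
    # 30 bytes -> six 5-byte chunks -> six 5-digit groups (30 digits)
    groups = []
    for offset in range(0, 30, 5):
        chunk = int.from_bytes(digest[offset:offset + 5], "big")
        groups.append(f"{chunk % 100000:05d}")
    return "".join(groups)


def safety_number(my_id: str, my_key: bytes, their_id: str, their_key: bytes) -> str:
    """Join both halves in sorted order, so both parties compute the same 60 digits."""
    halves = sorted([fingerprint_half(my_id, my_key), fingerprint_half(their_id, their_key)])
    return "".join(halves)


def display(sn: str) -> str:
    """Group the 60 digits in blocks of 5, as a user would read them out or paste them."""
    return " ".join(sn[i:i + 5] for i in range(0, len(sn), 5))


def normalise(text: str) -> str:
    """Drop spaces and line breaks a contact may have introduced when sending the number back."""
    return "".join(ch for ch in text if ch.isdigit())


def numbers_match(mine: str, theirs: str) -> bool:
    """Out-of-band comparison: True only if all 60 digits agree."""
    a, b = normalise(mine), normalise(theirs)
    return len(a) == 60 and a == b


# Constructed sample identity keys (32 bytes each, not real keys) and fake numbers.
ALICE_KEY = bytes(range(1, 33))
BOB_KEY = bytes(range(101, 133))
BOB_NEW_DEVICE_KEY = bytes(range(201, 233))
ALICE_ID = "+32100000001"
BOB_ID = "+32100000002"

if __name__ == "__main__":
    seen_by_alice = safety_number(ALICE_ID, ALICE_KEY, BOB_ID, BOB_KEY)
    seen_by_bob = safety_number(BOB_ID, BOB_KEY, ALICE_ID, ALICE_KEY)
    print("Alice sees:", display(seen_by_alice))
    print("Bob sees:  ", display(seen_by_bob))
    print("Match over a trusted channel:", numbers_match(display(seen_by_alice), seen_by_bob))
    # Bob re-registers on a new device, i.e. with a new identity key.
    after_relink = safety_number(ALICE_ID, ALICE_KEY, BOB_ID, BOB_NEW_DEVICE_KEY)
    print("Still matches after Bob's key changed:", numbers_match(seen_by_alice, after_relink))
```

The point the model makes is that the number is a function of both identity keys, so a check only has value if the other party's copy arrives over a channel the impersonator does not control (corporate chat or corporate email, as the procedure says); a mismatch after a contact changes device is the expected signal to repeat the verification rather than to ignore the warning.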
## Make sure your account is only synchronised on devices you trust

Only synchronise your account on secured and trusted devices. If one linked device is compromised, the attackers will be able to see the entire content of your conversations:

1. Tap your profile icon/picture in the top left corner of the application, then select `Settings`.
2. Select `Linked Devices`.
3. Check that you recognise all the devices listed there, if any.
4. If there is a suspicious device in the list, **report it immediately** to your security officers, providing:
   a. its name as it appears in the list,
   b. the date at which it was linked (`Linked dd/mm/yyyy`),
   c. the last active date (`Last active dd/mm/yyyy`).
5. Then select `Edit` in the top right corner of the app, press the “deletion” sign on the left-hand side of the suspicious device and select `Unlink`.

## Activate the screen lock

Activate the screen lock:

1. Tap your profile icon/picture in the top left corner of the application, then select `Settings`.
2. Select `Privacy` and toggle `Screen Lock` under App Security.
3. Choose a sensible timeout (e.g. 5 minutes).

![Screen Lock](/static/security-guidance/img-Signal-ScreenLock.png)

## Enable notification privacy

Even when your device is locked, anyone could pick it up and read messages and sender names from your lock screen. This is particularly easy during meetings with external parties. We recommend that you configure Signal so that only the sender's name is displayed when your device is locked:

1. Tap your profile icon/picture in the top left corner of the application, then select `Settings`.
2. Select `Notifications`, then `Show` under Notification Content.
3. Select `Name only`.

You can also prevent the sender's name from being displayed altogether by selecting `No Name or Content` instead of `Name only` in the last step.

![Notifications](/static/security-guidance/img-Signal-Notif.jpeg)

## Make your messages disappear

Use Signal’s “disappearing messages” feature to remove messages from a conversation automatically after a certain time:

1. Tap your profile icon/picture in the top left corner of the application, then select `Settings`.
2. Select `Privacy`, then `Default Timer for New Chats` under Disappearing Messages.
3. Choose a sensible default timer (e.g. 1 week).

![Disappearing Messages - Global](/static/security-guidance/img-Signal-TempMessages.jpeg)

On existing conversations:

1. Tap on the profile icon/picture of your correspondent/group.
2. Select `Disappearing Messages`.
3. Choose a sensible timer (e.g. 1 week).

![Disappearing Messages - Each Conversation](/static/security-guidance/img-Signal-Timer.png)

## Reboot your phone regularly

**Reboot your phone at least once a day.** While this will not prevent your device from being compromised, a reboot will get rid of non-persistent malicious implants that may have been surreptitiously installed on it.

# References

- [Signal Official Website](https://signal.org/en/)