I’m Chris Kanich, a Professor of Computer Science at the University of Illinois Chicago. I’ve been doing cybersecurity research for about 20 years. Based on my own research and experience, and that of my colleagues, here’s what we think you need to know about Signal:
Signal protects:
- Your messages: No one who isn’t part of the conversation (not even Signal or the government) can read your messages or listen to your calls.
- Your conversation metadata: Signal doesn’t track who you talk to or when.
- Your identity: A username can hide your phone number while still letting you interact with others.
There are many apps that advertise themselves as “secure messengers,” but most do not actually provide these protections, and none are as well-trusted by cybersecurity professionals as Signal.
Signal can’t stop:
- Social engineering: If someone untrustworthy is added to a group chat, they can see and share everything that is said. No app can protect against that.
- Physical Access: If someone holds your unlocked phone, they can read your texts. (Use Signal’s Screen Lock.)
- Screenshots: The person you’re talking to can still copy and paste, screenshot, or photograph the conversation.
- Malware: If your phone has malware, it can record your screen before Signal encrypts the text. Malware infections are much rarer than they used to be, but they are still possible, especially if you are a high-value target.
Beyond Signal, these are the general cybersecurity tips that I give everyone who will listen:
- Use a Password Manager: Long, unique passwords make it much harder for hackers to break into your online accounts, but they are hard to keep track of manually. Password managers make it easy to use long, unique, random passwords to protect yourself from the most common attacks. Trustworthy password managers can either be standalone programs like 1Password or Bitwarden, or those built into the Apple and Google ecosystems (which are free).
- Use App-Based 2FA: Turn on Two-Factor Authentication for any account you consider important, especially your primary email. App-based codes (type in 6 digits from an app) or passkeys are the best; SMS is better than nothing but worse than those.
- Update & Reboot: Install software updates as soon as you can. If you are more likely to be a target of a cyberattack OR if an update is marked as “security related,” install it immediately.
- The “Urgency” Test: If a message creates a sense of urgency (“Account locked!”) or asks for money, it’s a scam. Find a different way to contact the person/business (official apps that you have already installed and used are OK for this) to verify the situation.