Why Use Signal for Encrypted Text Messaging
December 9, 2024
By Sasha Begovic

What are WhatsApp and Signal?

Like the vast majority of people over the age of 16, you’re either reading this on your mobile phone, or have it within arm’s reach. That’s not an accusation, just the reality of modern life, and we all find ourselves in the same boat. If you are concerned or confused as to why the FBI and CISA (the Cybersecurity and Infrastructure Security Agency) are recommending that you use the Signal messaging application, the information below may help inform your decision, or at least provide some context for these recommendations.

Apples and Oranges – Green and Blue Text Bubbles

Apple iOS and Google Android are your only real choices of operating system on a mobile phone. Both Google Messages and iOS iMessage encrypt calls and texts, but only between devices running the same operating system.

Apple iOS users benefit from automatic end-to-end encryption within their iOS ecosystem. Android users who are sending messages within Google Messages may use Rich Communication Services (“RCS”) to send encrypted messages. However, this requires both devices to have RCS enabled, which requires some level of forward planning.

When messages leave their native ecosystem and are sent between these two different operating systems, they revert to the Short Message Service (SMS) or Multimedia Messaging Service (MMS) protocols, which are both completely unencrypted. This lack of encryption allows SMS and MMS messages to be intercepted over insecure networks.

How is Signal different?

Signal is a messaging application for iOS and Android, with desktop programs for Windows, macOS and Linux (though desktop registration requires that the user have an iOS or Android device). Signal is a non-profit organization founded by WhatsApp cofounder Brian Acton in February 2018, and uses its own open source “Signal Protocol” for automatic end-to-end encryption of all messages on either platform.

Signal’s encryption keys are both generated and stored on the devices, and users can verify the other’s identity by comparing key fingerprints (or scanning QR codes). This comparison is accomplished by using out-of-band data, which is a data stream kept separate from the messages themselves. Once the keys have been exchanged, Signal notifies senders if that key subsequently changes, and then prompts users to verify that the identifier is authentic.
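The key-pinning and key-change notification described above can be sketched in a few lines. This is an added, simplified illustration, not Signal's own code or fingerprint format; the class and function names, the SHA-256 fingerprint layout and the sample keys are all assumptions made for the example.

```python
import hashlib
import hmac


def fingerprint(identity_key: bytes) -> str:
    """Short fingerprint two people can compare: SHA-256, 30 hex digits in groups of 5."""
    digest = hashlib.sha256(identity_key).hexdigest()[:30]
    return " ".join(digest[i:i + 5] for i in range(0, 30, 5))


class ContactKeyStore:
    """Hypothetical store: pins a contact's public key on first sight, tracks verification."""

    def __init__(self):
        self._pins = {}  # contact name -> {"key": bytes, "verified": bool}

    def observe(self, contact: str, identity_key: bytes) -> str:
        """Call whenever a message arrives; returns the trust state for that contact."""
        pin = self._pins.get(contact)
        if pin is None:
            self._pins[contact] = {"key": identity_key, "verified": False}
            return "new"
        if hmac.compare_digest(pin["key"], identity_key):
            return "verified" if pin["verified"] else "unverified"
        # Key differs from the pinned one: re-pin, drop verified status, warn the user.
        self._pins[contact] = {"key": identity_key, "verified": False}
        return "changed"

    def verify(self, contact: str, fingerprint_from_contact: str) -> bool:
        """Compare against a fingerprint obtained out of band (in person, by phone)."""
        pin = self._pins[contact]
        ours = fingerprint(pin["key"]).encode()
        pin["verified"] = hmac.compare_digest(ours, fingerprint_from_contact.encode())
        return pin["verified"]


def demo():
    store = ContactKeyStore()
    alice_key = bytes(range(32))         # constructed sample public key
    replaced_key = bytes(range(1, 33))   # constructed: a different key seen later
    events = [store.observe("alice", alice_key)]          # first contact
    store.verify("alice", fingerprint(alice_key))         # out-of-band check matches
    events.append(store.observe("alice", alice_key))      # same key, now verified
    events.append(store.observe("alice", replaced_key))   # key changed: warn
    events.append(store.observe("alice", replaced_key))   # still unverified until re-checked
    return events


if __name__ == "__main__":
    print(demo())
```

A key change is not proof of interception, since reinstalling the app or switching phones also produces a new key, which is why the sketch resets the contact to unverified instead of blocking messages.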

Why are US Agencies Recommending Signal?

In December 2024, the FBI and CISA recommended the use of encrypted messaging applications. These recommendations are largely a response to a Chinese hacking group known as “Salt Typhoon,” which has infiltrated AT&T, Verizon, and Lumen Technologies, resulting in the compromise of untold volumes of unencrypted messages. This marks a notable shift from the agencies’ prior stance, under which such encryption mechanisms were seen as hindering their investigative capabilities. A Senate Commerce committee is set to hold a hearing on these issues on December 11, where further guidance may become available.

Best Practice

Encryption is not a panacea; all security measures have their limitations. Though Signal’s messaging database is encrypted, the decryption key is stored on the same phone. Physical access to an unlocked or compromised device would allow a sophisticated threat actor to access the Signal message database.

Employing best practices, such as enabling strong multi-factor authentication methods, applying operating system updates in a timely manner, and providing anti-phishing and employee training, can help mitigate these concerns. Invariably, the responsibility remains with us, the users, to ensure the physical security of our own devices.
