This article is out of date. Check here for more recent information about Signal.

There are dozens of messaging apps for iPhone and Android, but one in particular continues to stand out in the crowd. Signal is easy to use, works on both iOS and Android, and encrypts communications so that only the sender and recipient can decipher them. It also has open source code, meaning it can be inspected to verify security. You can download Signal from the Android Play Store and the iPhone App Store.

Although Signal is well-designed, there are extra steps you must take if you want to maximize the security for your most sensitive conversations — the ones that could be misinterpreted by an employer, client, or airport security screener; might be of interest to a snooping government, whether at home or abroad; or could allow a thief or hacker to blackmail you or steal your identity. I discuss these steps at length below, in order of importance. If you wish to jump ahead to a specific section, you can click the appropriate link:

Lock down your phone

Hide Signal messages on your lock screen

Verify that you’re talking to the right person: via phone, via text

Archive and delete messages

Lock Down Your Phone

Signal uses strong end-to-end encryption, which, when properly used, ensures that no one involved in facilitating your conversation can see what you’re saying — not the makers of Signal, not your cellphone or broadband provider, and not the NSA or another spy agency that collects internet traffic in bulk. But Signal’s encryption scheme can’t stop someone from picking up your phone and opening the app to read through your conversations. You have to take additional precautions.

If you’re using Android:

Set up screen lock, which requires you to draw a pattern, type a numeric PIN, or type a password to unlock your phone. You can do this from the Settings app under Security > “Screen lock.” Try to make it random, and avoid using anything obvious such as birthdates. Don’t tell anyone how to unlock your phone unless you’re OK with them reading all of your encrypted messages.

Encrypt your phone’s storage. A screen lock is not much use if a thief can copy your phone’s data to a different device. Encrypting the flash memory on your phone blocks such an attack by scrambling your data so that it can only be unlocked using the same pattern, PIN, or password used to unlock your phone. You can do this from the Settings app under Security > “Encrypt phone.” Note that you need to have a full battery before Android lets you encrypt your phone, and you may have to wait up to an hour while your phone is encrypting.

Install all updates promptly. Updates fix security bugs, so every day you haven’t installed them is a day you’re vulnerable to attack. You can check for Android updates by opening the Settings app, and under System tap “About phone” > “System updates.” You should also update all of your apps from the Play Store promptly.

If you’re using an iPhone:

Set a strong passcode. iPhones automatically have encrypted storage, but this encryption only protects your data if you lock your device with a passcode. Everyone should use at least a six-digit passcode, and you should up that to 11 digits if you’re concerned that your phone might fall into the hands of a powerful attacker like a government. Avoid using anything obvious such as birthdates. I wrote about this in detail in February — skip to the bottom of that article for instructions on changing your passcode, and for considerations about using Touch ID.

Install updates promptly. Updates fix security bugs, so every day you haven’t installed them is a day you’re vulnerable to attack. You can check for iPhone updates in the Settings app under General > Software Update. You should also update all of your apps in the App Store app under the Updates tab.

Hide Signal Messages on Your Lock Screen

Signal’s powerful encryption won’t necessarily help you if other people can see incoming Signal messages displayed on your lock screen. Displaying messages on the lock screen is Signal’s default behavior, but you should change this if your phone is frequently in physical proximity to people who shouldn’t see your Signal messages — roommates, coworkers, or airport screeners, for example.

Here’s how to lock down your Signal notifications.

If you’re using Android:

Open the Settings app, and under “Device” > “Sound & notification” select “When device is locked.”

The options are “Show all notification content,” “Hide sensitive notification content,” or “Don’t show notifications at all.” I recommend you choose “Hide sensitive notification content” — this way you’ll still be notified when you get a Signal message, but you’ll have to unlock your phone to see who it’s from and what it says.

If you’re using an iPhone:

Open the Signal app and tap the gear icon in the top-left to get to Signal’s settings. Under “Notifications” > “Background Notifications,” tap “Show.”

The options are “Sender name & message,” “Sender name only,” or “No name or message.” I recommend you choose “No name or message” — this way you’ll still be notified when you get a Signal message, but you’ll have to unlock your phone to see who it’s from and what it says.

To completely remove Signal notifications from your iPhone’s lock screen, open the Settings app, tap “Notifications,” scroll down to the list of apps, and tap Signal. From here you can turn off “Show on Lock Screen.”

Verify That You’re Talking to the Right Person

I said earlier that Signal ensures your communications stay private when it is properly used. Using Signal properly involves verifying that your communications are not subject to a “man-in-the-middle attack.” A man-in-the-middle attack is where two parties (Romeo and Juliet, for example) think they’re speaking directly to each other, but instead, Romeo is speaking to an attacker, Juliet is speaking to the same attacker, and the attacker is connecting the two, spying on everything along the way. In order to fully safeguard your communications, you have to take extra steps to verify that you’re encrypting directly to your friends and not to impostors.

Most messaging apps don’t provide any way to do this sort of verification. Signal provides two: one for verifying voice calls and one for verifying text conversations.

Verify Your Phone Contacts

It’s easy to verify the security of phone calls on Signal, but you have to verify every call. For each call, the Signal app displays two words on the callers’ phone screens. In the screen shot below, for example, each screen shows the words “shamrock paragon.” Juliet and Romeo read these words to one another; if the words are the same, and they recognize one another’s voices, the call is secure. If the words are different, someone is attacking the encryption in the call and you should hang up and try calling again, but this time from a different internet connection.

It’s not required, but a popular convention is for the receiver to answer the phone by reading the first word, as in, “Shamrock?” and for the caller to respond with the second word, as in, “Paragon.”
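Why mismatched words reveal someone in the middle, as an added sketch that is not from the original article and is not Signal's own code: each phone derives its two words from a key-agreement secret, so a relay that negotiates separately with each caller leaves them holding different secrets and therefore different words. The toy Diffie-Hellman group, the SHA-256 step and the syllable table are all assumptions made for illustration.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group (assumption for illustration; not Signal's parameters).
P = 2**521 - 1  # a Mersenne prime
G = 3

# Constructed table: each 4-bit value maps to one syllable (not Signal's word list).
SYLLABLES = ["ba", "de", "fi", "go", "ku", "la", "me", "ni",
             "po", "ru", "sa", "te", "vi", "wo", "zu", "ha"]

def keypair():
    """Return (private, public) for one side of the key agreement."""
    priv = secrets.randbelow(P - 3) + 2  # uniform in 2..P-2
    return priv, pow(G, priv, P)

def shared_secret(my_priv, their_pub):
    return pow(their_pub, my_priv, P)

def auth_words(secret):
    """Hash the shared secret and render its first 32 bits as two words."""
    digest = hashlib.sha256(secret.to_bytes(66, "big")).digest()
    words = []
    for hi, lo in (digest[0:2], digest[2:4]):
        nibbles = [hi >> 4, hi & 15, lo >> 4, lo & 15]
        words.append("".join(SYLLABLES[n] for n in nibbles))
    return " ".join(words)

def direct_call():
    """Juliet and Romeo exchange public values with nobody in between."""
    j_priv, j_pub = keypair()
    r_priv, r_pub = keypair()
    return (auth_words(shared_secret(j_priv, r_pub)),
            auth_words(shared_secret(r_priv, j_pub)))

def intercepted_call():
    """A relay hands each caller its own public value instead of the peer's."""
    j_priv, _ = keypair()
    r_priv, _ = keypair()
    _, m_pub = keypair()
    return (auth_words(shared_secret(j_priv, m_pub)),
            auth_words(shared_secret(r_priv, m_pub)))

if __name__ == "__main__":
    print("direct:     ", direct_call())
    print("intercepted:", intercepted_call())
```

The relay cannot force the two word pairs to match without knowing a caller's private value, which is why reading the words aloud detects it.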

I admit that this sounds like magic, but I assure you that it’s only mathematics. Here’s how it works: When Juliet calls Romeo using Signal, her app communicates with his app and comes up with a shared secret that no one else can possibly learn, even if they’re spying on this exchange — watch this five-minute video if you want to get some information about how this works. The Signal app on each phone takes this shared secret and converts it into the two-word authentication string. As long as the shared secret is exactly the same, the authentication string will be exactly the same as well.

Verify Your Text Contacts

It’s more complicated to verify the security of Signal text chats, but once you’ve verified a text chat correspondent, you won’t have to re-verify them until they get a new phone or re-install Signal.

Each person you text with in Signal has something called an identity key. When Juliet sends Romeo a message for the first time, her Signal app downloads a copy of his identity key and stores it on her phone, and vice versa. So long as these identity keys are valid — the key that Juliet has stored for Romeo is actually Romeo’s real key and not some attacker’s key — then the messages they send to each other are secure.

Because it’s unlikely that anyone is trying to attack your encrypted messages the very first time you send a contact a message, Signal automatically trusts the identity key that it downloads. This makes Signal easy to use: All you need to do to have an encrypted conversation is send someone a message, and that’s it. But if you discuss anything sensitive, you still might want to confirm.

To verify the identity key, you first navigate to the verification screen.

If you’re using Android:

Open the Signal app and tap on a conversation to open it

Tap the contact’s name and phone number at the top of the screen

Tap “Verify identity”

If you’re using an iPhone:

Open the Signal app and tap on a conversation to open it

Long-press the contact’s name at the top of the screen until the verification screen appears