picture alliance via Getty Images
Here’s an irony—as the U.S. and other governments around the world continue to progress a crackdown on secure messaging, there has never been a better time to be a user of one of these platforms. Even as legislation progresses through U.S. Congress that threatens to undermine the security now in place, the messaging technologies themselves are becoming more useable and secure.
And on that note, the millions of iPhone users sending secure messages over the two leading third-party platforms—WhatsApp and Signal—are in for some seriously good news. The two most glaring holes with WhatsApp and Signal are being plugged. The fine balance between usability and security has been the issue in both cases—but finally we have fixes being put into place. If the U.S. government is successful in undermining end-to-end encryption, the industry is clear it won’t be without a fight.
Last month, the news emerged that the latest WhatsApp beta would finally extend end-to-end encryption to iCloud backups, with similar plans for Android also. This has been a massive vulnerability, backing up WhatsApp chats and media to iCloud has simple been storing a decrypted copy of your messaging database. That means Apple has the key, and can provide your data to law enforcement if required. By encrypting those backups in the same way as the messaging transport itself, that no longer becomes possible, the vulnerability is closed.
Current iOS WhatsApp backup is not end-to-end encrypted.
And so to Signal—the most popular security-first messaging platform around. For iPhone users, the main issue with Signal has been the inability to transfer message history to a new phone when you upgrade. For many this has been a deal breaker to using Signal as the go-to messaging platform. With so much information and media contained in our messaging histories, it’s too painful to start over.
Well, not any more. In a blogpost on June 9, Signal announced to iPhone users that “your next upgrade deserves an upgrade.” The platform has finally provided a fully working transfer option to duplicate your messaging history on a new device. And with Signal being Signal, it takes the security of doing so to a whole new level.
“As with every new Signal feature,” the post explains, “the process is end-to-end encrypted and designed to protect your privacy. Transfers also occur over a local connection (similar to AirDrop), so even large migrations can be completed quickly.”
With WhatsApp and the likes of iMessage, iOS users rely on cloud backups or repositories to manage the transfer to a new device. Signal does it differently. There is no cloud transfer, no vulnerability where you lose control over your data. It’s a secured endpoint to secured endpoint transfer.
Simply put, with your new iPhone or iPad in hand, you install Signal on the new device as you’re setting it up. You then verify the phone number by text message, and ideally your two-factor authentication PIN that you really should have set up. This confirms to Signal that this new instance should receive your messages. Then you will be prompted to “Transfer from iOS Device.” You confirm this on the existing device, and then scan the QR code displayed on the new device to get the transfer underway.
Again, with Signal being Signal, once the transfer is complete the old device will wipe its Signal database clean. You’re good to go.
Signal assures that because “your existing device is always in complete control,” and because “the transfer prompt appears on the existing device,” the app can ensure that “the existing device verifies the integrity of the connection before any data is sent, and the existing device has to physically scan the QR code that is displayed on the new device before the transfer can even begin.” All of this is intended to protect you from any form of endpoint compromise. Remember, you can protect your Signal app with two-factor authentication and biometric locks to even open it up.
The QR code does nothing but route data to the new app. So even if someone gets hold of your phone number and verifies a new install of Signal on a new device, there is no way for them to touch your data history without you giving permission. Signal also assures that “the new device verifies the integrity of the transferred data. If any errors are detected, the process is simply aborted and you can try again later.”
Signal already offers superb cross-platform access—something WhatsApp is now testing and is clearly looking to push out as quickly as it can. WhatsApp’s challenge is that it relies on those cloud backups, which are currently insecure. And so its fixing the issue is great news for users, and also an acknowledgement that Signal in particular is a genuine threat on the secure messaging front.
The only downside to Signal’s approach is that if you lose your phone, you lose your data. This new update doesn’t fix that issue, whereas WhatsApp’s approach does. But if security is your primary concern, you don’t want your message history outside of your control. Remember, as the memes say, “there is no cloud, it’s just someone else’s computer.”
Signal is on a mission to lead the way in providing the best secure functionality as users become ever more aware of the security of their devices and their data. We saw this just days ago with its moves to blur photos on request, with the wave of protests around the world in mind.
“This is the first time that upgrading to a new device without losing any information has been possible on iOS,” Signal says of its new upgrade. “We recognize that this feature doesn’t cover every single scenario, but we think it’s a good start. We plan on continuing to make improvements to this functionality in the future.”
WhatsApp will be watching.