How ‘Signalgate’ in the US is fuelling misconceptions about encrypted chat apps


Signal is at the centre of a fierce debate over its use by US government officials, bringing the encrypted messaging app’s limitations into sharp focus.

In a shocking debacle, The Atlantic’s editor-in-chief, Jeffrey Goldberg, became privy to highly sensitive discussions among top national security officials in the US after he was mistakenly added to a group chat on the Signal app comprising US Defense Secretary Pete Hegseth and other top defence officials in the Trump administration.

The group members reportedly discussed upcoming military strikes targeting locations of Houthi terrorists in conflict-ridden Yemen. The discussions continued for six days before Goldberg left the group on his own while other members still seemed to be unaware of his presence in the chat, according to the report by The Atlantic.

The incident raised serious questions over the unauthorised use of Signal to share classified information. A 2023 memo by the US Department of Defence (DoD) includes Signal among examples of apps that are not authorised for classified information. As the fallout from the security breach spread, the strength of Signal’s encryption and its security architecture also came under scrutiny. This piece examines where Signal’s limitations actually lie.

Can anyone read your messages on Signal?

Signal is a pioneer of encrypted communications and is regarded as one of the most secure messaging apps currently available on the market.

Cybersecurity experts widely consider it a leading easy-to-use encrypted messaging service, since there are no public reports of hackers intercepting users’ messages in transit by cracking the platform’s end-to-end encryption protocol.

The app is also a favourite of privacy and digital rights activists as it collects minimal user data and offers robust privacy features such as the option to hide your phone number and display a username instead.

Unlike Telegram, end-to-end encryption is enabled by default for all messages and voice calls on Signal. In January 2025, Signal announced a new feature that would give users the choice to transfer their chat history and media from the last 45 days to other Android and iOS devices or start fresh.

Signal’s end-to-end encryption technology is open-source, meaning that developers can take a look under the hood and verify its security. In addition, the encryption protocol forms the basis of the security offered by other messaging apps like WhatsApp.

Since 2023, Signal has been upgrading its encryption technology so that it remains secure against the future, hypothetical threat of quantum computers.

If Signal is so secure, why did ‘Signalgate’ happen?

When a user sends a text message on Signal, the information is encrypted and only the recipient of the message can decrypt it with specific cryptographic keys stored locally on the devices of the sender and receiver. This ensures that not even the service provider can read the encrypted data.

It is impossible for law enforcement authorities or hackers to intercept and read a Signal message in transit. Last year, the Federal Bureau of Investigation (FBI) recommended that American citizens use encrypted messaging apps like Signal to keep their messages private. The recommendation was made after Chinese hackers reportedly compromised US-based telecom networks to access conventional SMS text messages.

However, Signal is only as secure as the device it runs on. Encrypted messages can be leaked if an attacker gains access to an unlocked device, installs spyware, or tricks a user into linking their account to a malicious device.

Similarly, a participant in your group chat can take screenshots of your conversation and share them elsewhere. They could also potentially hand over their device to another person, who would be able to simply read your decrypted messages.

The bottom line is that Signal is not infallible against human error.

Experts noted that the recent US national security leak happened because someone — whether intentionally or by mistake — added an outsider to the chat. In its response to the ‘Signalgate’ scandal, the non-profit entity behind the app said that the claim that there are ‘vulnerabilities’ in Signal isn’t accurate.

Does Signal protect against all forms of security threats?

No, Signal does not offer ironclad protection from all forms of snooping. For instance, users on the platform could still fall for scams or phishing attacks.

Last month, Google’s cybersecurity arm, Mandiant, released a report stating that Russian intelligence officials were trying to trick Ukrainian users on Signal into sharing their personal information and handing over access to their accounts on the platform.

However, the report did not mention if any Signal accounts were actually compromised.

“In order to help protect people from falling victim to sophisticated phishing attacks, Signal introduced new user flows and in-app warnings. This work has been completed for some time and is unrelated to any current events,” Signal said in a post on X.

“We also constantly monitor security@signal.org for any new reports, and we act on them with quickness while also working to protect the people who rely on us from outside threats like phishing with warnings and safeguards,” it added.

End-to-end encryption is also useless if a device has been infected with spyware like Pegasus, as threat actors can directly access the messages and files on the device without the user knowing.

How can you use Signal more securely?

While it is not possible to fully remove the risks associated with encrypted chat apps like Signal, here are a few ways you can minimise them:

– Use audio and video calls over Signal to avoid written records of what you discussed.
– Enable ‘Always Relay Calls’ on Signal so that your IP address remains private while making phone calls to others.
– Use your personal phone or laptop while communicating through Signal, as opposed to using work devices.
– Avoid connecting your personal devices to untrusted networks to prevent monitoring.
– Enable disappearing messages in Settings > Privacy > Disappearing Messages to automatically delete chats after a set time.




