Know Why Signal App Safety Numbers Do Not Always Change

Recently, while using the Signal app across multiple platforms, security investigators drew attention to an interesting finding: if you and one of your contacts reinstall the Signal app or change devices, the Signal safety number between the two of you may not change consistently.

The safety number is a feature of the app that lets users verify the security of their calls and messages with their contacts, and it typically changes when either party reinstalls the app or switches to a new device.

Your Safety Number Does Not Always Reset – Signal App

End-to-end encrypted apps like Signal have a security feature called a “safety number” or “security code”, which is often also represented as a QR code.

You and each of your contacts share the same safety number (SN) on Signal. It serves as a fingerprint for the pair and helps both contacts verify the protection of their communication. After opening the Signal app, both you and your contact can tap on each other’s names; tapping “Verify safety number” then displays the safety number for your pair.

The safety number is shown both in human-readable numeric form and as a QR code.

Why Signal app safety numbers do not always change?

If a contact reinstalls the messaging app, switches to a new handset, or changes their phone number, the safety number and the QR code are expected to change.

Signal stated as of last month that “The most common scenarios where a safety number advisory is shown are when a user reinstalls the Signal app or switches over to a new device. However, if the safety number changes constantly or automatically then there must be something wrong,” as mentioned in Signal’s archived documentation, as of 22nd May 2021.

The investigators also discovered that, when installing the Signal app or transferring their account over, the safety number with their contacts didn’t change, nor were the contacts alerted about any safety number change.

The researchers then investigated this behavior across the platforms presently supported by Signal, namely Linux, OSX, Android, iOS, and Windows, and said that the safety numbers often did not change across these platforms even after deleting and reinstalling the Signal app, or when switching over to a different device.

In the test by our experts, reinstalling the Signal app on Android and iOS devices did reset the safety number, and the contact was alerted to the safety number change.

Know When and Why Safety Numbers Change

To understand the concern better, our experts reached out to Signal, specifically asking under what circumstances the safety numbers change and when they do not. Signal has recently told our experts that no changes have been made to the source code that issues safety numbers.

Jim O’Leary, Signal’s VP of Engineering, said that any updates made currently were part of normal management updates, and explained why safety numbers may not change in all situations.


Signal’s successive replies to the researchers’ reports give us a better understanding of how Signal safety numbers work, when they change and when they do not.

Signal’s CEO, Moxie Marlinspike, stepped in on Twitter to shed light on the situations in which the safety numbers do not change:


“You tried (and reported) reinstalling on a new device using Signal device transfer, and you tried cycling a linked device.”

Marlinspike explained, “These do not result in SN change alerts, because the basic key material has not changed, so there is nothing to warn about.”

“Key material” refers to what forms the basis of safety numbers and how they are created, as explained in previous blogs. In the same Twitter conversation, Marlinspike adds that the investigators’ report covers a case of Signal device transfer, followed by the cycling of linked devices.
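The point about key material can be made concrete with a small model. The following is an added example, not code from Signal or from the original article: it derives a 60-digit number from two parties' identity keys in the style of a numeric fingerprint and shows what the contact sees after a device transfer versus a clean reinstall. The iteration count, the identifiers, the seeded stand-in keys and the assumption that a clean reinstall generates a fresh identity key are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

ITERATIONS = 5200  # assumed hash-stretching count for this model

def fresh_key(seed: str) -> bytes:
    """Constructed stand-in for key generation: 32 deterministic 'public key' bytes."""
    return hashlib.sha256(seed.encode()).digest()

def fingerprint(identity_key: bytes, identifier: bytes) -> str:
    """30 digits that depend only on one party's identity key and identifier."""
    h = b"\x00\x00" + identity_key + identifier
    for _ in range(ITERATIONS):
        h = hashlib.sha512(h + identity_key).digest()
    return "".join(f"{int.from_bytes(h[i:i + 5], 'big') % 100000:05d}"
                   for i in range(0, 30, 5))

@dataclass
class Account:
    identifier: bytes
    identity_key: bytes

    def device_transfer(self) -> "Account":
        return Account(self.identifier, self.identity_key)  # key carried over

    def clean_reinstall(self, seed: str) -> "Account":
        return Account(self.identifier, fresh_key(seed))    # assumed: new key

def safety_number(a: Account, b: Account) -> str:
    """Sorting the halves makes both parties display the same 60 digits."""
    return "".join(sorted([fingerprint(a.identity_key, a.identifier),
                           fingerprint(b.identity_key, b.identifier)]))

def contact_view(me: Account, pinned: Account, seen: Account, verified: bool) -> str:
    """What the other party experiences when `seen` replaces `pinned`."""
    if safety_number(me, seen) == safety_number(me, pinned):
        return "no alert"
    return "blocked until approved" if verified else "alert shown"

def demo() -> dict:
    alice = Account(b"alice", fresh_key("alice-install-1"))  # constructed data
    bob = Account(b"bob", fresh_key("bob-install-1"))
    reinstalled = alice.clean_reinstall("alice-install-2")
    return {
        "transfer": contact_view(bob, alice, alice.device_transfer(), True),
        "reinstall": contact_view(bob, alice, reinstalled, False),
        "reinstall_verified": contact_view(bob, alice, reinstalled, True),
    }
```

Because the number is a pure function of the two identity keys and identifiers, any operation that preserves the key leaves it unchanged, which is why an unchanged number after a transfer is expected rather than suspicious.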

Had Signal quietly addressed any of the issues described in the report, its GitHub commit history would disclose the changes, since the app is open source.

Summing Up

The main aim of safety numbers is to let users verify the protection of their messages and calls with specific contacts.

“Every Signal one-to-one chat has a specific safety number that permits you to verify the protection of your messages and calls with special contacts.” “Safety number verification is a good security practice for crucial information. If the safety number has been marked as verified, any changes must be manually allowed before sending a new message.”

“This permits the user to check the protection of their transmissions with a contact and helps to protect against any attempted man-in-the-middle attacks.” So when you and your contact are alerted that the safety number between you has changed, it is a good idea to confirm that you are communicating with the intended person.

As Signal explains it, not all cases of app reinstallation or transfer lead to a change in the safety number, and that is no cause for concern.
