Signal users rejoice! Desktop app gets long-awaited security fix
Signal, a privacy-centric messaging app, has announced plans to bolster the security of its desktop client, by modifying how it stores plain text encryption keys for data storage. The decision comes in response to public criticism and follows years of downplaying the issue since it was first reported in 2018. The company's desktop version for Windows or Mac uses an encrypted SQLite database to store user messages, which are encrypted via a key generated by the program without user input.
Encryption key vulnerability sparks concern
The encryption key, stored as plain text in a local file, is accessible to any user/program running on the computer. This accessibility compromises the security of the encrypted database. Nathaniel Suchy, who discovered this flaw, proposed encrypting the local database with a password supplied by the user that is never stored anywhere. This method mirrors practices used by web browsers, cloud backup software, password managers, and cryptocurrency wallets.
Response to encryption key flaw criticized
Despite being alerted about this flaw in 2018, Signal did not respond. A Signal Support Manager later addressed a user's concerns on their forum, stating, "The database key was never intended to be a secret. At-rest encryption is not something that Signal Desktop is currently trying to provide or has ever claimed to provide." In 2024, Elon Musk tweeted about known vulnerabilities with Signal that were not being addressed, without specifying what these vulnerabilities were.
Signal's security weakness highlighted by mobile security researchers
Last week, mobile security researchers Talal Haj Bakry and Tommy Mysk, warned against using Signal Desktop due to its security weakness. They pointed out that photos and apps sent via the app are not stored securely, and that the encryption key for the message store, is still kept in plain text on the system. In response, Signal President Meredith Whittaker downplayed the flaw, claiming that if an attacker gains full access to a device, Signal cannot fully protect the data.
Signal implements support for Electron's safeStorage
In April, developer Tom Plant proposed a solution to secure Signal's data store from offline attacks, using Electron's safeStorage API. This API provides extra methods to secure the encryption key utilized to encrypt data stored locally on a device. However, this solution was not fully effective for Windows, as it only secures encryption key against other users on the same device. Last week, Signal announced that it had implemented Electron's safeStorage support, which would be offered in a beta update.
