Signal Updates Considered Harmful


I usually recommend Signal as a simple-to-use and secure form of communication. Signal is primarily known for its mobile app, but there is also a desktop application based on Electron.

The desktop app has a very annoying, long-standing issue which was already reported on GitHub in 2018: whenever a new application update is available, the app shows a message box prompting the user to restart Signal. Unfortunately - at least on macOS - Electron message boxes un-minimize the whole application window and show the message box on top of the application. This behavior can be seen in the Electron source code, and I cannot see a simple way of preventing it from happening.

In my opinion, this behavior poses a serious problem: as long as Signal is running, it can pop to front - even if currently minimized - at random moments. This means that whoever stands next to you in that moment will get a glance at all of your recent contacts and messages. Just imagine your most secret messages are suddenly shown to your boss, the viewers of your presentation, or while you’re sharing your screen.

Keep in mind that Signal is a messenger focused on privacy. Randomly showing the application window sounds like a significant security problem to me.

Now consider this: if the issue was first reported in 2018 (https://github.com/signalapp/Signal-Desktop/issues/2659) and it is still unresolved, it surely must be tough to resolve?

On the contrary: it had already been resolved about a month after the initial bug report in this PR.

The user “dosco” has proposed a rational solution: he replaces the message box with a banner, which is another common UI pattern for update notifications.

(Screenshot: dosco's proposed solution)
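To make the difference between the two UI patterns concrete, here is an added example (not Signal's or dosco's code) of an update notifier that never calls Electron's modal `dialog.showMessageBox`, which is what restores a minimized window on macOS, and instead sends a non-modal banner to the renderer over IPC, and only while the window is visible and focused. The `BrowserWindow` methods used (`isMinimized`, `isVisible`, `isFocused`, `webContents.send`, the `focus` event) are real Electron APIs; `FakeWindow` is a stand-in I constructed so the logic runs outside Electron.

```javascript
// Update notifier that surfaces the "restart to update" hint as an
// in-window banner, deferred until the user is actively in the window.
// It deliberately never opens an OS-level modal, so a minimized or
// unfocused Signal window is never pulled to the front unexpectedly.
class UpdateNotifier {
  constructor(win) {
    this.win = win;        // assumed to behave like an Electron BrowserWindow
    this.pending = null;   // version held back until the user is in the window
    win.on('focus', () => this.flush());
  }

  // Called by the updater when a new version has been downloaded.
  onUpdateAvailable(version) {
    this.pending = version;
    return this.flush();   // true if the banner was shown right away
  }

  // Show the banner only if the user is already looking at the window;
  // otherwise keep it pending and retry on the next 'focus' event.
  flush() {
    if (this.pending === null) return false;
    const w = this.win;
    if (w.isMinimized() || !w.isVisible() || !w.isFocused()) return false;
    w.webContents.send('update-banner', { version: this.pending });
    this.pending = null;
    return true;
  }
}

// Constructed stand-in for BrowserWindow so the policy can run under Node.
// It starts minimized and unfocused, like a Signal window parked in the Dock.
class FakeWindow {
  constructor() {
    this.state = { minimized: true, visible: true, focused: false };
    this.handlers = {};
    this.sent = [];                      // IPC messages the renderer would receive
    this.webContents = { send: (channel, msg) => this.sent.push([channel, msg]) };
  }
  on(event, fn) { this.handlers[event] = fn; }
  isMinimized() { return this.state.minimized; }
  isVisible() { return this.state.visible; }
  isFocused() { return this.state.focused; }
  // Simulates the user bringing the window back themselves.
  restore() {
    this.state = { minimized: false, visible: true, focused: true };
    this.handlers.focus();
  }
}
```

With a minimized window, `onUpdateAvailable` returns `false` and nothing is sent; the banner is delivered only once the user restores and focuses the window.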

About six weeks later, a GitHub maintainer adds this comment to the PR:

(Screenshot: the Signal team's answer)

On January 7th of this year (2020), the pull request has been closed by the same maintainer.

So, if I get this right, there is an almost two-year-old security problem in the Signal desktop app which has not yet been fixed, because consistent design has been prioritized over an issue that could leak classified information.

To make this worse, it looks like this is not even on a priority list for the designer.

I am not sure why the Signal team has not given this issue a higher priority. I tried to draw attention to it again by commenting on the original issue, but there has been no response yet. Unfortunately, this is a blocking issue for me. Closing the whole application every time someone stands next to me just does not work for me.

Update (April 2nd, 2020): As of April 2020, the issue is fixed. See here for details.