Edit July, 2023: A lot of things happened since my writing this post. Nowadays,privilege escalation vulnerabilities do not seem to be quite uncommon. A rather extreme example is CVE-2019-16253 which can be used to launch non-exported activities described here. Although a fix was provided for some versions, older phones still remain vulnerable.

Signal is considered one of the best most secure instant messaging apps, because the protocol, namely Signal protocol, is a very secure protocol. It is also used by its rival, WhatsApp, which is run by Meta. Although this protocol minimizes the amount of metadata needed to transfer a message and ensure forward secrecy, it’s still susceptible to the man-in-the-middle attack if you’re not careful enough to verify the safety number. But who cares about safety number anyway, or how this can be done when you have no other way to communicate to the person you’re contacting to actually verify the safety number, or what prevents the client itself from becoming a man in the middle.

Example of unverfied communication This screenshot is taken from Signal.org's homepage, and even this screenshot does not contain a verified checkmark at the bottom of the user name. (Archive)

Still, using a secure instant messanger is infinitely better than communicating via E-Mail. But this is not today’s topic. Today’s topic is quite simple.

Background

Signal app on Android offers a privacy feature that allows an user to lock the app using the PIN/pattern or fingerprints that they have set to lock the phone itself. This feature can be activated within Signal by navigating to Settings > Privacy > App Security and activating Lock Signal option. With this option activated, the app, once locked, can only be launched by providing the PIN/pattern or fingerprints that was configured in Android settings.

The vulnerability

It turns out the above statement is not entirely true. Signal has a non-exported activity called .PassphraseCreateActivity which can be used to easily bypass this restriction. Now, a non-exported activity means that no apps other than Signal can run this activity without a privileged access such as root or system. So, if you have root, you can easily run this activity by running the following command in any Android terminal:

su -c am start-activity org.thoughtcrime.securesms/.PassphraseCreateActivity

The app, if locked, will be unlocked immediately without asking for any credentials. As of this writing, this is tested in 6.5.6, the latest version of Signal received via OTA.

Is this a critical vulnerability?

No. This feature only locks the Signal app itself, database and preferences are still unencrypted and can be accessible to any entity having a privileged access to the operating system. For these reasons, this is considered a low severity vulnerability. It was reported to Signal by me in 19 September 2022, and I am yet to receive any reply.

An alternative client

Molly, an independent fork of Signal, does not have this vulnerability. Rather, its database is protected with a password, thereby, preventing room for any attacks by an entity with privileged access to the operating system as long as the password remains unknown to them. Note that, this is only the Android client, not the server. So, you will effectively use the Signal servers themselves but on a different client. This is actually better than using Signal client itself because nobody should use a client supplied by the same entity that controls the servers even if it is end-to-end encrypted.

An alternative platform

SimpleX has recently received an independent audit from Trail of Bits. Although the audit did not cover the Android client, the library itself is reported to be secure. This protocol does not require any fixed identity such as phone number or username, therefore, no extra verification step is needed (however, I do think this to be one of the major drawback since the corporations have, so far, prevented identity verification to become normalised, and we’re used to a permanent identity such as phone number or username). The app itself, though having an UI appropriate for iOS rather than Android, is quite usable.