Privacy Ninja

Signal App Safety Numbers Do Not Always Change — Here’s Why

This week, security researchers have drawn attention to an interesting finding made while using Signal apps across multiple platforms.

When you or your contact reinstall the Signal app or switch over to a new device, the Signal safety number between you two may not always change.

The safety number is a feature of the app that helps users verify the security of their messages and calls with their contacts, and is typically expected to change when either party reinstalls the app or switches devices.

Signal app does not always reset your safety number

End-to-end encrypted messaging apps like Signal have a security feature called “safety number,” or a “security code,” sometimes represented as a QR code.

You and every contact of yours on Signal share a unique Safety Number (SN) that serves as the pair’s fingerprint and helps both contacts verify the privacy of their communications.

You or your contact can open the Signal app and tap the other person’s name. Tapping “Verify safety number” then shows the safety number for your pair.

The number is represented both in a human-readable numeric form and a QR code:

[Figure: Signal safety number. Your Signal safety number is unique for every contact of yours (Signal)]

Should either contact reinstall the messaging app, switch to a new handset, or change phone number, the safety number, and the QR code, are expected to change.

Or, at least that is what Signal’s documentation stated as of last month:

“The most common scenarios where a safety number advisory is displayed are when a contact switches to a new phone or re-installs Signal. However, if a safety number changes frequently or unexpectedly it may be a sign that something is wrong,” read Signal’s archived documentation, as of May 22nd, 2021.

But security researchers Kelly Kaoudis, John Jackson, Sick Codes, and Robert Willis discovered that, when installing Signal on a new device and transferring their account over, the safety number between them and their contacts didn’t change, nor were the contacts alerted about any safety number change.

In Kaoudis’ case, the researcher was surprised to learn that the safety number for herself and her contact remained unchanged.

Further, the researchers tested this behavior across multiple platforms currently supported by Signal, including Linux, OSX, Android, iOS, and Windows, and state that the safety numbers would not always change across these upon deletion and reinstallation of the Signal app, or when switching over to a different device.

In tests by BleepingComputer, the uninstallation and reinstallation of Signal app on Android and iOS devices did reset the safety number, and the contacts were notified of the safety number change.

As such, BleepingComputer could not reproduce the issues described in the researchers’ report.

“Mid-May, I got a new phone. At the time I understood that with any change to the device or installation of either party in a chat with message history, the Signal chat safety number changes.”

“This used to be but (following an involved email back-and-forth with the Signal team over the course of a month) is no longer reflected in the Signal support documentation,” says Kaoudis.

Since reporting the issue to Signal, the researchers state that it was mysteriously resolved; they believe Signal rolled out patches that fixed it.

Note, Signal has since revised their support documentation to read:

“The most common scenarios where a safety number advisory is displayed are when a contact switches to a new phone or re-installs Signal, but these actions don’t always result in a safety number change.”

So when and why do safety numbers change?

To understand the issue better, BleepingComputer reached out to Signal, specifically asking under what circumstances safety numbers change and when they do not.

Signal has told BleepingComputer that there have been no changes made to the source code that concern safety numbers.

Signal’s VP of Engineering, Jim O’Leary further states that any updates made recently were part of normal maintenance updates, and explains why safety numbers may not change in all circumstances.

Signal’s subsequent responses to the researchers’ reports give a better understanding of how Signal safety numbers work, when they change, and when they do not.

Signal’s CEO, Moxie Marlinspike, stepped in on Twitter to shed light on the circumstances in which safety numbers do not change:

“You tried (and reported) installing on a new device using Signal device transfer, and you tried cycling a linked device.”

“These do not result in SN change notifications, because the underlying key material has not changed, so there is nothing to warn,” explained Marlinspike.

By “key material,” Marlinspike is referring to what forms the basis of safety numbers and how they are generated, as explained in his 2016 and 2017 blog posts.

Furthermore, in the same Twitter conversation, Marlinspike adds that the researchers’ report covers a case of Signal device transfer, followed by the cycling of linked devices.

However, when Signal is uninstalled and reinstalled on an unlinked device, the safety numbers are supposed to change, which Marlinspike says is “how it always worked and was supposed to work.”
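To make the “key material” point concrete, here is an added illustration that is not Signal’s code: a safety number modelled as a fingerprint of both parties’ long-term identity keys, so a device transfer that copies the key leaves the number unchanged while a fresh install that generates a new key changes it. The layout follows the iterated-hash scheme Signal described in its 2016 and 2017 posts, but the version prefix, iteration count, chunking and all sample keys and identifiers below are assumptions constructed for illustration.

```python
import hashlib

# Assumed constants for illustration; Signal's posts describe an iterated
# SHA-512 over a version prefix, the identity key and a stable identifier.
ITERATIONS = 5200
VERSION = b"\x00\x00"


def fingerprint_half(identity_pub: bytes, stable_id: bytes) -> str:
    """Return one party's 30-digit half of the safety number."""
    h = VERSION + identity_pub + stable_id
    for _ in range(ITERATIONS):
        h = hashlib.sha512(h + identity_pub).digest()
    # First 30 bytes -> 6 chunks of 5 bytes, each reduced to a 5-digit group.
    return "".join(
        f"{int.from_bytes(h[i:i + 5], 'big') % 100000:05d}" for i in range(0, 30, 5)
    )


def safety_number(my_pub: bytes, my_id: bytes, their_pub: bytes, their_id: bytes) -> str:
    """Sort the two halves so both parties compute the same 60 digits."""
    halves = sorted([fingerprint_half(my_pub, my_id), fingerprint_half(their_pub, their_id)])
    return "".join(halves)


def display(sn: str) -> str:
    """Group the 60 digits into twelve 5-digit blocks, as the app shows them."""
    return " ".join(sn[i:i + 5] for i in range(0, 60, 5))


# Constructed sample identities (stand-ins for real identity public keys).
ALICE_ID, BOB_ID = b"+15550000001", b"+15550000002"
alice_key_v1 = hashlib.sha256(b"alice-identity-key-1").digest()
bob_key = hashlib.sha256(b"bob-identity-key").digest()

# Scenario 1: Alice uses device transfer; her identity key is copied intact.
alice_key_after_transfer = alice_key_v1
# Scenario 2: Alice deletes Signal and reinstalls on an unlinked device,
# so a brand-new identity key is generated.
alice_key_after_reinstall = hashlib.sha256(b"alice-identity-key-2").digest()

SN_BEFORE = safety_number(alice_key_v1, ALICE_ID, bob_key, BOB_ID)
SN_AFTER_TRANSFER = safety_number(alice_key_after_transfer, ALICE_ID, bob_key, BOB_ID)
SN_AFTER_REINSTALL = safety_number(alice_key_after_reinstall, ALICE_ID, bob_key, BOB_ID)

if __name__ == "__main__":
    print("before:         ", display(SN_BEFORE))
    print("after transfer: ", display(SN_AFTER_TRANSFER), "(unchanged, nothing to warn)")
    print("after reinstall:", display(SN_AFTER_REINSTALL), "(changed, contacts notified)")
```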

Signal is open source, so had it quietly patched any issue described in the report, its GitHub commit history would reveal the changes.

The original purpose of safety numbers is to allow users to verify the security of their messages and calls with specific contacts.

“Each Signal one-to-one chat has a unique safety number that allows you to verify the security of your messages and calls with specific contacts.”

“Verification of safety numbers is a good security practice for sensitive communication. If a safety number has been marked as verified, any change must be manually approved before sending a new message.”

“This allows users to check the privacy of their communication with a contact and helps protect against any attempted man-in-the-middle attacks,” reads Signal’s support docs.

Therefore, if the Safety Number between you and your contact changes and both of you get alerted, it is a good idea to verify that you are communicating with the intended person.

But, as Signal explains it, not all cases of app re-installation or migration may lead to a safety number change, and that is no cause for concern.
