Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Signal App Safety Numbers Do Not Always Change — Here’s Why

Signal App Safety Numbers Do Not Always Change — Here’s Why

This week, security researchers have steered attention towards an interesting finding while using Signal apps across multiple platforms.

When you or your contact reinstall the Signal app or switch over to a new device, the Signal safety number between you two may not always change.

The safety number is a feature of the app that helps users verify the security of their messages and calls with their contacts, and is typically expected to change when either party reinstalls the app or switches devices.

Signal app does not always reset your safety number

End-to-end encrypted messaging apps like Signal have a security feature called “safety number,” or a “security code,” sometimes represented as a QR code.

You and every contact of yours on Signal share a unique Safety Number (SN) that serves as the pair’s fingerprint and helps both contacts verify the privacy of their communications.

You or your contact can open up the Signal app, and tap each other’s names. Further tapping “Verify safety number” will show you what the safety number for your pair is.

Also Read: Data Protection Officer Singapore | 10 FAQs

The number is represented both in a human-readable numeric form and a QR code:

Signal safety number
Your Signal safety number is unique for every contact of yours (Signal)

Should either contact reinstall the messaging app, switch to a new handset, or change phone number, the safety number, and the QR code, are expected to change.

Or, at least that is what Signal’s documentation stated as of last month:

The most common scenarios where a safety number advisory is displayed are when a contact switches to a new phone or re-installs Signal. However, if a safety number changes frequently or unexpectedly it may be a sign that something is wrong,” read Signal’s archived documentation, as of May 22nd, 2021.

But, security researchers Kelly KaoudisJohn JacksonSick Codes, and Robert Willis discovered, when installing Signal on a new device and transferring their account over, the safety number for their contacts and them didn’t change. And, nor were the contacts alerted about any safety number change.

In Kaoudis’ case, the researcher was surprised to learn that the safety number for herself and her contact remained unchanged.

Further, the researchers tested this behavior across multiple platforms currently supported by Signal, including Linux, OSX, Android, iOS, and Windows, and state that the safety numbers would not always change across these upon deletion and reinstallation of the Signal app, or when switching over to a different device.

In tests by BleepingComputer, the uninstallation and reinstallation of Signal app on Android and iOS devices did reset the safety number, and the contacts were notified of the safety number change.

As such, BleepingComputer could not reproduce the issues described in the researchers’ report.

“Mid-May, I got a new phone. At the time I understood that with any change to the device or installation of either party in a chat with message history, the Signal chat safety number changes.”

“This used to be but (following an involved email back-and-forth with the Signal team over the course of a month) is no longer reflected in the Signal support documentation.” says Kaoudis.

Since their report of this issue to Signal, the researchers state that the issue was mysteriously resolved, claiming that Signal rolled out patches that they believe were responsible for resolving the issue.

Note, Signal has since revised their support documentation to read:

“The most common scenarios where a safety number advisory is displayed are when a contact switches to a new phone or re-installs Signal, but these actions don’t always result in a safety number change.

Also Read: The DNC Singapore: Looking at 2 Sides Better

So when and why do safety numbers change?

To understand the issue better, BleepingComputer reached out to Signal, specifically asking under what circumstances do the safety numbers change, and when do they not.

Signal has told BleepingComputer that there have been no changes made to the source code that concern safety numbers.

Signal’s VP of Engineering, Jim O’Leary further states that any updates made recently were part of normal maintenance updates, and explains why safety numbers may not change in all circumstances.

The subsequent responses to researchers’ reports by Signal provide us a better understanding of how Signal safety numbers work, when do they change, and when not.

Signal’s CEO, Moxie Marlinspike stepped in on Twitter to shed light on the circumstances when the safety numbers not change:

“You tried (and reported) installing on a new device using Signal device transfer, and you tried cycling a linked device.”

“These do not result in SN change notifications, because the underlying key material has not changed, so there is nothing to warn,” explained Marlinspike.

By “key material,” Marlinspike is referring to what forms the basis of safety numbers and how they are generated, as explained in his 2016 and 2017 blog posts.

Furthermore, in the same Twitter conversation, Marlinspike adds that the researchers’ report covers a case of Signal device transfer, followed by the cycling of linked devices.

However, when uninstalling or reinstalling Signal on an unlinked device, the Safety Numbers are supposed to change, and that “this is how it always worked and was supposed to work.”

Had Signal sneakily patched any issues described in the report, being open-source, their GitHub commit history would reveal the changes:

The original purpose of safety numbers is to allow users to verify the security of their messages and calls with specific contacts.

“Each Signal one-to-one chat has a unique safety number that allows you to verify the security of your messages and calls with specific contacts.”

“Verification of safety numbers is a good security practice for sensitive communication. If a safety number has been marked as verified, any change must be manually approved before sending a new message.”

“This allows users to check the privacy of their communication with a contact and helps protect against any attempted man-in-the-middle attacks,” reads Signal’s support docs.

Therefore, if the Safety Number between you and your contact changes and both of you get alerted, it is a good idea to verify that you are communicating with the intended person.

But, as Signal explains it, not all cases of app re-installation or migration may lead to a safety number change, and that is no cause for concern.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us