Signal encryption key vulnerability being fixed on Mac

Signal Encryption Key Vulnerability Finally Being Fixed for Desktop Apps

A long-standing weakness in how Signal’s desktop apps store their encryption key is finally being addressed. The fix will fully secure the Mac app, but a compromise solution will be offered for the Windows version.

The Signal desktop apps store messages in an encrypted SQLite database. The database key is generated automatically and stored in a plain text file on the local machine. This has left the key exposed to any malware that can read unencrypted local files, which can then use it to decrypt the messages.

Security researchers have been highlighting this issue for six years, advocating for the database to be encrypted with a user password. Despite initial dismissals from Signal, recent pressure from researchers and developers has led to a solution.

In response to a merge request from developer Tom Plant, Signal has implemented support for Electron’s safeStorage API. This will secure the encryption key using Keychain on Mac and a similar method on Windows, offering improved security for both versions of the desktop app.
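The change described above, sketched as an added example; it is not Signal's code or the code from the merge request. The config field names `key` and `encryptedKey` and both function names are assumptions, and `safeStorage` is passed in as a parameter so the logic runs outside Electron (in an app, pass `require('electron').safeStorage`).

```javascript
// Added example. Field names `key` / `encryptedKey` are assumptions, not taken
// from the article. `safeStorage` must provide Electron's isEncryptionAvailable(),
// encryptString() and decryptString().

// Move a plaintext database key in a parsed config object under OS protection.
// Returns { config, migrated, reason }; the caller writes `config` back to disk.
function migrateKey(config, safeStorage) {
  if (typeof config.encryptedKey === 'string') {
    // Already migrated: make sure no plaintext copy lingers beside it.
    const { key, ...rest } = config;
    return { config: rest, migrated: false, reason: 'already-encrypted' };
  }
  if (typeof config.key !== 'string') {
    return { config, migrated: false, reason: 'no-key' };
  }
  if (!safeStorage.isEncryptionAvailable()) {
    // No OS keystore: keep the old behaviour rather than lose the key.
    return { config, migrated: false, reason: 'encryption-unavailable' };
  }
  const blob = safeStorage.encryptString(config.key); // Buffer
  // Verify the round trip before discarding the only plaintext copy.
  if (safeStorage.decryptString(blob) !== config.key) {
    return { config, migrated: false, reason: 'round-trip-failed' };
  }
  const { key, ...rest } = config;
  return {
    config: { ...rest, encryptedKey: blob.toString('hex') },
    migrated: true,
    reason: 'ok',
  };
}

// Recover the database key at startup; falls back to a legacy plaintext key.
function loadKey(config, safeStorage) {
  if (typeof config.encryptedKey === 'string') {
    return safeStorage.decryptString(Buffer.from(config.encryptedKey, 'hex'));
  }
  if (typeof config.key === 'string') return config.key;
  throw new Error('config holds no database key');
}
```

Removing the plaintext field protects only the rewritten file; earlier copies of the config in backups or snapshots still contain the key.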

With these changes, Signal users can expect a more secure messaging experience on their desktop devices, protecting their data from potential threats.
