signalapp / Signal-iOS

A private messenger for iOS.
https://signal.org
GNU Affero General Public License v3.0

Allow users to password protect the Signal app #738

Closed runasand closed 5 years ago

runasand commented 9 years ago

I frequently talk to journalists who say that it would be great if Signal allowed users to password protect the app, similar to what you can do with TextSecure on Android.

FredericJacobs commented 9 years ago

I'm trying to understand the threat model here. I think it does make sense if you don't want your toddler that plays a game (on your unlocked phone) to send messages to your Signal contacts.

What would be the advantage of password-locking Signal if you have already password-locked your iPhone with a strong alpha-numerical passphrase?

Password protection was implemented on Android because Android didn't have widely supported media partition encryption back then. But on iOS, if you have a long alphanumerical password on your lockscreen your data is already encrypted by the operating system (Signal integrates the NSFileProtectionClasses to achieve that). So what's the point of asking the user another time for his password? I do understand how it can be useful in some specific cases but I'm wondering if it's worth the engineering effort.

runasand commented 9 years ago

While you and I may have strong alpha-numerical passphrases on our phones, most users stick with short, numerical ones. An attacker who is able to guess or learn the passphrase, or force the user to unlock her device, can then easily see what the user has been up to.

We should be teaching users to create stronger passwords. In addition, it would be great if Signal gave the user the option to password protect the app with a strong alpha-numerical passphrase (and not just a simple numerical one).

FredericJacobs commented 9 years ago

But what would be the advantage of this? If an adversary is able to force a user to unlock her device, he could also ask her to unlock the TextSecure app, right?

So it's not a solution to that threat case. Unless we have a hidden volume kind of solution, but that requires more engineering effort than we're able to put on this currently.

runasand commented 9 years ago

In the scenario that I linked to in my previous comment, it was clear that she had to unlock her phone and open a few apps before she could board a flight to the U.S. If her phone had been taken away from her at that point, the adversary would have had the access required to pull all sorts of information from it. If she had Signal installed and also password protected that app, her communications would have remained safe even if the unlocked phone was taken away from her.

I have asked a few journalist friends to comment and elaborate on why password protecting the app itself would be beneficial.

TheStash commented 9 years ago

@FredericJacobs in an oppressive government the local police ask you to unlock your phone when you are just a suspect, there is no court order or whatever... you are just asked to unlock it and if you don't you'll see the consequences... there is torture and everything you would like not to see, all this while you are just a suspect with nothing held against you. This is also why we asked that there should be a way to send self-destructive messages (ex: https://support.silentcircle.com/customer/portal/articles/1645090-what-is-the-%E2%80%98burn-notice%E2%80%99-and-how-do-i-use-it-) because sometimes people who communicate something which talks about the government's wrongdoing are held because of a previous message that they have no control over after sending... there should be a way that senders control what they have communicated or are willing to communicate under certain circumstances.

TheStash commented 9 years ago

I agree with @runasand's last comment and would like to point out that local police may be less technical and might only accept that you unlocked your device, on the other hand a forensic lab using something like Cellebrite or similar forensic tools would have to do another job decrypting your password/passphrase encrypted chats... having those kinds of features would differentiate Signal in comparison to WhatsApp and Telegram and all other apps that claim to be "secure" because the more apps communicating in their marketing that they are "secure" there is no tangible way for less technical users to differentiate between one "secure" and another, so tangible features like those would help increase adoption then.

Alfinger commented 9 years ago

I also would like to have separate password protection because many already use fingerprint to unlock their phones. And I have read that police in US can force you to unlock your phone this way but legally cannot immediately force you to unlock by code. But I also think that maybe the first argument which Fred brought himself is more valid than most others. Prevent your toddler (friend, partner, boss) from accessing your secret chats even if they spied your phone password (maybe not your toddler). And it's really easy to spy 4-digit numerical pw which most people use.

danielschonfeld commented 9 years ago

@Alfinger +1 - Fingerprints, being a physical detail and not a memorized one, are not protected by the 5th amendment. Meaning the police can come knocking on your door forcing you to give your fingerprint which will unlock your iPhone or any iDevice that supports that. If you have a sensitive conversation, it might end up being used against you.

Should you have had the option of protecting with a password, you could not, by virtue of the 5th amendment, be compelled to divulge it and therefore self-incriminate by being forced to open your iPhone.

cc @FredericJacobs - the above is an example of being forced to open your iPhone but not being forced to open Signal.

I'll even go a step further. There might be room to enhance protection for people operating in extremely sensitive regions by allowing them to record an extra password that would wipe all previous conversations and history. So you could in the presence of a hostile interrogation input the wrong password, be told that it's wrong but behind the scenes it would clear all data from Signal and then introduce the correct password to appease your interrogators.

michaelkirk-signal commented 5 years ago

Signal on iOS has since added a lockscreen (for a while now).