Signal App - Mobile Device Forensics
- rich4285
As a mobile device forensics expert, I was intrigued by the Trump administration snafu of inviting a reporter to a cell phone text group using the Signal app. I won't go into it here, but there has been a long history of cell phone devices and apps that marketed "secure" communications, with some of those targeting, let's say, not-so-above-board groups of individuals. At least one of those was infiltrated by the FBI, which was able to read all of those "secured" messages. More on that perhaps later.
If you read my blog on WhatsApp, you will know that I found unencrypted message information in the SDCARD folder, which is not even protected by system-level access protocols.
So, I was curious where Signal stored its messages on the phone. I installed Signal on two Android phones and sent various types of messages back and forth, including text, voice memo, photo and video.
I connected my rooted phone to my computer and ran ADB shell commands to try to copy the /data/data directory onto my PC. To my surprise, the whole directory was now encrypted, not just Signal-related data. Below is a screenshot of the output of the ADB shell ls command. Normally I would see the filenames and folders in the directory, but the image below shows that it is all encrypted.

Based on some research, it seems that Signal encrypts the data using SQLCipher at the filesystem level. I then uninstalled Signal and checked the /data/data directory again, and the encryption was gone along with any Signal-related data.
If you are deciding whether to use Signal or WhatsApp and you are concerned with privacy, the obvious choice is Signal. However, there is always the possibility that some government organization has created a backdoor.
One other interesting note is that it encrypted the entire /data/data directory. Whether you use Signal or not, if Signal is loaded on your phone, all the information in this directory is encrypted, adding another level of privacy. I do not believe Cellebrite or GrayKey has the ability to obtain the encryption key and decrypt this data.
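The practical difference between the WhatsApp finding (a plaintext database on the SD card) and a SQLCipher-protected Signal database shows up in the first bytes of the file: every plaintext SQLite 3 file opens with the magic string `SQLite format 3\0`, while a SQLCipher database by default stores a random 16-byte salt in that position, so the whole file looks like random data. The script below is an added triage example, not code from the original post or from Signal; it classifies files already pulled off a device (it does not talk to adb) by checking for that header and, failing that, by measuring byte entropy. The directory layout, file names (`msgstore.db`, `signal.db`, `empty_pages.bin`) and the 7.0 bits/byte entropy threshold are constructed assumptions for the demonstration.

```python
"""Triage helper: tell plaintext SQLite databases from ones that look encrypted.

Added example, not code from the original post. It assumes the files have
already been copied off the device into a local directory and only inspects
bytes on disk; it never talks to adb or to the phone.
"""
import math
import os
import random
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every plaintext SQLite 3 file
SAMPLE_SIZE = 1024                       # bytes examined per file
ENTROPY_THRESHOLD = 7.0                  # bits/byte (assumed cutoff); random data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_db_bytes(sample: bytes) -> str:
    """Classify the leading bytes of a file.

    'plaintext-sqlite'   : carries the SQLite magic header; readable with any SQLite client
    'possibly-encrypted' : no recognizable header and near-random bytes, which is how a
                           SQLCipher database looks (by default it writes a random 16-byte
                           salt where the magic header would be)
    'other'              : neither (empty, low-entropy, or a different format)
    """
    if sample.startswith(SQLITE_MAGIC):
        return "plaintext-sqlite"
    if len(sample) >= 256 and shannon_entropy(sample) >= ENTROPY_THRESHOLD:
        return "possibly-encrypted"
    return "other"


def classify_db_file(path: str) -> str:
    """Read the first SAMPLE_SIZE bytes of a file and classify them."""
    with open(path, "rb") as fh:
        return classify_db_bytes(fh.read(SAMPLE_SIZE))


def triage_directory(root: str) -> dict:
    """Walk a pulled app-data tree and map each file (relative to root) to its verdict."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root)] = classify_db_file(full)
    return results


def build_sample_tree() -> str:
    """Create a constructed sample directory with three files: a real plaintext SQLite
    database holding one message, a file of fixed-seed pseudo-random bytes standing in
    for an encrypted database, and an all-zero file. Returns the directory path."""
    root = tempfile.mkdtemp(prefix="db_triage_")
    plain = os.path.join(root, "msgstore.db")          # constructed name, plaintext sample
    conn = sqlite3.connect(plain)
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO messages (body) VALUES (?)", ("hello from a constructed sample",))
    conn.commit()
    conn.close()
    rng = random.Random(20240101)                       # fixed seed: reproducible "random" bytes
    with open(os.path.join(root, "signal.db"), "wb") as fh:   # constructed name, encrypted-looking
        fh.write(bytes(rng.getrandbits(8) for _ in range(4096)))
    with open(os.path.join(root, "empty_pages.bin"), "wb") as fh:
        fh.write(bytes(4096))
    return root


if __name__ == "__main__":
    for name, verdict in sorted(triage_directory(build_sample_tree()).items()):
        print(f"{verdict:20s} {name}")
```

Run it on a directory of files pulled from a device and anything reported as `plaintext-sqlite` can be opened directly with the `sqlite3` command-line tool, which is exactly the exposure the WhatsApp post described; a `possibly-encrypted` verdict on a file that should be SQLite is consistent with SQLCipher, though the entropy check alone cannot distinguish it from any other random-looking or compressed content.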