Let’s collect past security audits here:

Formal audits

| Year | Auditor(s) | Sponsor | App/Component | Published | Link | Last update / extended |
|---|---|---|---|---|---|---|
| 2013 | iSEC Partners (NCC Group) | Open Technology Fund | RedPhone and TextSecure | :x: | Blog post | |
| 2014 | Frosch et al. | German Ministry of Research and Education | TextSecure Protocol | :white_check_mark: | PDF | |
| 2016 | Schröder et al. | Internet Society | Key fingerprint verification | :white_check_mark: | PDF | |
| 2016 | Cohn-Gordon et al. | Various research grants | Signal Protocol | :white_check_mark: | PDF | July 2019 |
| 2017 | Rösler et al. | | Group chats (legacy/V1) | :white_check_mark: | PDF | |
| 2018 | Doyensec LLC. | Signal Foundation | | :x: | Form 990 | |
| 2019 | K. Kaczyński | | Signal Android database | :white_check_mark: | PDF | |
| 2019 | J. Alwen, S. Coretti and Y. Dodis | European Research Council, NSF | Double Ratchet algorithm | :white_check_mark: | Springer link | |
| 2020 | J. Bobrysheva and S. Zapechnikov | | Double Ratchet algorithm (post-quantum security) | :white_check_mark: | IEEE link | |
| 2020 | Vatandas et al. | | Signal Protocol (cryptographic deniability) | :white_check_mark: | Springer link | |
| 2021 | F. van der Have | | X3DH Protocol (proof of security) | :white_check_mark: | PDF | |
| 2021 | Martiny et al. | | Sealed Sender | :white_check_mark: | PDF | |
| 2021 | Hagen et al. | European Research Council | Contact discovery | :white_check_mark: | PDF | |
| 2021 | Hashimoto et al. | | X3DH Protocol (generic construction) | :white_check_mark: | PDF | |
| 2022 | Jihun Son et al. | | Signal Android (forensic analysis) | :white_check_mark: | Elsevier link | |
| 2023 | Cas Cremers et al. | USENIX | Session-Handling | :white_check_mark: | PDF | |

Less formal audits

| Year | Auditor(s) | App/Component | Issue | Fixed | Link | Last update / extended |
|---|---|---|---|---|---|---|
| 2013 | Grad students in Matthew Green’s Practical Crypto course | RedPhone | Users had to verify an authentication string on every single call | :white_check_mark: | Blog post | |
| 2015 | thaddeus e. grugq | Signal service | The server can see which device sent and received messages, at which time, and to whom | Non-issue [1, 2] | Blog post | |
| 2016 | Jean-Philippe Aumasson and Markus Vervier | Signal Android | The server could add random data to incoming attachments | :white_check_mark: | Blog post | |
| 2018 | Leonardo Porpora | Signal iOS | Someone with access to an unlocked device could bypass the app’s screen lock | :white_check_mark: | Blog post | |
| 2018 | Leonardo Porpora | Signal Desktop | Expired messages could be recovered | :white_check_mark: | Write-up | |
| 2018 | x0rz | Signal profiles | The API can be used to find out which phone numbers are registered | Non-issue [1] | Blog post | |
| 2018 | Iván Ariel Barrera Oro, Alfredo Ortega, Juliano Rizzo, and Matthew Bryant | Signal Desktop | HTML tag injection, RCE | :white_check_mark: | Blog post, Write-up 1, Write-up 2 | |
| 2018 | Alec Muffett and Patrick Wardle | Signal Desktop | Disappearing messages would persist in macOS’s notification center | :white_check_mark: | Blog post | |
| 2018 | Matt Suiche | Signal Desktop | Migrating from the deprecated Chrome app to the new standalone desktop app would leave the user’s data unencrypted on disk | Non-issue [1, 3] | Blog post | |
| 2018 | Nathaniel Suchy | Signal Desktop | The desktop app does not provide at-rest encryption | Non-issue [1, 3] | Blog post | |
| 2019 | Natalie Silvanovich (Project Zero) | Signal Android | Incoming call could be connected without user interaction | :white_check_mark: | Bug report | |
| 2020 | David Wells (Tenable) | Signal calls | Revealing a Signal user’s DNS server can potentially reveal coarse location | :white_check_mark: | Blog post | |
| 2020 | Stephan van Schaik, Andrew Kwong, Daniel Genkin, Yuval Yarom | Private Contact Discovery and Secure Value Recovery | By using a transient execution attack called SGAxe, a malicious Signal server could a) gain access to the hashed identifiers of users’ contacts [4], and b) gain an unlimited number of attempts to brute force users’ passwords [5] | :warning: [6] | Paper (sections V-B and V-C), Patch | |
| 2025 | Soatok | Cryptography review (message and media encryption, ratcheting protocols, key transparency, zkgroups etc.) | None found | Not applicable | Blog post | |

Footnotes

[1] Signal does not claim to protect this information.
[2] Signal is working on solutions.
[3] Only affects local data on the device. Can be mitigated by enabling full-disk encryption.
[4] Only affects contact phone numbers. Can be mitigated by not granting the contacts permission.
[5] Only affects Signal profiles, settings and contacts. Can be mitigated by using a long alphanumeric passphrase.
[6] Patched by Intel. Still waiting for an official statement from Signal.
20 Likes
1 Like

Thanks, I have now added your write-up to the table!

1 Like

This affects a lot of Electron apps but Signal is used as an example:

Could the audit history be posted in reverse chronological order? Audits from 8 years ago aren’t relevant.

1 Like

Is this resource up to date?

Edit: It pretty obviously is.

New paper from usenix 2023:
https://www.usenix.org/conference/usenixsecurity23/presentation/cremers-session-handling

Formal Analysis of Session-Handling in Secure Messaging: Lifting Security from Sessions to Conversations
[…]
In this work, we initiate the formal analysis of secure messaging taking the session-handling layer into account, and apply our approach to Sesame, Signal’s session management. We first experimentally show practical scenarios in which PCS can be violated in Signal by a clone attacker, despite its use of the Double Ratchet. We identify how this is enabled by Signal’s session-handling layer. We then design a formal model of the session-handling layer of Signal that is tractable for automated verification with the Tamarin prover, and use this model to rediscover the PCS violation and propose two provably secure mechanisms to offer stronger guarantees.

3 Likes

K-Waay: Fast and Deniable Post-Quantum X3DH without Ring Signatures

The Signal protocol and its X3DH key exchange core are regularly used by billions of people in applications like WhatsApp but are unfortunately not quantum-secure. Thus, designing an efficient and post-quantum secure X3DH alternative is paramount. Notably, X3DH supports asynchronicity, as parties can immediately derive keys after uploading them to a central server, and deniability, allowing parties to plausibly deny having completed key exchange. To satisfy these constraints, existing post-quantum X3DH proposals use ring signatures (or equivalently a form of designated-verifier signatures) to provide authentication without compromising deniability as regular signatures would. Existing ring signature schemes, however, have some drawbacks. Notably, they are not generally proven secure in the quantum random oracle model (QROM) and so the quantum security of parameters that are proposed is unclear and likely weaker than claimed. In addition, they are generally slower than standard primitives like KEMs.

Symmetric ratchets and one-way key chains play a vital role in numerous important security protocols such as TLS 1.3, DTLS 1.3, QUIC, Signal, MLS, EDHOC, OSCORE, and Apple PQ3. Despite the crucial role they play, very little is known about their security properties. This paper categorizes and examines different ratchet constructions, offering a comprehensive overview of their security. Our analysis reveals notable distinctions between different types of one-way key chains. Notably, the type of ratchet used by TLS 1.3, Signal, and PQ3 exhibit a significant number of weak keys, an unexpectedly high rate of key collisions surpassing birthday attack expectations, and a predictable shrinking key space susceptible to novel Time-Memory Trade-Off (TMTO) attacks with complexity ≈ N^(1/4). Consequently, the security level provided by e.g., TLS 1.3 is significantly lower than anticipated. To address these concerns, we analyze the aforementioned protocols and provide numerous concrete recommendations for enhancing their security, as well as guidance for future security protocol design.

3 Likes
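The "shrinking key space" and "collisions surpassing birthday expectations" that the abstract above attributes to one-way key chains can be measured directly on a toy-sized chain. The following is an added, constructed illustration for this thread, not code from the paper or from any of the protocols it names: it models a symmetric ratchet as next = KDF(current) with a 12-bit chain key (so every key can be enumerated), uses truncated SHA-256 as a stand-in KDF, and compares the measured reachable key space with the random-mapping prediction. The state size, the KDF choice and all function names are assumptions of the toy.

```python
"""Toy model of a symmetric ratchet / one-way key chain.

Constructed illustration: chain keys are truncated to STATE_BITS so the whole
key space can be enumerated and the shrinking-image effect measured exactly.
This is not the KDF or chain construction of TLS 1.3, Signal or PQ3.
"""
import hashlib
import math

STATE_BITS = 12          # toy parameter; real chain keys are 256 bits
N = 1 << STATE_BITS      # size of the toy key space (4096 keys)


def ratchet_step(chain_key: int) -> int:
    """Derive the next chain key from the current one (next = KDF(current)).

    SHA-256 truncated to STATE_BITS behaves like a random function on the
    key space; it stands in for the HKDF/HMAC step of the real protocols.
    """
    digest = hashlib.sha256(b"toy-chain-key|" + chain_key.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:2], "big") & (N - 1)


def reachable_key_space(steps: int) -> list:
    """Number of distinct chain keys still reachable after 0..steps steps.

    Starts from every possible key and ratchets the whole set forward;
    sizes[k] is the size of the image of the k-th iterate of the KDF.
    """
    current = set(range(N))
    sizes = [len(current)]
    for _ in range(steps):
        current = {ratchet_step(k) for k in current}
        sizes.append(len(current))
    return sizes


def collision_probability(steps: int) -> float:
    """Exact probability that two independent, uniformly random starting keys
    hold the same chain key after `steps` ratchet steps.

    For fresh uniform keys (steps == 0) this is the birthday baseline 1/N;
    ratcheting concentrates keys on a shrinking image and raises it.
    """
    counts = {}
    for start in range(N):
        key = start
        for _ in range(steps):
            key = ratchet_step(key)
        counts[key] = counts.get(key, 0) + 1
    return sum((c / N) ** 2 for c in counts.values())


def expected_image_fraction(steps: int) -> float:
    """Random-mapping prediction for the fraction of keys still reachable
    after `steps` iterations: 1 - tau_k with tau_0 = 0 and
    tau_{k+1} = exp(tau_k - 1) (Flajolet-Odlyzko random mapping statistics).
    """
    tau = 0.0
    for _ in range(steps):
        tau = math.exp(tau - 1)
    return 1.0 - tau


if __name__ == "__main__":
    sizes = reachable_key_space(20)
    for k in (0, 1, 2, 5, 10, 20):
        predicted = expected_image_fraction(k) * N
        print(f"after {k:2d} steps: {sizes[k]:4d} of {N} keys reachable "
              f"(random-mapping prediction ~{predicted:6.0f})")
    print(f"collision probability, fresh keys: {collision_probability(0):.6f} "
          f"(birthday baseline 1/N = {1 / N:.6f})")
    print(f"collision probability, 10 steps : {collision_probability(10):.6f}")
```

Running it shows the reachable key space dropping to roughly 63% of N after one step and to well under 20% after ten, tracking the random-mapping prediction, while the probability that two independent chains share a key after ten steps is several times the 1/N birthday baseline. The same measurement can be repeated with a KDF variant that also absorbs a step counter or fresh entropy to see how the image behaves under a different construction.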

New paper from RWC 2024 demonstrating an injection attack against Signal’s (on-device/offline) backup:

paper
RWC 2024 talk recording

Signal already fixed this:

Signal acknowledged our vulnerability and have already included hiding boundaries between ciphertexts in their v1 revision to their Android backup file format.

6 Likes
5 Likes