Signal Messenger: 2026

Signal is the closest thing to a trustworthy commercial messaging app. End-to-end encryption is on by default, the protocol is open and audited, and the organization behind it collects almost nothing about you. But "secure by default" only gets you to the starting line. Out of the box, Signal still leaks your phone number to everyone you talk to, keeps your messages forever, and will happily let someone re-register your number on their own phone if they can intercept one SMS. Fixing that takes about fifteen minutes and a handful of settings.

This guide consolidates and replaces the two older SparkForge Signal posts. Signal's privacy model changed significantly with version 7.0 — usernames, phone-number hiding, and the new encrypted backup system didn't exist when those were written — so treat this as the current reference. Settings paths differ slightly between Android and iOS; where they diverge, it's noted, but the structure is the same on both. Everything starts with your profile icon in the top-left corner, where Settings lives.

Work through the sections in order. Each one explains why it matters, then tells you exactly what to do.

1. Lock Down the Account Itself

This is the single most important section, and the part most people skip. Before touching any privacy toggle, secure the account so nobody can steal it. The PIN protects your saved settings; Registration Lock stops a SIM swap or an intercepted verification SMS from being enough to re-register your number.

Do this:

  1. Open Settings → Account.
  2. Tap Signal PIN and set one if you don't have it already. Make it a strong alphanumeric PIN, not four digits.
  3. Save that PIN in your password manager. Signal cannot reset it for you — there is no recovery.
  4. Back in Settings → Account, enable Registration Lock.
  5. Set a carrier-level SIM / port-out PIN with your mobile provider for defense in depth against the SIM-swap itself.

Know the trade-off: with Registration Lock on, forgetting your PIN locks you out of your own account for up to seven days. That's by design, and it's the right trade. If you ever get an SMS verification code you didn't request, someone is trying to register your number elsewhere — Registration Lock is what prevents that attempt from succeeding.

2. Hide Your Phone Number and Set a Username

This is the biggest change since the old guides. You no longer have to hand out your phone number to use Signal. Two settings control whether people can see your number and whether they can find you by it; a username gives them another way to reach you that isn't tied to a permanent identifier.

Do this:

  1. Open Settings → Privacy → Phone Number.
  2. Set "Who can see my number" to "Nobody".
  3. Set "Who can find me by my number" to "Nobody".
  4. Go to Settings → Profile and tap to create a username. Signal appends at least two digits to keep it unique.
  5. Share your username as text, a QR code, or a URL (the URL doesn't contain the username text) — not your phone number.
  6. If a username ever gets to the wrong people, return to Settings → Profile and reset it. The old one stops working; your existing conversations are untouched.

Know the caveat: anyone who already has your number saved in their contacts will still see it — they already know it. Hiding your number protects you from new contacts and from people in group chats who don't already have you. A username is not a social-media handle: it isn't your display name, it isn't visible to people you're already chatting with, and it exists only to start a conversation without exposing your number.

3. Set Your Privacy Defaults

These controls govern what you broadcast about your activity and how long your messages survive. The goal is to retain less and signal less.

Do this:

  1. Open Settings → Privacy.
  2. Turn Read Receipts and Typing Indicators off (recommended for operational use — note you'll also stop seeing others').
  3. Tap Disappearing Messages and set a default timer for all new chats — a day to a week suits most needs.
  4. Open any existing conversation, tap the contact's name, and set its Disappearing Messages timer individually where you want it higher or lower.
  5. Under App Security, enable Screen Lock and set a sensible timeout — this requires your device's biometric/passcode to open Signal itself.
  6. Enable Screen Security to block screenshots and hide Signal's contents in the app switcher (explicit toggle on Android; iOS blurs the switcher automatically).
  7. On Android, enable Incognito Keyboard so your keyboard doesn't learn from what you type in Signal.

Why it matters: data you don't keep can't be subpoenaed, pulled off a seized device, or screenshotted out of a two-year-old thread. Don't retain history you have no reason to retain.


4. Harden Calls and Sender Privacy

These live one level deeper and close two specific leaks: who can reach you under sealed sender, and whether your IP address is exposed when you make a call.

Do this:

  1. Open Settings → Privacy → Advanced.
  2. For a real lockdown: under Sealed Sender, turn off "allow from anyone" so Sealed Sender is restricted to your actual contacts. This is a restrictive setting: it limits new people and their ability to find you.
  3. Enable Always Relay Calls to route voice and video through Signal's servers instead of connecting peer-to-peer.

Know the trade-off: relaying calls hides your IP from the person you're calling — a raw IP is a geolocation and an ISP subpoena waiting to happen — but it can reduce call quality. Incoming calls from people not in your contacts are relayed regardless.

5. Stop Lock-Screen Leaks

A locked phone still shows notification previews, and "AI" notification summary features will read your message contents aloud to the room. Close that.

Do this:

  1. Open Settings → Notifications → Show.
  2. Select Name Only, or No Name or Content for the tightest setting.

Why it matters: "No Name or Content" tells you something arrived without putting the sender or the text where a shoulder-surfer — or a meeting full of external parties — can read it off your lock screen.

6. Control Backups and Linked Devices

Signal doesn't back up your chats to anyone's cloud by default, and that's deliberate. Backups and extra linked devices both expand your attack surface, so manage them deliberately.

Do this:

  1. If you enable backups, store the recovery key in your password manager — never in a screenshot. (A phishing campaign has specifically targeted Signal recovery keys.)
  2. If you'd rather not keep backups, use device transfer when you upgrade phones — it moves messages directly phone-to-phone (same OS only: iOS→iOS, Android→Android).
  3. Open Settings → Linked Devices and remove anything you don't recognize or no longer use.
  4. Keep linked devices to a minimum — ideally just your phone plus one. Never link Signal on a shared or public machine.

7. Verify Who You're Actually Talking To

Encryption is worthless if you've been encrypting to an impersonator. Safety numbers confirm the person on the other end holds the key you think they hold — but only if you check over a separate, already-trusted channel.

Do this:

  1. Open the chat, tap the contact's name, and tap View Safety Number.
  2. Compare it with them over a second channel — scan each other's QR code in person, or read the number aloud on a video call where you recognize the person. Do not rely on comparing it inside the same Signal chat you're worried about.
  3. Tap Mark as Verified once it matches.
  4. If you ever get a safety-number-changed alert, stop and ask the contact why before sending anything sensitive — a reinstall or new phone is the usual benign cause — then re-verify.
  5. For high-stakes contacts, agree in advance on what you'll both do if a safety number changes unexpectedly.
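
Why the second-channel comparison catches an impersonator, as an added illustration (not Signal's code and not from the original guide): a simplified model of a numeric key fingerprint in which each phone derives the number from both parties' public identity keys. The hashing parameters, the stand-in keys and the identifiers are assumptions made for this sketch, so its output will not match what the app displays.

```python
import hashlib

VERSION = b"\x00\x00"
ITERATIONS = 5200  # work factor chosen for this sketch (assumption)


def fingerprint(identity_key: bytes, stable_id: bytes) -> str:
    """30 digits derived from one party's public identity key."""
    digest = VERSION + identity_key + stable_id
    for _ in range(ITERATIONS):
        digest = hashlib.sha512(digest + identity_key).digest()
    # Six 5-byte chunks, each reduced to a zero-padded 5-digit group.
    chunks = (digest[i:i + 5] for i in range(0, 30, 5))
    return "".join(f"{int.from_bytes(c, 'big') % 100_000:05d}" for c in chunks)


def safety_number(key_a: bytes, id_a: bytes, key_b: bytes, id_b: bytes) -> str:
    """60 digits covering both keys; sorting makes both phones agree."""
    return "".join(sorted([fingerprint(key_a, id_a), fingerprint(key_b, id_b)]))


def constructed_key(label: str) -> bytes:
    """Stand-in for a public identity key (constructed, not a real key)."""
    return hashlib.sha256(label.encode()).digest()


def demo() -> dict:
    alice, bob, mallory = (constructed_key(n) for n in ("alice", "bob", "mallory"))
    return {
        # Honest case: each phone holds the other's real key.
        "alice": safety_number(alice, b"id-alice", bob, b"id-bob"),
        "bob": safety_number(bob, b"id-bob", alice, b"id-alice"),
        # Substitution case: Alice's phone was given Mallory's key as "Bob".
        "alice_substituted": safety_number(alice, b"id-alice", mallory, b"id-bob"),
    }


def grouped(number: str) -> str:
    """Format as space-separated 5-digit groups for reading aloud."""
    return " ".join(number[i:i + 5] for i in range(0, len(number), 5))


if __name__ == "__main__":
    views = demo()
    for who, number in views.items():
        print(f"{who:18} {grouped(number)}")
    print("alice == bob:", views["alice"] == views["bob"])
    print("substitution caught:", views["alice_substituted"] != views["bob"])
```

In the substitution case the two screens show different numbers, which is only noticed if the comparison happens somewhere the substituted key does not control, such as in person or on a video call.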

8. Secure Your Group Chats

The same retention and privacy logic applies inside groups, with a few group-specific controls. The one non-negotiable is approving new members on any join link.

Do this:

  1. Inside the group, tap the group name to open settings.
  2. Set a clear name and description so members know the room's purpose and rules.
  3. Confirm the group's disappearing-message timer — you rarely want a group accumulating years of history.
  4. If you use a Group Link, enable Approve New Members. This is mandatory — without it, anyone with the link walks straight in.
  5. Reset the group link periodically (this invalidates the old one) and protect it like a credential.
  6. Open Permissions and set who can add members, edit group info, and send messages. Lock "send messages" to admins for an alerts/broadcast channel; loosen "add members" only for a small, trusted group.

A Note on Threat Model

None of this makes Signal magic. It runs on your phone, and a compromised phone — malware, a forensic extraction tool, or someone with your unlocked device — can defeat app-level settings no matter how they're configured. Signal protects messages in transit and reduces what's retained at rest; it does not protect a device that's already owned. If your threat model includes a capable adversary with physical or remote access to the endpoint, the hardening above is necessary but not sufficient; the conversation shifts to device security, OS choice, and operational discipline — a different guide.

Two standing habits close it out: keep Signal and your phone's OS updated, and remember Signal will never ask you for your PIN, recovery key, or a verification code inside a chat or call. Anyone who does is running a social-engineering play.
