Signal Users' 'Disappearing Messages' Are Saved Indefinitely On macOS

Signal Desktop

According to reports from users, Signal’s “disappearing messages” (self-destructing messages) are not actually disappearing on macOS machines.

Signal’s Disappearing Messages

Signal's developers introduced the disappearing messages feature two years ago, which was a good complement to the app’s end-to-end encryption, leading to increased user privacy.

Signal’s best privacy feature remains end-to-end encryption, because that’s what’s actually keeping the messages private and limited to the people in the conversation. Not even the Signal team can see those messages, nor can anyone who may hack its servers.

Without end-to-end encryption, disappearing messages wouldn’t offer too much privacy, because both the Signal team or malicious parties hacking its servers could get those messages. However, when the two features are used together, the users are first guaranteed that their messages are private, and then that any hacker who may attempt to hack their own devices won’t have too big a window to steal those messages. Disappearing messages can be set from 5 seconds to 1 week.

Why macOS Stores Signal’s Messages

The issue here seems to be related to macOS’ notification system, which copies the messages you get from Signal (and presumably from other messengers, too). That means that even if you set the messages to disappear in one hour or one day, you may still see the messages in the Notification Center several days later, as Alec Muffet, the user who first noticed this issue, claimed happened to him.

The Notification Center was introduced in OS X 10.10 (Yosemite) to help you “catch up on notifications you missed,” as Apple said at the time. Signal, like other messengers, integrates with the Notification Center so that users can see the messages they receive even when their app is not open in the foreground.

This macOS feature essentially nullifies the disappearing messages feature of Signal.

Fixing Signal's Disappearing Messages On macOS

Apple could probably update its Notification Center so that when the user or the app itself deletes the messages, then they also disappear from the Notification Center.

However, in the meantime, Signal's developers should be able to code the same thing into their app, or simply disable the integration with the Notification Center altogether, if nothing else works.

Using the Notification Center for an app such as Signal is also a little risky, because in the future Apple may start syncing those messages to its cloud servers, as it tries to offer more convenience features to users.

At that point, Signal’s end-to-end privacy guarantees would be as weakened as they are in iMessage, where everyone’s messages are uploaded to Apple’s servers by default as “backup.” However, that also means Apple, malicious actors hacking Apple’s servers, or law enforcement can gain access to those messages.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • lperreault21
    yet another reason why not to get a apple
  • Christopher1
    LPERREAULT21, the fact is that this is just a design oversight. Every so often notifications if old should be 'purged' and the OS just was not doing it here.
  • hellwig
    So why are your encrypted messages being sent unencrypted to the OS for inclusion in a notification application? Doesn't that essentially defeat the entire purpose? Sounds like an issue governments could easily exploit. Rather than force Signal to abandon end-to-end encryption, why not just force Apple to install a Notification spy?

    And if you think I'm crazy, forcing companies to store plain-text copies of data has already been proposed by some governments:
  • genz
    Hellwig, I see it similarly to you. Apple were already listed as a 1st tier partner in PRISM since 2012. The likelihood of backdoors to higher level national security (NSA etc) interests is almost guaranteed whether they know about it or not. Its a matter of justification. Nat. Sec. will use it if it justifies the bad rap they would get, or if they know nobody will notice. Backdoors are bad for everyone, as it only takes 1 other to find them and they would be inherently untraceable in their attack.