Signal Messanger Architecture
Introduction
Signal is an end-to-end encrypted communications application for Android and iOS similar to WhatsApp but open source. It uses the TCP/IP (Internet) to send one-to-one and group messages, which can include text, files, voice notes, images and videos, and make one-to-one voice and video calls. For user identification standard cellular mobile numbers are used.
The main system component is the Signal-Server which is maintained by Open Whisper Systems. The source code is available on GitHub (https://github.com/signalapp/Signal-Server) only for audition purposes without providing additional documentation about on premises installations. In the following sections I will provide some information about the system components and their interconnections.
System components
Signal-Server – is the central element of the Signal Messenger ecosystem, being constantly developed by Open Whisper Systems. It manages the registration of new accounts, stores and distributes the public keys of the clients, relays and temporarily stores the end-to end encrypted messages, enforces rate limits in order to avoid denial of service attacks and provides pre-signed URLs to the mobile client for uploading files. Signal-Server is entirely written in Java; source code is available at the following URL: https://github.com/signalapp/Signal-Server . An additional PostgreSQL database and Redis NoSQL object store are needed in order to run the Signal-Server. The configuration is stored in a yml file (at a first glance it seems quite complex) and is passed as a command line argument to the java binaries. Before running Signal-Server the Push-Server must be up and running.
Push-Server – acts as a gateway between Signal-Server and Google Cloud Messaging / Apple Push Notification Service. It is entirely written in Java and the configuration is sored in a yml file which must be passed as an command line argument to the java binaries. Source code is available at https://github.com/signalapp/PushServer . Without the push service the App has to be permanently connected to the Signal-Server in order to receive the messages, thus reducing the battery life of the mobile device or the user hast manually check for new messages by opening the App.
STUN/TURN Server – is a VoIP media traffic NAT traversal server and gateway. It is used for establishing voice and video calls. For this component you can use a standard On-premises or Cloud TURN implementation, such as Linux Coturn (https://github.com/coturn/coturn) which is available as a standard package on the majority of Linux distributions. If you do not need voice/video calls this component can be omitted.
Signal App – is the only visible part to the end user. It is developed and maintained by Open Whisper Systems. At the time of writing there is a Android and an iOS version. A desktop (Linux, Windows, Mac ) version is also available but it lacks registration and calling support, being more like an extension of the mobile App for desktop usage.
Twilio – is a cloud communications platform. In this scenario it allows the Signal-Server to make phone calls and send text messages using its web service APIs. It is used only during the registration phase to confirm the users mobile phone number. Twilio’s services are accessed over HTTP and are billed based on usage.
Amazon S3 (Simple Storage Services) – is a web service offered by Amazon Web Services (AWS). It is used to exchange encrypted files between the Signal clients. In contrast to the text messages which are relayed through the Signal-Server the files are temporarily stored using an external service. The protocol works as follows: the Signal client request an URL from Signal-Server, the server computes a pre-signed URL having a limited validity and sends it to the client, the client uploads the encrypted file to Amazon S3 and then sends the link to its peer. Amazon S3 services are accessed over HTTP and are billed based on usage. If you do not need file transfers this component can be omitted.
Google Cloud Messaging (GCM) – is a mobile notification service developed by Google that enables Signal-Server to send notification data to Signal Apps that target the Android Operating System. GCM is a free service ant it is accessed over HTTP.
Apple Push Notification Service (APNs) – is platform notification service created by Apple Inc. that enables the Signal-Server to send notification data to Signal Apps installed on Apple devices. APNs doesn’t cost anything.
In addition to the end-to-end encryption, the transport between the Signal App and the Signal-Server is secured using TLS and certificate pinning. The Signal-Server implements a API protocol for communicating with the Signal Apps which is available at https://github.com/signalapp/Signal-Server/wiki/API-Protocol (document might be outdated).