Encrypted communications app Signal received an update yesterday that enabled video calling for the first time, but the latest version also brings CallKit support to the platform, which may leave some privacy-conscious users wary.
Introduced in iOS 10, the CallKit SDK allows incoming calls from third-party VoIP apps to appear on the iOS lock screen and recent calls list, just like standard cellular IDs do. The concern among the privacy community is that their call data – including who they called and how long they spoke for – could be synced to iCloud.
In a blog post announcing the new beta features, Signal developers Open Whisper Systems noted that like video calling, CallKit integration is optional, and those concerned about data leakage can turn the support off in settings (Settings -> Advanced -> Use CallKit). The developers also told Wired that in the future, CallKit might only display "Signal users" in an iPhone's call log, to prevent the disclosure of identifying information.
Back in August, Russian security firm Elcomsoft discovered that iPhones automatically send a user's call history to Apple's servers if iCloud is enabled, and that in many instances the data is uploaded without any user notification. The fear among privacy-minded users is that state actors could theoretically gain access to this information through cooperation with Apple, or that hackers could crack iCloud passwords and break into accounts.
More recently Elcomsoft revealed that when iPhone and iPad users permanently deleted their Safari browser history off their devices, iCloud had been storing that history for several months to over a year, before Apple reportedly fixed the issue. Concerned users are advised to turn off iCloud backups to keep their browsing history private, and be sure to check out the MacRumors Safari privacy guide for more useful information regarding browser settings on iOS devices.
Signal Private Messenger is a free download for iPhone and iPad, available on the App Store.
Top Rated Comments
"Call Blocking & Identification", the setting referred to here that can be set up through Apple's CallKit API, is always optional and needs to be explicitly turned on by the user as it is off by default. This is because Apple built it that way and not because Signal did something extra.
Yes, and I have that off because I'm a bit of a privacy whack-a-doodle. I'd like control over iCloud extended into other areas though as well such as forbidding Safari history from syncing or eliminating iMessage from backups. Ideally I'd like individual encryption keys on iCloud backup altogether (opt-in and warning us that if we lose the key the backup becomes useless as even Apple would not be able to decrypt the data) so I would feel comfortable using the service; currently I only back up locally to media I control and use encryption solely in my possession.