There’s been a lot of concern in the past few days about Signal being compromised in light of the WikiLeaps CIA dump, but the bottom line is that any compromise is likely within your phone itself and has nothing to do with your secure messaging app, the encryption it uses, or the messaging company’s servers.
From the New York Times:
Neither Signal nor WhatsApp, for example, appears by name in any of the alleged C.I.A. files in the cache. (Using automated tools to search the whole database, as security researchers subsequently did, turned up no hits.) More important, the hacking methods described in the documents do not, in fact, include the ability to bypass such encrypted apps — at least not in the sense of “bypass” that had seemed so alarming. Indeed, if anything, the C.I.A. documents in the cache confirm the strength of encryption technologies…
In other words, the cache reminds us that if your phone is hacked, the Signal or WhatsApp messages on it are not secure. This should not come as a surprise. If an intelligence agency, or a nosy sibling, can get you to install, say, a “key logger” on your phone, either one can bypass the encrypted communication app. But so can someone looking over your shoulder while you use your phone. That is about the vulnerability of your device. It has nothing to do with the security of the apps.