Apropos of nothing in particular….

Wednesday, March 26, 2025 

Signal is well-reputed as a messaging platform that is more secure than, say, Telegram, but less secure than, say, Briar. Signal does not run their own servers and doing a quick ss -atp | grep signal on my computer with the desktop client open, I found Signal making connections to these servers:

Typical ss output:

ESTAB      0      0      192.168.100.51:49930       13.248.212.111:https       users:(("Signal-desktop",pid=1333428,fd=38))
ESTAB      0      0      192.168.100.51:49916       13.248.212.111:https       users:(("Signal-desktop",pid=1333428,fd=27))
ESTAB      0      0      192.168.100.51:47174         3.165.206.17:https       users:(("Signal-desktop",pid=1333428,fd=84))
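The ss check above can be turned into a per-process summary of remote endpoints, which is the same list of peers that the network path and the hosting provider see. This is an added example, not code from the original post: the function names are hypothetical, it assumes the `ss -atp` column layout shown above, and the header, LISTEN, firefox and IPv6 sample lines are constructed.

```python
"""Summarise which remote endpoints a process holds TCP connections to,
from `ss -atp` output (added example; not from the original post)."""
import re
import sys
from collections import Counter

# One owner entry inside the users:(("name",pid=N,fd=N),...) column.
_OWNER = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=(?P<fd>\d+)\)')

# The first three Signal lines are from the post; the header, LISTEN, firefox
# and IPv6 lines (192.0.2.x, 2001:db8::) are constructed for this example.
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port    Process
LISTEN 0      128    0.0.0.0:ssh          0.0.0.0:*
ESTAB  0      0      192.168.100.51:49930 13.248.212.111:https users:(("Signal-desktop",pid=1333428,fd=38))
ESTAB  0      0      192.168.100.51:49916 13.248.212.111:https users:(("Signal-desktop",pid=1333428,fd=27))
ESTAB  0      0      192.168.100.51:47174 3.165.206.17:https users:(("Signal-desktop",pid=1333428,fd=84))
ESTAB  0      0      192.168.100.51:40000 192.0.2.10:https users:(("firefox",pid=4242,fd=99))
ESTAB  0      0      [2001:db8::51]:40002 [2001:db8::10]:https users:(("Signal-desktop",pid=1333428,fd=90))
"""


def split_endpoint(endpoint):
    """'addr:port' -> (addr, port); also handles bracketed IPv6 '[addr]:port'."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), port


def parse_ss_line(line):
    """Return one record per owning process; [] for headers and ownerless sockets."""
    fields = line.split()
    if len(fields) < 6 or not fields[1].isdigit():
        return []
    remote_addr, remote_port = split_endpoint(fields[4])
    owners = _OWNER.finditer(" ".join(fields[5:]))
    return [
        {"state": fields[0], "process": m["name"], "pid": int(m["pid"]),
         "remote_addr": remote_addr, "remote_port": remote_port}
        for m in owners
    ]


def remote_endpoints(ss_output, process_substring):
    """Count established sockets per (process, remote addr, remote port).

    Matching is case-insensitive, so "signal" matches "Signal-desktop".
    """
    wanted = process_substring.lower()
    counts = Counter()
    for line in ss_output.splitlines():
        for rec in parse_ss_line(line):
            if rec["state"] == "ESTAB" and wanted in rec["process"].lower():
                counts[(rec["process"], rec["remote_addr"], rec["remote_port"])] += 1
    return counts


def addresses_to_look_up(counts):
    """Distinct remote addresses, i.e. the input for the ASN/geo lookups."""
    return sorted({addr for (_proc, addr, _port) in counts})


if __name__ == "__main__":
    # Pipe real output in (ss -atp | python3 this_file.py) or run on SAMPLE.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    summary = remote_endpoints(text, "signal")
    for (proc, addr, port), n in summary.most_common():
        print(f"{proc:16} {addr:>20}:{port:<6} sockets={n}")
    print("look up:", ", ".join(addresses_to_look_up(summary)))
```
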

Doing lookups (from a previous connection, the servers change a bit depending on when you connect) I found:

76.223.92.165:https AS16509 Amazon.com, Inc. 47.6043, -122.3321
34.117.136.13:https AS396982 Google LLC 39.0997, -94.5786
13.248.212.111:https AS16509 Amazon.com, Inc. 47.6275, -122.3462

Google and Amazon know who’s talking to whom, when, from where, and how much data they’re sending (but probably not the actual message contents). It is possible one would have to request the connection logs to the Signal services running in both the Google and AWS clouds to build a full metadata path, but that hardly seems daunting.

Wireshark lets you monitor communication as it moves across the link, and this is what anyone on the Google/AWS end of a Signal com link also has visibility into. This is data from outside the app boundary, where messages are encoded and protected, but messages going across the public interwebs must still contain the meta-information necessary for routing and network handling, which can itself be a major security risk depending on one’s adversary model.

Time            Source          Destination     Protocol Length Info 
4.920825221	192.168.100.51	13.248.212.111	TLSv1.2	 2157	Application Data

I included detailed metadata for a sample Application Data Transfer between Signal desktop and a Signal server below. Note that the contents of the messages are encrypted, that’s the TLS Encrypted Payload of the message and I myself have no way of decrypting it. Moxie’s crypto is well reputed, well reviewed, and well vetted. I’m fairly confident there’s no straightforward flaw that would render the Encrypted Application Data to plaintext, which is fine and comforting as far as that goes. However, one needs to keep in mind that while this capture from my computer only shows that my computer 192.168.100.51 94:57:a5:xx:xx:xx is talking through the Huawei gateway (yikes! so the PLA also knows all of this too) at MAC dc:99:14:57:52:95 and that I’m talking to the Signal server at 13.248.212.111, that server, the one at 13.248.212.111, has to know where the other end of this chat is connected to and anyone sniffing all the traffic coming and going to the Signal server, as whoever is hosting the server (AWS or Google) can easily do, can therefore correlate the TLS encrypted payloads and other metadata to reconstruct the conversations: who’s talking to whom, exactly when, how much data they’re sending each other, and where they are talking from (yes, using a VPN might obfuscate that source IP information).

Imagine a salacious, non-national security scenario: someone suspects their spouse has untoward plans with another: would not their chat logs showing everyone they messaged, including, say, some ex and the file sizes being transmitted, generally indicating graphic media, the times those messages are sent and the location from which they are being sent potentially be admissible in divorce court?

It is useful to note that this raw network data does not seem to have any obvious user identifier data—nothing that I have the skillz to extract from the Wireshark data at least—but the IP data that is visible can be easily enough correlated to actual user names with a trivial additional subpoena to Google or AWS by identified IP, as their data centers absolutely host owned and operated services like Gmail or Amazon.com that would contain login information, address data, probably phone numbers and user pictures for the IPs in the chat streams. That is, you connect to a Google-hosted Signal server with the Signal app on a device that also runs any Google service you’re logged in to, and Google has a very high degree of confidence that data streaming from the same endpoint to the Signal server, which we’re somewhat optimistically assuming they do not have visibility into, is coming from the same user at the same endpoint who is simultaneously logged into the Google service, thus de-anonymizing the user.

So, for example, we might start with a request for all traffic connecting to the Signal servers as observed at the ISP – that’s all incoming and outgoing data for everyone using Signal with all of the detailed metadata shown below. Then, by correlating the Encrypted TLS payload data as a message identifier as it goes in to and then out of the Signal server from sender to recipient(s), we can build a connection map of all Signal users during the capture window; that is, a network map of all the chat connections with time and date and size. We might filter for IPs of interest—for example all USG IPs, then extract that subset and build a tractable set of IPs of interest and then demand all user data held by the company hosting the server for those IPs, whether related to Signal or any other service hosted in the same facility. Thus a large hosting facility like AWS or Google becomes a one stop shop for comprehensive user data. While Signal.org might be reluctant to give up user data or claim they have no further insight, the correlated user data from a major data warehouse like Alphabet or AWS is all the data needed to unmask Signal users and monitor communications frequency and correspondent & group mapping, and track message frequency. This data is as useful as watching troop movements from a persistent satellite to get insight into activities and planning, but all collected with just a few quick requests to entities that are required to support lawful data requests. The assumption that only lawful requests might be served is predicated on an optimistic assumption of incorruptibility that should be questioned if the data is sufficiently sensitive to warrant.

Anyhoo, good to remember what you’re exposing when you think you’re being sneaky. 🕵️


Details

Frame 24: 2157 bytes on wire (17256 bits), 2157 bytes captured (17256 bits) on interface enp0s25, id 0
    Interface id: 0 (enp0s25)
        Interface name: enp0s25
    Encapsulation type: Ethernet (1)
    Arrival Time: Mar 26, 2025 17:25:10.954150575 +03
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1742999110.954150575 seconds
    [Time delta from previous captured frame: 0.555192927 seconds]
    [Time delta from previous displayed frame: 0.555192927 seconds]
    [Time since reference or first frame: 4.920825221 seconds]
    Frame Number: 24
    Frame Length: 2157 bytes (17256 bits)
    Capture Length: 2157 bytes (17256 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:tls]
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Ethernet II, Src: HewlettP_xx:xx:xx (94:57:a5:xx:xx:xx), Dst: HuaweiTe_57:52:95 (dc:99:14:57:52:95)
    Destination: HuaweiTe_57:52:95 (dc:99:14:57:52:95)
        Address: HuaweiTe_57:52:95 (dc:99:14:57:52:95)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: HewlettP_xx:xx:xx (94:57:a5:xx:xx:xx)
        Address: HewlettP_xx:xx:xx (94:57:a5:xx:xx:xx)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.100.51, Dst: 13.248.212.111
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 2143
    Identification: 0x99f7 (39415)
    Flags: 0x40, Don't fragment
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 64
    Protocol: TCP (6)
    Header Checksum: 0x915e [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 192.168.100.51
    Destination Address: 13.248.212.111
Transmission Control Protocol, Src Port: 52168, Dst Port: 443, Seq: 2094, Ack: 159, Len: 2091
    Source Port: 52168
    Destination Port: 443
    [Stream index: 2]
    [Conversation completeness: Incomplete (12)]
    [TCP Segment Len: 2091]
    Sequence Number: 2094    (relative sequence number)
    Sequence Number (raw): 3525513438
    [Next Sequence Number: 4185    (relative sequence number)]
    Acknowledgment Number: 159    (relative ack number)
    Acknowledgment number (raw): 4205312576
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window: 501
    [Calculated window size: 501]
    [Window size scaling factor: -1 (unknown)]
    Checksum: 0x0f95 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - Timestamps: TSval 2613226080, TSecr 761373603
            Kind: Time Stamp Option (8)
            Length: 10
            Timestamp value: 2613226080
            Timestamp echo reply: 761373603
    [Timestamps]
        [Time since first frame in this TCP stream: 3.484784717 seconds]
        [Time since previous frame in this TCP stream: 3.147971607 seconds]
    [SEQ/ACK analysis]
        [Bytes in flight: 2091]
        [Bytes sent since last PSH flag: 2091]
    TCP payload (2091 bytes)
Transport Layer Security
    TLSv1.2 Record Layer: Application Data Protocol: http-over-tls
        Content Type: Application Data (23)
        Version: TLS 1.2 (0x0303)
        Length: 2086
        Encrypted Application Data: bb229f3df6e870cc08909e190031ac9de35a79f008d706a15a61c38649db551895748703…
        [Application Data Protocol: http-over-tls]

The TLS encrypted payload looks like this (typical example). I do not think it is decodable without a quantum computer or if you happen to know that the TLS key space has been reduced enough to make brute force tractable.


A closing note about chat security problems and solutions

Most people run chat apps on their phones and that’s intrinsically insecure. Your phone, whether Android or iOS-based, is fundamentally insecure and effectively unsecurable. The nature of the underlying operating system, the scale of use, and the number of people attempting to find flaws guarantees that there are, in the wild, “zero day” hacks floating around. These are quite valuable to people trying to monitor high value targets and so probably won’t be wasted on you if you’re not such a target, but the risk is non-zero and if you’re not careful and diligent about updating, your phone is insecure, guaranteed. That’s what all those patches are for, fixing hacks that people found that gave them access: when those stop coming, your phone is insecure the next day.

If you’re not a high level threat, it is unlikely that your phone itself will be targeted by a crack for which there is no patch – that is if you keep your device updated to protect against the already exposed (and therefore low value) hacks, you’re unlikely to be picked as a target for a zero day (undiscovered, and therefore extremely high value, like $1,500,000 each value) hack.

This accounting is far less valid at core services which are global jackpot targets.  Each individual on such a service themselves might be nearly worthless, but in aggregate all users of a service like Signal or Gmail or whatever are absolute bank and where there’s money to be made, there are people working hard to make it.  It is not paranoid to consider your own vulnerabilities to traffic analysis as described above – and note we’re not assuming any flaws in the cryptography or security of either the Signal app or the Signal servers, we’re just considering the data leaked intrinsically by connecting to a “cloud” end point, especially one with a high degree of network visibility, such as a major provider like AWS or Google.

So it is worth considering the balance of ease of use vs. security.  It is my opinion that Signal has an excellent balance of ease of use vs. security for most casual users of chat.  It is good enough for individually private data where the threat model is another individual.  It is not remotely sufficient for a state-sponsored antagonist, having zero resistance to traffic analysis at the server and end-device compromise (e.g. a high value phone hack like Pegasus, say).

I know of at least one chat service that provides far better protection against traffic analysis and would not be vulnerable to the attack outlined above: Briar, and two phone platforms that provide better security than iOS or Android: Linux phones and a specialty phone designed purely for secure messaging, the Sotera SecurePhone.

Briar’s special sauce is that it is a peer-to-peer chat tool that uses either local comms (no interwebs required) over LAN or Bluetooth or peer to peer connections over Tor. It is a pain in the butt in that it is tied to a single device, no desktop client, lose the device and you lose the chat and your address book.  And it is more than a little challenge to build that address book.  Plus, for messages to move, you generally need to have both the sender and receiver on and connected at the same time, no store-and-forward. But it is about as secure as chat from a mobile device can get (assuming no flaws in the cryptography).

There are two phone platforms one could make that would provide significantly enhanced security, though neither is going to come with a lot of hardware diversity like Android users love (and iOS people clearly just want to show off the logo): either a Linux-based phone, which is going to have security through obscurity because nobody uses Linux phones like the PinePhone, which can be secured, or the Sotera SecurePhone, which runs a very secure (EAL 6+!) OS, but which only supports voice/text chat. That is, it is very unlikely to be a replacement for a regular phone, but if you really need truly secure messaging and don’t want to carry an AN/PRC-148, it is about the only game in town.

Posted at 08:59:33 GMT-0700

Category: Cell phones, Geopost, Linux, Politics, Privacy, Security, Technology