Adding a Lock Screen to Signal Desktop
In this post, I will describe the improvements that I have tried to make by contributing to the open source Signal Desktop project on GitHub, as well as by creating my own application patch for Linux and macOS.
I have recently been in full CON mode for DEF CON 28 SAFE MODE, which just ended yesterday. This year, all of the festivities took place on Discord and Twitch, and they pulled it off perfectly without a hitch. However, many of us reminisced about years past and the fun had in Las Vegas, which was the only thing missing this year. One of the upsides of this was not having to worry about your laptop or phone traffic being sniffed or getting hacked. In years past, every precaution was taken — from bringing clean laptops with fresh and disposable Kali installations, to bringing burner phones — and all important communication between friends took place on Signal — the go-to app for private comms.
One of the coolest features of the Signal mobile app is the fact that you can enable an app-based lock screen, which adds a small additional layer of security and privacy. However, I realized this functionality did not exist in the desktop implementations of Signal. After trying unsuccessfully to implement this ability with wrapper applications on various platforms, I set out to look into the code myself and see if there was anything that I could do about it…
The official pull request
The unofficial patch
I took matters into my own hands for the server-side interaction needed in order to implement a fully-functioning application lock screen for Signal Desktop. There are three distinct downsides to going this route — 1) the host requires Node Package Manager (npm) as a dependency, 2) every time Signal Desktop is updated, the patch script will need to be run again in order to update the new installation, and 3) it doesn’t work for Windows.
Believe me — I tried to get a version working for Windows and came extremely close, but the fact is that there is something that Windows just really doesn’t like about extracting ASAR archives, and I used every method I came across — npx package, as well as patches for 7-Zip that work with ASAR archives — none of which were able to unpack and re-pack like they do flawlessly on Linux and macOS. In my pull request, I referenced my patch and requested that, if my official pull request was ever merged into the master branch, the devs consider implementing the functionality of my patch later on down the line, so we will see what the future holds. If they do ever decide to merge my code, Windows users may just be stuck with the pseudo-lockscreen functionality unless a better functionality is released in the future.
Update 8/12/2020: I finally got the code working for Windows, so now all major desktop platforms are supported.
How it works
When you hit Ctrl+L, the lock screen is activated (and it’s much prettier than simply hiding the UI, as seen in the official PR). While the lockscreen is activated, and you hit Enter, a local XHR request is kicked off to retrieve the contents of your password file. It compares the contents of that file to the value in the password field, and if they match — bingo, bango — your screen is unlocked. It’s nothing revolutionary — and I wouldn’t say it improves security, but it does provide a small additional layer of privacy, and it implements a previously-missing functionality of Signal Desktop that was already present in both the Android and iOS mobile apps.
Additionally, the patch can be run as many times as you want without messing anything up, and it is backward compatible with PR #4499, should that functionality ever be merged into the master branch.
You can find this patch on my GitHub at https://github.com/phx/signal-desktop-lockscreen.
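The unlock check described under "How it works", next to a variant that keeps a salted scrypt verifier in the file instead of the password itself, so reading the file does not reveal the password. This is an added example, not code from the patch or from Signal Desktop; the function names, the trailing-newline handling and the "scrypt$salt$key" record format are assumptions.

```javascript
// Added example (Node.js). Names and file format are assumptions, not the patch's code.
const crypto = require('node:crypto');

// The check as the post describes it: the file holds the password itself
// and its contents are compared to the value typed into the password field.
function unlockPlaintext(fileContents, entered) {
  return fileContents.trim() === entered; // assumes a trailing newline in the file
}

// Hardened variant: the file holds "scrypt$<salt hex>$<key hex>".
function makeVerifier(password) {
  const salt = crypto.randomBytes(16);              // fresh random salt per password
  const key = crypto.scryptSync(password, salt, 32); // memory-hard key derivation
  return ['scrypt', salt.toString('hex'), key.toString('hex')].join('$');
}

function unlockHashed(fileContents, entered) {
  const parts = fileContents.trim().split('$');
  // A malformed or truncated file must leave the screen locked.
  if (parts.length !== 3 || parts[0] !== 'scrypt') return false;
  const salt = Buffer.from(parts[1], 'hex');
  const expected = Buffer.from(parts[2], 'hex');
  if (salt.length !== 16 || expected.length !== 32) return false;
  // Re-derive from the typed value and compare in constant time.
  const actual = crypto.scryptSync(entered, salt, expected.length);
  return crypto.timingSafeEqual(actual, expected);
}

// Constructed sample values, for demonstration only.
const sampleRecord = makeVerifier('correct horse battery');
console.log(unlockHashed(sampleRecord, 'correct horse battery')); // true
console.log(unlockHashed(sampleRecord, 'wrong guess'));           // false
```

Either variant only gates the UI: the message database on disk is untouched by the lock screen, which fits the post's own framing of this as privacy rather than security.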
Edit 8/11/2020: I received the following response from the official Signal development team on my pull request:
Thank you for the pull request, while this is an artful solution to the lock-screen issue it doesn’t fully satisfy the requirements for security. We would also need some design resources on this to fully implement screen lock.
…so, it looks like the only way as of now to get full lock screen functionality in Signal Desktop is by implementing my patch until this issue is actually addressed within the official code at some point in the unforeseeable future.