Adding a Lock Screen to Signal Desktop


In this post, I describe the improvements I have tried to make by contributing to the open source Signal Desktop project on GitHub, as well as by creating my own application patch for Linux and macOS.

I have recently been in full CON mode for DEF CON 28 SAFE MODE, which just ended yesterday. This year, all of the festivities took place on Discord and Twitch, and they pulled it off perfectly without a hitch. However, many of us reminisced about years past and the fun had in Las Vegas, which was the only thing missing this year. One of the upsides of this was not having to worry about your laptop or phone traffic being sniffed or getting hacked. In years past, every precaution was taken — from bringing clean laptops with fresh and disposable Kali installations, to bringing burner phones — and all important communication between friends took place on Signal — the go-to app for private comms.

One of the coolest features of the Signal mobile app is the fact that you can enable an app-based lock screen, which adds a small additional layer of security and privacy. However, I realized this functionality did not exist in the desktop implementations of Signal. After trying unsuccessfully to implement this ability with wrapper applications on various platforms, I set out to look into the code myself and see if there was anything that I could do about it…

Under the hood, Signal Desktop is an Electron application, written in serverside Node.js and clientside JavaScript. I have some basic knowledge of Node.js, and have even made a few significant contributions to the Standard Notes server project, from fixing/re-writing the Docker implementation, to resolving some high and critical vulnerabilities in their Node.js ecosystem. That being said, Signal is an application with literally millions of users, and their open source contribution requirements are significant. It would have taken me weeks to figure out how the entire application works, and even then, it would take a significant re-write of multiple source files in order to implement the specific functionality that I was going for. So I went about this in two separate steps — 1) an official pull request to implement a “pseudo-lockscreen” that solved the use-case need at its most basic level, and 2) an unofficial patch script, which implements the full functionality of what I was looking for, without going through the official channels.


The official pull request

I opened Pull Request #4499 to the official Signal Desktop development branch (Pseudo-Lockscreen Functionality Using Keybindings to Hide UI), which uses clientside JavaScript keybindings to hide and show the user interface — I mean, it’s better than nothing, right? But I knew that I could do better, and not having enough experience with the existing project’s Node.js source code, I opted instead for a quick fix in the form of a patch, which would implement the full scope of the original functionality that I was looking for.


The unofficial patch

I took matters into my own hands for the serverside interaction needed in order to implement a fully-functioning application lock screen for Signal Desktop. There are three distinct downsides to going this route — 1) the host requires Node Package Manager (npm) as a dependency, 2) every time Signal Desktop is updated, the patch script will need to be run again in order to update the new installation, and 3) it doesn’t work for Windows.

Believe me — I tried to get a version working for Windows and came extremely close, but the fact is that there is something that Windows just really doesn’t like about extracting ASAR archives. I used every method I came across — npm’s asar package, npm’s npx package, as well as patches for 7-Zip that work with ASAR archives — none of which were able to unpack and re-pack like they do flawlessly on Linux and macOS. In my pull request, I referenced my patch and requested that, if my official pull request is ever merged into the master branch, the devs consider implementing the functionality of my patch later on down the line, so we will see what the future holds. If they do ever decide to merge my code, Windows users may just be stuck with the pseudo-lockscreen functionality unless better functionality is released in the future.

Update 8/12/2020: I finally got the code working for Windows, so now all major desktop platforms are supported.


How it works

In a nutshell, the script runs and asks you for a passphrase that you would like to use specifically for unlocking the lockscreen, and it saves this passphrase as a file in your Signal configuration directory. Ideally, I would have preferred using an environment variable, but since the core functionality is implemented in clientside JavaScript, that wasn’t an option.

When you hit Ctrl+L, the lock screen is activated (and it’s much prettier than simply hiding the UI, as seen in the official PR). While the lockscreen is activated, and you hit Enter, a local XHR request is kicked off to retrieve the contents of your password file. It compares the contents of that file to the value in the password field, and if they match — bingo, bango — your screen is unlocked. It’s nothing revolutionary — and I wouldn’t say it improves security, but it does provide a small additional layer of privacy, and it implements a previously-missing functionality of Signal Desktop that was already present in both the Android and iOS mobile apps.
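The check described above compares the typed value with the stored passphrase, which means the passphrase sits on disk in the clear. The following is an added example, not code from the patch or from Signal Desktop: it reproduces that flow in Node.js beside a variant that stores only a salted scrypt verifier and compares in constant time. The file names, function names and the temporary directory standing in for the Signal configuration directory are assumptions.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');
const nodeCrypto = require('crypto');

// Hypothetical file names; the patch's real file name is not given in the post.
const PLAIN_FILE = 'lockscreen-passphrase.txt';
const VERIFIER_FILE = 'lockscreen-verifier.json';

// Flow as the post describes it: passphrase saved as-is, compared as strings.
function savePlain(dir, passphrase) {
  fs.writeFileSync(path.join(dir, PLAIN_FILE), passphrase, { mode: 0o600 });
}
function unlockPlain(dir, typed) {
  return fs.readFileSync(path.join(dir, PLAIN_FILE), 'utf8') === typed;
}

// Variant: store only salt + scrypt output, so the file does not reveal the passphrase.
function saveVerifier(dir, passphrase) {
  const salt = nodeCrypto.randomBytes(16);
  const hash = nodeCrypto.scryptSync(passphrase, salt, 32);
  const record = { salt: salt.toString('hex'), hash: hash.toString('hex') };
  fs.writeFileSync(path.join(dir, VERIFIER_FILE), JSON.stringify(record), { mode: 0o600 });
}
function unlockVerifier(dir, typed) {
  const record = JSON.parse(fs.readFileSync(path.join(dir, VERIFIER_FILE), 'utf8'));
  const expected = Buffer.from(record.hash, 'hex');
  const actual = nodeCrypto.scryptSync(typed, Buffer.from(record.salt, 'hex'), expected.length);
  return nodeCrypto.timingSafeEqual(actual, expected);
}

// Constructed demo in a throwaway directory (assumed stand-in for the config directory).
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'lockscreen-demo-'));
  const passphrase = 'correct horse battery staple'; // constructed sample value
  savePlain(dir, passphrase);
  saveVerifier(dir, passphrase);
  const result = {
    plainOk: unlockPlain(dir, passphrase),
    plainBad: unlockPlain(dir, 'wrong'),
    verifierOk: unlockVerifier(dir, passphrase),
    verifierBad: unlockVerifier(dir, 'wrong'),
    plainFileLeaks: fs.readFileSync(path.join(dir, PLAIN_FILE), 'utf8').includes(passphrase),
    verifierFileLeaks: fs.readFileSync(path.join(dir, VERIFIER_FILE), 'utf8').includes(passphrase),
  };
  fs.rmSync(dir, { recursive: true, force: true });
  return result;
}
console.log(demo());
```

Either variant still only gates the UI from clientside JavaScript, so it remains a privacy screen as the post says; the verifier just keeps the passphrase itself out of the file.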

Additionally, the patch can be run as many times as you want without messing anything up, and it is backward compatible with PR #4499, should that functionality ever be merged into the master branch.

You can find this patch on my GitHub at https://github.com/phx/signal-desktop-lockscreen.

Edit 8/11/2020: I received the following response from the official Signal development team on my pull request:

Thank you for the pull request, while this is an artful solution to the lock-screen issue it doesn’t fully satisfy the requirements for security. We would also need some design resources on this to fully implement screen lock.

…so, it looks like the only way as of now to get full lock screen functionality in Signal Desktop is by implementing my patch until this issue is actually addressed within the official code at some point in the unforeseeable future.
