Signaling without exposing your private phone number

The situation

I wanted a way to avoid revealing my private phone number when using Signal. There can be many reasons for this. E.g.

  • Privacy
  • Safety
  • Annoyance over why it is necessary in the first place when using Signal

End goal

Accomplishing the above will be considered a success when:

  • I’m able to use the Signal Desktop application both with my private phone number and my public phone number, on the same computer
  • Linking the Signal Desktop application can happen without using a secondary phone or needing to uninstall and install the Signal mobile application (as this would result in a need to be verified by my private contacts)
  • Getting a public phone number should be as cheap as possible
  • If possible, avoiding the registration of my address
  • I should be able to hold onto the public phone number for as long as I want

Findings

Using Signal Desktop with both phone numbers on the same computer

The Signal Desktop application is not multi-instance capable in the non-development version. Therefore one needs to run the generally available version and the beta version side-by-side.

More on that here

Linking without a secondary phone

This proved to be possible even though it required some nice nerdy magic

As cheap as possible & registration

I spent a lot of hours on different vendor pages, vendors selling virtual phone numbers and the like. Twilio ended up being the vendor I chose, as with them it is possible to acquire a US phone number for 1$ a month, with an initial top-up of 20$, therefore giving you 20 months of Twilio.

Twilio also makes it possible to use PayPal as a payment service, limiting the number of stakeholders that will get parts of my personal information.

Holding onto the phone number

Using a prepaid mobile phone card is not an option, even though it nicely comes with no registration, as the phone number falls out of my control at some point. Per se, you’re leasing it.

Again, Twilio makes this possible, as long as I pay my dues.

Guidance on achieving the above

Parts of the below have, for documentation purposes, been copied from Shields Up: Using Signal Without Giving Your Phone Number

  1. Sign-up for Twilio
    1. Verify your account as asked
    2. Top up the account via PayPal with the required 20$
    3. Choose an American phone-number, with voice and SMS capabilities
    4. In Twilio, navigate to “All Products and Services” > “Runtime” > “TwiML Bins”
    5. Create two TwiML bins
      1. One for SMS, that should contain the following code
        <?xml version="1.0" encoding="UTF-8"?>
        <Response>
        <Message to="YOUR PHONE NUMBER">
            {{From}}: {{Body}}
        </Message>
        </Response>

      2. And the one for voice
        <?xml version="1.0" encoding="UTF-8"?>
        <Response>
        <Dial>
            YOUR PHONE NUMBER
        </Dial>
        </Response>

      N.B. In the above, insert your phone number. When doing so, it should contain the country code it belongs to, prefixed with the plus character.

    6. Now navigate to “All Products & Services” > “Phone Numbers” > “Manage Numbers” > “Active Numbers”
      1. Click on your Twilio phone number. Change the “A call comes in” field from “Webhook” to “TwiML” and switch to your custom voice forwarding settings by selecting the appropriate bin name (e.g., “my voice forwarding”). Do the same for the messaging settings.
  2. Install the beta of Signal
    1. Windows: First, download this file and look for the url property that specifies the location for the latest beta installer. Download the installer by constructing a final URL that looks like this: https://updates.signal.org/desktop/<installer location>. Then run the installer
    2. macOS: First, download this file and look for the url property that specifies the location for the latest beta installer. Download the installer by constructing a final URL that looks like this: https://updates.signal.org/desktop/<package location>. Then unzip that package and copy the .app file into the /Applications folder using Finder
    3. Linux: Follow the production instructions to set up the APT repository and run apt install signal-desktop-beta
  3. If it isn’t already installed, install the official, generally available version of Signal, as you will have to run the Beta and the Official one side-by-side. A further guide on how to install the Official one is on Signal’s homepage
  4. Install signal-cli, which is a command-line interface for Signal and will be used for registering, linking and testing Signal with the acquired public phone number. Get it from Signal-cli download
  5. You are now ready and prepped for registering Signal with your phone number provided by Twilio. So change directory to the folder where you installed signal-cli and…
    1. Execute: ./bin/signal-cli -u PHONE_NUMBER_AKA_USERNAME register
    2. Execute: ./bin/signal-cli -u PHONE_NUMBER_AKA_USERNAME verify THE_CODE_YOU_RECEIVED_ON_YOUR_PHONE
    3. To test that the new Signal account with the Twilio phone number works, execute: ./bin/signal-cli -u PHONE_NUMBER_AKA_USERNAME send -m "crazy stuff" PHONE_NUMBER_AKA_USERNAME_TO_PRIVATE_ACCOUNT
    4. Optionally execute: ./bin/signal-cli -u PHONE_NUMBER_AKA_USERNAME_TO_PRIVATE_ACCOUNT receive if you want to send a message the other way. Meaning, from your private phone number to the Signal account with the Twilio phone number
    5. Now we want to link the Signal account with the Twilio phone number, but without using a secondary phone
      1. Ensure that Signal Beta is started, you must see the QR code screen in the application
      2. Scan the QR code with a QR scanner on your phone, to derive the URI that it contains
      3. Get the URI to your computer in one way or the other
      4. Now with signal-cli execute: ./bin/signal-cli addDevice -u PHONE_NUMBER_AKA_USERNAME --uri "tsdevice:/?uuid=....
        1. In the Signal Beta application you should now be prompted to name the device
        2. Name it and proceed. Signal Beta will load users and groups and finally, after some loading, you are in :+1:
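
The registration and linking steps above hand two hand-copied values to signal-cli: the Twilio number and the URI decoded from the QR code. As an added example (not part of the original post or of signal-cli), this shell helper checks both before calling addDevice, so a mistyped number or a URI mangled or swapped in transit is refused. The SIGNAL_CLI path, the function names, the pub_key parameter, the digit lower bound and the sample values are assumptions.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks before values reach signal-cli.
# SIGNAL_CLI is an assumed install path; addDevice, -u and --uri are the
# sub-command and flags used in the steps above.
SIGNAL_CLI="${SIGNAL_CLI:-./bin/signal-cli}"

# International form only: plus sign, non-zero first digit, at most 15 digits.
# (The lower bound of 8 digits is a heuristic of this example.)
is_e164() {
  printf '%s\n' "$1" | grep -Eq '^\+[1-9][0-9]{7,14}$'
}

# The linking URI must use the tsdevice scheme and carry uuid and pub_key.
# pub_key is assumed from Signal's linking format; the page shows only uuid.
check_link_uri() {
  local uri="$1" query
  case "$uri" in
    'tsdevice:/?'*) query="${uri#tsdevice:/\?}" ;;
    *) return 1 ;;
  esac
  # Reject whitespace or other debris picked up while copying the URI around.
  printf '%s\n' "$query" | grep -Eq '^[A-Za-z0-9%_.~=&+/-]+$' || return 1
  printf '%s\n' "$query" | tr '&' '\n' | grep -Eq '^uuid=.+' || return 1
  printf '%s\n' "$query" | tr '&' '\n' | grep -Eq '^pub_key=.+' || return 1
}

# Link the desktop client only when both inputs pass the checks.
link_device() {
  local user="$1" uri="$2"
  is_e164 "$user" || { echo "not an international number: $user" >&2; return 2; }
  check_link_uri "$uri" || { echo "refusing malformed linking URI" >&2; return 3; }
  "$SIGNAL_CLI" addDevice -u "$user" --uri "$uri"
}

# Constructed sample values, not real identifiers.
SAMPLE_USER='+15550100123'
SAMPLE_URI='tsdevice:/?uuid=AAAAAAAAAAAAAAAAAAAAAA&pub_key=BQ%2Babc123%2Fxyz'

# Usage: ./link.sh link '+1...' 'tsdevice:/?uuid=...&pub_key=...'
if [ "${1:-}" = "link" ]; then
  link_device "$2" "$3"
fi
```

Compare the URI you paste against the QR code shown by your own Signal Beta window; the checks above catch copy errors, not a well-formed URI belonging to someone else's device.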

Optionally heighten the security of your new Signal Twilio phone number account by setting a Registration Lock pin. Here’s how:

  1. Execute: ./bin/signal-cli -u PHONE_NUMBER_AKA_USERNAME setPin PIN_BETWEEN_4_20_CHARS

And make sure to read the Registration Lock article by Whisper Systems, as there are some pointers to be aware of. Namely that the pin expires if there is no activity on the account for more than 7 days.

Readings I found useful

  • Does Signal send my number to my contacts? read Whisper Systems notes on that here
  • How to Use Signal Without Giving Out Your Phone Number read The Intercept article on that here
  • How to install and use Signal messenger without a smartphone read that guide here

Thank you for reading along.

Over and out :dash:


© 2022. All rights reserved.
