Signal is generally viewed as the most secure encrypted communications app. So secure, that even the US Senate has approved it for staff use. And, to keep privacy experts on its side, Open Whisper Systems (the non-profit behind the app) has kept Signal open source and peer-reviewed. But, the developer is having to juggle robust privacy with all the popular features a chat app is expected to provide in this day and age. It's proven a tricky balancing act -- particularly in regards to access to user contacts. Just like its (now encrypted) rivals, Signal asks to import your phone contacts in order to tell you who's using the app. For the stricter privacy advocates, that's always been a niggling issue. But, Signal claims it has a fix. With its latest test, the app is trialling a completely private contact discovery service.
In other words, no one (whether nefarious actors, or even Signal itself) will be able to access that data, at least theoretically. To accomplish this task, it's utilizing an Intel processor feature known as Software Guard Extensions, or SGX. Originally designed for DRM, the tech essentially allocates a "secure enclave" in a processor that is kept isolated from the rest of a computer's operating system. The code running in that enclave is designated a unique key that only Intel can control.
In the case of the app, SGX will be fitted to Signal's servers. That way, when your contacts pass through them, they'll also be kept in this secure enclave for processing, and will vanish afterwards. If the test feature works as it should, Signal will basically be kept out of your information -- as will everyone else. The feature is expected to roll out over the next few months, once the test run is out of the way.
Although the new option sticks to Open Whisper System's privacy commitments, it is still in its early stages. And, as Wired reports, the server-side use of SGX is relatively untested. To ease concerns, OWS is making the private contact discovery service open source, allowing the security community to nitpick it for possible exploits. All the crypto heads out there can get the low-down on the tech by reading Signal's blog post.