
Your Signal messages can leak via locked screen on macOS

If you are a security-aware person, you probably use one of the secure messengers. 😏 And maybe, to improve your comfort, you installed its desktop version on your Mac? Sometimes we leave our computer unattended when we go to make a coffee or need to talk with somebody in the other room. Since we are security-aware, we always lock our screens (you do that, right?).

But what if all messages sent to you are visible on your locked Mac? Let's discuss Signal (other messengers will probably behave this way too).


Every Mac application that uses notifications will, by default, also display them on the locked screen. This is the behaviour on the newest macOS Mojave (10.14.1).

What are Signal's devs going to do?

For now - Nothing. 😉 This is the response that I received from Signal's team:

[...]
Users who are concerned about screen lock notifications can also disable them in MacOS System Preferences.

This is not a vulnerability. Signal is following standard practices for macOS applications and notifications.
[...]

And you know what? They are really following standard practices for notifications.

So what do I need to do?

Go to the System Preferences -> Notifications and untick the "Show notification on lock screen" setting.

The standard practices

I read Apple's documentation, developed my own simple app that uses notifications, and I didn't find any way to set the "Show notification on lock screen" setting! It means that you cannot 'register' your app in the Notification Center with that setting unticked. So the only expected way (that is, not the workaround described in the next paragraph) to stop the app from displaying notifications on the locked screen is to convince the user to untick it manually. If you know a better solution - please tell me!

The radical solution for developers

If you develop desktop applications that may leak confidential data on the lock screen, you may:

  1. Detect whether the screen is locked and add an if statement that prevents notifications from being displayed while it is.
  2. If you use the new Notification class family, you may be interested in the lockScreenSetting property. Below is the piece of code that I prepared for you 😉
import UserNotifications

let notificationCenter = UNUserNotificationCenter.current()
// getNotificationSettings returns nothing; the settings arrive in the completion handler.
notificationCenter.getNotificationSettings { settings in
    if settings.lockScreenSetting == .enabled {
        // The user did not disable the "Show notifications on lock screen" setting.
        // You may choose not to display any notifications.
    } else {
        // The problematic setting is unticked. You are free to display notifications.
    }
}
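Both options above combined into one notification gate, as an added example that is not code from the original post or from Signal. It assumes an app bundle that has already been granted notification permission; `screenIsLocked`, `shouldRedact` and `postMessageNotification` are hypothetical names, and the `CGSSessionScreenIsLocked` key is undocumented.

```swift
import CoreGraphics
import UserNotifications

// Assumption: "CGSSessionScreenIsLocked" is an undocumented key of the session
// dictionary. It is widely relied on, but Apple does not guarantee it.
func screenIsLocked() -> Bool {
    guard let session = CGSessionCopyCurrentDictionary() as? [String: Any] else {
        return true // No session information: fail closed and assume locked.
    }
    return session["CGSSessionScreenIsLocked"] as? Bool ?? false
}

// Hypothetical policy helper. Content is redacted when the screen is locked and
// the user has not switched off lock-screen notifications for this app.
func shouldRedact(locked: Bool, lockScreenSetting: UNNotificationSetting) -> Bool {
    return locked && lockScreenSetting != .disabled
}

// Hypothetical entry point; `sender` and `message` come from the application.
func postMessageNotification(sender: String, message: String) {
    let center = UNUserNotificationCenter.current()
    center.getNotificationSettings { settings in
        let redact = shouldRedact(locked: screenIsLocked(),
                                  lockScreenSetting: settings.lockScreenSetting)
        let content = UNMutableNotificationContent()
        // The redacted form reveals neither the sender nor the message text.
        content.title = redact ? "New message" : sender
        content.body = redact ? "Unlock to read it." : message

        let request = UNNotificationRequest(identifier: UUID().uuidString,
                                            content: content,
                                            trigger: nil)
        center.add(request) { error in
            if let error = error {
                NSLog("Notification not delivered: %@", error.localizedDescription)
            }
        }
    }
}
```

The lock state is sampled when the notification is posted, so this gate only covers messages that arrive while the screen is already locked.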

Is that problematic on iOS?

It depends. If your iDevice uses FaceID, notifications are not previewed until you authenticate with your face. On the other hand, if your iDevice doesn't use FaceID but only TouchID, the situation is quite similar to the one described in this post.