Does Signal Strip EXIF Metadata? Honest 2026 Answer
Signal is the messaging app that privacy people recommend by default — and for good reason. It is the only major messenger that strips EXIF metadata automatically, the only one that never stores the original on its servers, and the only one that ships this behavior with zero user configuration. But Signal also has one open bug, one escape hatch, and the same fundamental problem every undocumented privacy feature has: the platform owes you nothing if the behavior changes tomorrow.

Table of Contents
TL;DR — does Signal strip EXIF?
Yes for images, automatically — Signal is the only major messenger that does this by default. No for files — sending a photo via the file attachment menu preserves all EXIF. No server retention — unlike Instagram/Facebook/Discord, Signal does not keep the original on its servers. One known bug (Signal-Android #12075): the app may add new EXIF tags during processing. The safe habit: strip EXIF before sending, every time, every app.
The short answer
Signal is the messaging app that privacy-conscious users default to, and on the EXIF question it earns its reputation. Every major source — privacy blogs, the Signal community forum, GitHub issue trackers, and side-by-side comparisons with WhatsApp and Telegram — converges on the same conclusion: Signal strips EXIF metadata from photos sent as images by default, on both iOS and Android, with no user configuration required. GPS coordinates, camera make and model, timestamps, software version, and exposure settings are all removed before the photo is encrypted and transmitted.
More importantly, Signal does not retain photo metadata on its servers. Most platforms that strip EXIF do so for the version they show to other users while keeping the original metadata internally — Instagram, Facebook, and Discord all follow this pattern. Signal does not. The combination of end-to-end encryption and a no-retention policy means the platform itself cannot read what was sent, which is the strongest possible privacy guarantee for messaging photos. But Signal is not perfect: there is a known bug, an obvious loophole, and the same underlying problem every undocumented privacy feature has — if behavior changes tomorrow, you have no contract to fall back on.
What the evidence shows
Unlike Discord — where third-party reports converge but Signal has never formally documented its EXIF behavior either — Signal's privacy posture is reinforced from multiple directions: the company's public privacy commitments, the Signal Foundation's open-source codebase (which can be audited for the stripping logic itself), and an active GitHub issue tracker where users have surfaced both confirmations and bugs over the years.
The cross-reference of sources we mapped:
| Source | Claim about images | Claim about file mode |
|---|---|---|
| PrivacyStrip blog | Strips GPS, camera, timestamps | Preserves metadata |
| EditPrivacy tested | All EXIF removed | Behavior depends on mode |
| Fastio 2026 comparison | Strips by default, no server retention | Escape hatch via file mode |
| PrivacyGuides forum | Community-confirmed stripping | File mode = preserved |
| GitHub issue #1984 (iOS) | Historical bug, now fixed | N/A |
| GitHub issue #12075 (Android) | Adds new EXIF after stripping | N/A |
The convergence is strong: image-mode uploads strip EXIF, file-mode uploads preserve it. The only outlier is the Android issue #12075 (March 2022), which reports that Signal can add new EXIF tags during its processing pipeline — including to images that were already stripped clean before upload. The issue is marked closed but not formally resolved with documented fixes. For our purposes, that is one more reason to strip yourself: even an app that strips correctly can introduce new tags as a side effect of how it processes images.
Signal vs WhatsApp vs Telegram
The clearest way to see why Signal stands out is to put the three side-by-side on the questions that actually matter for metadata privacy.
| Question | Signal | Telegram | |
|---|---|---|---|
| Strips EXIF by default (image mode) | Yes | Yes | Only if compressed |
| File-mode bypass exists | Yes | Yes (document mode) | Yes |
| Retains metadata server-side | No | Yes (via E2E backups) | Yes (cloud chats) |
| End-to-end encrypted by default | Yes | Yes | No (secret chats only) |
| Open-source client (auditable) | Yes (iOS + Android) | No | Partially (client only) |
The two rows that matter most for metadata privacy: no server retention and open-source auditability. Signal wins both. WhatsApp strips EXIF for the recipient but it sits inside Meta's servers (and end-to-end encrypted backups can be a complicated edge case). Telegram only strips when you send the compressed image, defaulting to preserving everything for the file path, and most chats are not end-to-end encrypted at all. If metadata privacy is a hard requirement, Signal is the only one of the three that holds up under scrutiny.
The file attachment escape hatch
Signal's file attachment mode exists because users sometimes need to send a photo with its original quality, original format, and yes, original metadata intact — for example, when sending a high-resolution photo to a designer who needs the EXIF data for color management. In those cases the design choice is deliberate: the user explicitly asked for the original file.
The problem is the same one we covered in our Discord analysis: users routinely route through the file pipeline without realizing it. If you tap the "+" button in Signal and choose "Document" or pick a photo from your file manager rather than from the in-app photo picker, the photo travels with full EXIF. The recipient can save it and read your GPS in ten seconds with any free EXIF viewer.
The good news on Signal specifically is that the user interface clearly distinguishes "Photo" from "Document" in the share sheet — the visual separation is more explicit than on Discord or WhatsApp. The bad news is that none of these apps actually warn you about the privacy implication of choosing one over the other. It is on the user to know.
The Android bug that adds new EXIF
GitHub issue #12075 on Signal-Android (filed March 17, 2022) reports a surprising bug: even when Signal correctly strips EXIF from incoming images, it may add new EXIF tags during its own image processing pipeline. The reporter specifically warns that "new EXIF metadata gets added to images — including the ones which are stripped off of it" and recommends using ExifTool (rather than Android-based viewers) to verify the actual state of files after Signal touches them.
The issue is marked closed but the specific tags Signal adds are not formally documented in the public thread, and there is no maintainer-confirmed resolution PR. A related, earlier issue (#5968) about metadata removal had a fix attempt (PR #7542) that the reporter says "failed to solve" the original problem. The pattern across these issues is consistent: Signal's privacy posture is the strongest in the messaging space, but the implementation has had bugs over the years, and not all of them are fully closed out with public documentation.
For most users this is academic: any tags Signal adds during processing are likely benign (a Signal app version, perhaps a generic timestamp) and do not reveal anything sensitive. But for the privacy-paranoid use case — journalists, activists, anyone whose threat model includes nation-state actors — the principle matters: even an app you trust can introduce metadata you did not authorize.
Why no server retention matters
The single most important privacy property in the messaging-app space is not whether the app strips EXIF for the viewer — it is whether the app keeps the original data on its servers. This is where Signal is genuinely alone among the major messengers.
When you send a photo to Instagram, Facebook, or Discord, the platform receives the original file (with full EXIF, before any stripping happens at upload) and stores it. The public-facing version that other users see has the metadata removed, but Meta, Discord, and similar platforms still hold the original on their servers for analytics, recommendations, and (in Meta's case) advertising. A legal request, a data breach, or a future policy change can expose that retained metadata.
Signal's architecture is fundamentally different. End-to-end encryption means Signal's servers cannot decrypt the photo bytes you send — they relay encrypted payloads between devices without ever holding readable image data. Combined with Signal's public commitment not to retain metadata, this means there is nothing on Signal's servers that could leak even if you sent a photo with full EXIF intact. The only way your GPS coordinates end up exposed is if the recipient saves the file and reads them — which means the threat model is people, not the platform.
Why you should still strip first
Given everything above — Signal strips by default, never retains, is end-to-end encrypted — why bother stripping EXIF yourself? Three reasons, each independently strong.
- The file mode bypass. If you accidentally send via the document path (and people do, especially when sharing from outside the app), the original file with full EXIF goes through unchanged. The recipient extracts your GPS in seconds.
- The Android bug. Issue #12075 is closed but not transparently resolved. Even Signal's automatic stripping has had implementation bugs; defense in depth at the user level removes that risk entirely.
- Undocumented behavior changes. Signal has never published an official privacy guarantee about EXIF handling. The strong reputation is real but informal. If Signal changes the behavior in a future release for any reason, you will not know until someone tests and reports it.
The cost of stripping yourself is roughly thirty seconds per photo, and the benefit is that you no longer depend on any platform behavior at all — your photo arrives at the recipient with the EXIF you chose to include, regardless of how the messaging app processes it in between.
The 30-second fix
The same workflow works for every messaging app, including Signal. Open the SammaPix EXIF Viewer in your browser, drop the photo you plan to send, and review what tags are currently present. Remove the ones that matter (GPS coordinates and camera info are usually the headline concerns) with one click, save the cleaned file, and send that version through Signal — image mode or file mode, your choice no longer matters from a privacy standpoint.
The whole tool runs client-side. Your photo never gets uploaded to a server — not ours, not anyone's. That is the only architecture that makes sense for a privacy tool, and it is the same property that makes Signal trustworthy: the data never leaves the device in a form anyone else can read.
For broader context on how every major messaging platform handles metadata, see our full audit of 12 messaging apps, the deeper Discord analysis, and the general guide on removing EXIF to protect privacy. The pattern is consistent across the industry: most platforms have an inconsistent or undocumented EXIF behavior, the file attachment path almost always preserves everything, and the only reliable way to control your metadata is to control it yourself before upload.
FAQ
Does Signal strip EXIF metadata from photos?
Yes — Signal strips EXIF metadata from photos sent through the standard image flow on both iOS and Android. GPS coordinates, camera make and model, timestamps, software version, and exposure settings are all removed before the photo is encrypted and transmitted. Signal is the only major messaging app that performs this stripping automatically by default with no user configuration required.
Does Signal keep my photo metadata on its servers?
No. Signal does not retain photo metadata on its servers — unlike Instagram, Facebook, and most other platforms that strip EXIF for public viewers but keep the original metadata internally for analytics and advertising. Signal's end-to-end encryption combined with its no-retention policy means the company itself cannot read what was sent. This is the most important distinction between Signal and every other major messaging app.
Does Signal strip EXIF when I send a photo as a file?
Probably not. The file attachment mode in Signal is the documented escape hatch — when you explicitly send a photo as a file (rather than as an image through the photo picker), the file is transmitted as-is. This is the same pattern most messaging apps use: the photo-pipeline strips metadata, the file-pipeline preserves it. If you need full original quality on Signal without leaking GPS, strip the EXIF yourself first.
Are there bugs in Signal's EXIF handling?
Yes — at least one. GitHub issue #12075 on Signal-Android (filed March 2022) reports that Signal adds new EXIF metadata to images during processing, including to images that were already stripped clean before upload. The issue is marked closed but the specific tags Signal adds are not formally documented. The takeaway: even Signal's automatic stripping is not perfect, which is another reason to strip metadata yourself before sending sensitive photos.
How is Signal different from WhatsApp and Telegram on metadata?
Signal strips EXIF automatically by default and never stores it server-side. WhatsApp strips for the photo path but preserves everything when you send "as document" — the well-known document trap. Telegram preserves EXIF by default unless you explicitly compress, and keeps your full message history on its servers. Signal is the only one of the three with both automatic stripping and zero server retention, which makes it the safest choice for privacy-critical photo sharing.
Should I still strip EXIF before sending on Signal?
Yes. Even though Signal is the gold standard for messaging privacy, there are three reasons to strip metadata yourself first. First, the file attachment escape hatch preserves everything. Second, the Android bug that adds new EXIF tags is closed but not formally resolved. Third, undocumented behavior can change without notice. The safe habit is to strip with a browser-based EXIF tool before sending — once you have it, the rest is defense in depth.