How secure is your chosen Messaging Application?


News

WhatsApp, Snapchat, Facebook Messenger, Tiger Text, iMessage, Skype, Telegram, Hangouts, Wickr… Text Message?

As a smart device user, you have literally hundreds of communication methods to choose from, each with tens—if not hundreds—of millions of users and across each, more than enough features and functionality to enable you to communicate however you choose.

We now use messaging apps to exchange all sorts of sensitive information, whether personal, financial, political or business-related. However, not all of these communications platforms are equally reliable in ensuring the privacy and security of that information…

We want our followers to think carefully about the type of information that they share through messaging platforms and just stop and think about the security of their chosen communication methods.

So… we wanted to spell out four benchmark themes that will enable you to evaluate the security of the different applications and make an educated, informed choice on which you trust to send and receive sensitive information.

 


1. Encryption

Encryption (the use of mathematical algorithms to scramble data) is the best known way to prevent unwanted parties from making sense of the messages you send. All of the major messaging apps use some form of encryption to protect your privacy.

However, not all encryption is made equal. In fact, some services deliberately maintain hold of the keys to decrypt and access your messages. There are many reasons for this including the analysis of information within messages in order to deliver better targeted adverts to the user or to feed their system machine learning algorithms.

The most secure apps are those that use true End to End Encryption (E2EE) that makes sure that only the sender and recipient of a message can read its contents. With true E2EE even if the service provider stores your messages on their servers, it won’t be able to decrypt and read them.

The current perceived golden standard of E2EE is the Open Whisper Systems Signal Protocol, which is used in a namesake messaging app endorsed by Edward Snowden and famous cryptography expert Bruce Schneier. Other famous messaging apps such as Facebook Messenger, WhatsApp and Telegram also use the Signal encryption protocol.

Other E2EE systems are available (such as the post quantum encryption standard used in our own ENIGMA messaging platform) with the leading solutions offering higher and higher levels of complexity on the E2EE systems.

Beware however because;

  • Some of the leading communications apps don’t enable E2EE by default
  • Other platforms sometimes may forego giving key change warnings about their E2EE for the sake of user convenience.

While the above are not necessarily vulnerabilities of E2EE as they can be easily maintained through good user discipline, they nonetheless prove that E2EE alone is not enough to offer a truly secure messaging platform.

 


2. Open Source

In recent years, transparency has emerged as a critical element of secure software development. Developers who open the source code of their applications to scrutiny and let others view it are regularly viewed as being more trustworthy.

Open-sourcing an application doesn’t make it inherently secure, but it does gives security experts a chance to review the code and find potential bugs or backdoors and therefore enables a community approach to security.

Applications that use the walled-garden approach (keeping the rest of the world in the dark) ultimately make the decision that their users will have to trust the company and their employees to have tested and debugged its own code.

Telegram and Signal are two open source messaging apps.

 


3. Message Deletion

If your phone falls into the wrong hands unlocked or your account becomes compromised, no amount of encryption will protect your sensitive information. That’s why being able to delete messages gives you an extra measure of security.

Most apps will allow you to delete individual messages or entire chat logs from your own accounts and devices. But secure messaging apps should enable senders to delete sensitive messages from the devices of all parties involved in a conversation.

Telegram, Signal, Tiger Text and Wickr all have self-destruct message features that, if set, will automatically delete messages from all devices after a certain amount of time elapses.


4. Minimum Metadata Storage

Aside from the content of your messages, every messaging service will additionally store a significant set of information such as the time a message was sent, whom it was sent to, etc. This information is called metadata, or “data about data.”

While at first glance the content of metadata might not be as sensitive and revealing than the actual message, quite a lot can be inferred from it, such as your contacts, usage patterns, location, and much else.

It is often the case that metadata is not encrypted or protected as strongly as message content is, primarily as a result of the functionality of most services depends on it.

“Metadata is far more intimate than our conversations. It shows where we go, our interests, our relationships—it shows who we are.”
– Bruce Schneit (2014)

This demonstrates how important metadata is, and how damaging it can become if it were to fall into the wrong hands. Therefore, the less metadata a messaging app stores, the more secure it is!

 

So What?!

You can now evaluate the trustworthiness of each of the messaging apps you’re using. This doesn’t mean that you should outright throw away any app that doesn’t fit the above criteria.

What it means though is that you shouldn’t take your security for granted and only share as much with an app as you can trust it.

Also bear in mind that a chain is only as strong as its weakest link. This means that a secure messaging app will be of no use on an insecure device. Never forget to adhere to the principles of general cyber awareness!

 

Original story courtesy of The Next Web