We rely increasingly on messaging apps to carry out our daily communications, whether for personal use or to do business. And there are hundreds of them on the internet and in app stores, each sporting different features and social reach.
With messaging apps having become an inherent part of our lives, we often use them to exchange sensitive information without regard to how capable they are of keeping that information secure. We share personal information and photos through them, or use them to report on sensitive issues in countries where the internet is strictly controlled and monitored by autocratic regimes.
So just how secure and trustworthy is your favorite messaging app? Here are four criteria that will help you decide.
The most important component of any messaging application is encryption: the use of mathematics to keep plain text away from anyone who isn't meant to read it. The parties in a conversation use encryption keys to scramble their messages beyond recognition before transmitting them, and to restore them to readable form when they want to access them.
Nowadays you'll find virtually no messaging app that doesn't encrypt your messages in some way.
But keep in mind that not every form of encryption is equally secure. The strength of the whole scheme depends on the cipher algorithm and, more importantly in practice, on the protocol used to generate, exchange and store the keys, and on where those keys live.
In terms of algorithms, the topic is a bit technical and better left for another post (you can find a good explainer here), but AES with 256-bit keys is far beyond the reach of any brute-force attack. In practice the cipher is rarely the weak point; the handling of the keys is.
As for protocols, you should be more careful about what you buy into. Some messaging apps, such as Google Hangouts and Skype, hold the encryption keys on their own servers. This means that anyone who gains access to those servers, or who unlawfully breaks into your account, will be able to read your messages. The same goes for governments with search warrants: a provider that holds the keys can hand over plaintext.
It also means your messages are only protected hop by hop. The connection between the app and the server should itself be encrypted (HTTPS/TLS), but the server decrypts everything that arrives, and if a connection falls back to an insecure channel or that transport encryption is broken, anyone eavesdropping on your internet traffic can read your messages.
End-to-end encryption (E2EE) is by far the most secure approach. With E2EE, keys are generated and stored on the endpoint devices, and the server only relays ciphertext it cannot read, which makes your conversations resilient to server breaches and to account takeovers from other devices. Only the sender and receiver hold the keys and can read the message. One caveat: E2EE only protects you if the key you hold for your contact really belongs to them, which is why apps such as Signal and WhatsApp let you compare a safety number or security code out of band. You'll find E2EE encryption in messaging apps such as WhatsApp and Signal (my personal favorite).
There's one more caveat. Some apps have E2EE but don't have it turned on by default: Telegram applies it only to its "secret chats", and Allo, created by data-hungry Google, only in its incognito mode. Make sure you have it turned on if you value your privacy.
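To make the difference between the two key models concrete, here is an added example in Go. It is not code from the original post or from any of the apps named above; it uses X25519 and AES-256-GCM from Go's standard library, and the relay, the names Alice and Bob, the message text, the labelled-SHA-256 key derivation and the 8-byte fingerprint are all assumptions made for the demo. An honest relay only ever holds ciphertext it cannot open. A cheating relay, which stands for both a server that keeps the keys itself and one that swaps them during key exchange, reads the message and re-encrypts it so Bob notices nothing. The only thing that gives the cheater away is the fingerprint (safety number) check.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// must panics on error; fine for a demo where every failure is a bug.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newKey generates a device's X25519 key pair. The private half never leaves
// the device; that is the property end-to-end encryption rests on.
func newKey() *ecdh.PrivateKey { return must(ecdh.X25519().GenerateKey(rand.Reader)) }

// sessionKey derives a 256-bit AES key from the X25519 shared secret. Demo
// simplification: real protocols run the secret through HKDF with a transcript.
func sessionKey(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) []byte {
	sum := sha256.Sum256(append([]byte("demo-session-key:"), must(priv.ECDH(peer))...))
	return sum[:]
}

func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// sealMessage encrypts with AES-256-GCM and prepends the random nonce.
func sealMessage(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// openMessage fails authentication for any key other than the sealing one.
func openMessage(key, boxed []byte) ([]byte, error) {
	gcm := aead(key)
	if len(boxed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, boxed[:gcm.NonceSize()], boxed[gcm.NonceSize():], nil)
}

// fingerprint plays the role of a safety number: a digest over both public
// keys, ordered so both users get the same string to compare out of band.
func fingerprint(a, b *ecdh.PublicKey) string {
	ka, kb := a.Bytes(), b.Bytes()
	if bytes.Compare(ka, kb) > 0 {
		ka, kb = kb, ka
	}
	sum := sha256.Sum256(append(ka, kb...))
	return hex.EncodeToString(sum[:8])
}

type outcome struct {
	BobRead           string
	RelayRead         string // empty when the relay only ever held ciphertext
	FingerprintsMatch bool
}

// run sends one message from Alice to Bob through a relay. An honest relay
// forwards public keys untouched; a cheating one (mitm=true) hands each side
// its own key instead, which is equivalent to a server that holds the keys.
func run(mitm bool) outcome {
	alice, bob, relay := newKey(), newKey(), newKey()
	aliceSees, bobSees := bob.PublicKey(), alice.PublicKey()
	if mitm {
		aliceSees, bobSees = relay.PublicKey(), relay.PublicKey()
	}
	out := outcome{FingerprintsMatch: fingerprint(alice.PublicKey(), aliceSees) == fingerprint(bobSees, bob.PublicKey())}
	ct := sealMessage(sessionKey(alice, aliceSees), []byte("meet at the usual place"))
	if mitm {
		// The relay shares a key with each side: it reads, then re-encrypts for Bob.
		pt := must(openMessage(sessionKey(relay, alice.PublicKey()), ct))
		out.RelayRead = string(pt)
		ct = sealMessage(sessionKey(relay, bob.PublicKey()), pt)
	} else if _, err := openMessage(sessionKey(relay, alice.PublicKey()), ct); err == nil {
		panic("an honest relay holds no matching key and must fail here")
	}
	out.BobRead = string(must(openMessage(sessionKey(bob, bobSees), ct)))
	return out
}

func main() {
	for _, mitm := range []bool{false, true} {
		o := run(mitm)
		fmt.Printf("mitm=%-5v bob=%q relay=%q safety numbers match=%v\n",
			mitm, o.BobRead, o.RelayRead, o.FingerprintsMatch)
	}
}
```

Run it with `go run`. In the `mitm=true` line the relay prints the plaintext while Bob still receives the message unchanged; the only visible symptom is that the two safety numbers no longer agree, which is why E2EE apps ask you to compare them with your contact in person.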
Being able to clear your messaging history is another fundamental of secure messaging, even when end-to-end encryption is enabled. Encryption protects messages in transit; if you can't delete them afterwards, anyone who gets access to your phone or computer will be able to read them.
How much control you have over deletion matters as well.
Some apps only let you delete messages or conversations from your own inbox, which isn't enough, because a copy of the messages will remain on the devices of the other parties in the conversation.
Other applications, such as the little-known Gliph, will let you delete messages from both the sending and the receiving devices. Signal offers disappearing messages, which are automatically deleted from all devices a set time after they have been viewed.
The last thing to consider is that while message deletion is a nifty feature to clean up your history and avoid leaving something unwanted behind, it doesn't stop someone viewing the conversation from keeping a copy for later, whether by taking a screenshot or by running a modified client that simply ignores deletion requests. So you should still be careful about what you say if you're chatting with an untrusted party.
Most messaging apps store metadata about your messages, i.e. information other than the text itself: timestamps, sender and receiver, your contact list, device information, and so on. Metadata often hands hackers and surveillance agencies a gold mine of information when they can't break the encryption: who talks to whom, how often, when, and how much is revealing even if the content is never seen.
Always do a little research into what information your messaging app stores about you, and for how long.
In this regard, Signal is again a frontrunner. The service stores next to nothing about its users: the date an account was created and the last time it connected to the server, both with their precision reduced to the day.
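As an added illustration (not code from the original post or from Signal), the following Go program models what a relay server can log about end-to-end encrypted traffic even though it cannot read a byte of content, and two ways to shrink that: padding message lengths into fixed buckets so the size field stops distinguishing "yes" from a paragraph, and retaining only a per-user last-connection date at day precision. The envelope layout, the 160-byte bucket, the length-prefix padding rule, the user names and the sample traffic are all constructed for the demo, not taken from any real service.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
	"time"
)

// envelope is what a relay server handles: routing data in the clear and an
// opaque payload it cannot read. Here the payload is the (padded) plaintext
// standing in for ciphertext; an AEAD adds the same fixed overhead to every
// message, which does not change the picture.
type envelope struct {
	From, To string
	SentAt   time.Time
	Payload  []byte
}

// relayRecord is the metadata a relay can log for every envelope without
// breaking any encryption: who, to whom, when, and how much.
type relayRecord struct {
	From, To string
	At       time.Time
	Size     int
}

func relayLog(envs []envelope) []relayRecord {
	recs := make([]relayRecord, 0, len(envs))
	for _, e := range envs {
		recs = append(recs, relayRecord{From: e.From, To: e.To, At: e.SentAt, Size: len(e.Payload)})
	}
	return recs
}

// padMessage blunts the size channel by rounding each message up to a
// multiple of bucket bytes: 2-byte length prefix, message, then zeros. The
// scheme is assumed for the demo; real protocols pick their own rule.
func padMessage(pt []byte, bucket int) ([]byte, error) {
	if len(pt) > 0xffff {
		return nil, errors.New("message too long for a 2-byte length prefix")
	}
	out := make([]byte, (len(pt)+2+bucket-1)/bucket*bucket)
	binary.BigEndian.PutUint16(out, uint16(len(pt)))
	copy(out[2:], pt)
	return out, nil
}

// unpadMessage is the receiver's inverse; it rejects a prefix that points
// past the end of the buffer instead of reading out of bounds.
func unpadMessage(p []byte) ([]byte, error) {
	if len(p) < 2 {
		return nil, errors.New("padded message too short")
	}
	n := int(binary.BigEndian.Uint16(p))
	if 2+n > len(p) {
		return nil, errors.New("length prefix exceeds padded message")
	}
	return p[2 : 2+n], nil
}

// lastSeenByDay keeps only the kind of minimal record the text describes for
// Signal: per user, the last day they contacted the server, time of day gone.
func lastSeenByDay(recs []relayRecord) map[string]string {
	seen := map[string]string{}
	for _, r := range recs {
		if day := r.At.UTC().Format("2006-01-02"); day > seen[r.From] { // ISO dates sort lexically
			seen[r.From] = day
		}
	}
	return seen
}

// sample is constructed traffic, not real data: three messages of very
// different lengths spread over three days.
var sample = []struct {
	from, to, text string
	at             time.Time
}{
	{"alice", "bob", "yes", time.Date(2024, 3, 1, 9, 15, 0, 0, time.UTC)},
	{"bob", "alice", strings.Repeat("x", 150), time.Date(2024, 3, 2, 18, 0, 0, 0, time.UTC)},
	{"alice", "bob", "ok", time.Date(2024, 3, 3, 23, 59, 0, 0, time.UTC)},
}

// sampleTraffic wraps the sample in envelopes, padded to bucket bytes
// (bucket 0 means no padding at all).
func sampleTraffic(bucket int) []envelope {
	envs := make([]envelope, len(sample))
	for i, m := range sample {
		payload := []byte(m.text)
		if bucket > 0 {
			var err error
			if payload, err = padMessage(payload, bucket); err != nil {
				panic(err)
			}
		}
		envs[i] = envelope{From: m.from, To: m.to, SentAt: m.at, Payload: payload}
	}
	return envs
}

// sizes extracts the one field the relay learns about content: its length.
func sizes(recs []relayRecord) []int {
	out := make([]int, len(recs))
	for i, r := range recs {
		out[i] = r.Size
	}
	return out
}

func main() {
	fmt.Println("sizes the relay sees, no padding:   ", sizes(relayLog(sampleTraffic(0))))
	fmt.Println("sizes the relay sees, 160-byte pads:", sizes(relayLog(sampleTraffic(160))))
	fmt.Println("minimal retention (last day seen):  ", lastSeenByDay(relayLog(sampleTraffic(160))))
}
```

Without padding the relay's log alone tells an observer that one of the three messages was a long one; with bucket padding all three look identical in size. The retention function shows the other lever a service has: the full log is inherent to relaying, but what it keeps is a choice.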
No matter how secure an app is advertised to be, if you can't look inside it you'll never be sure what's hiding behind its flashy user interface. With government agencies vehemently pursuing backdoors in communications, and tech firms having a track record of cooperating with three-letter agencies, the only way developers can prove the security of their apps is through transparency.
In the domain of software, transparency means open source: developers publish the source code of their applications for everyone to see, so that experts and other developers can examine it for security bugs or intentionally implanted backdoors. Published source only helps if the build you actually install corresponds to it, which is what reproducible builds are meant to guarantee.
Signal is an open-source application, and its code has been vetted and endorsed by security experts such as Bruce Schneier and Ed Snowden.
Other things to consider
While the app you're using might be secure, you should also consider the environment in which it runs. If the mobile device or computer you're using has been infected with a trojan or other malware, there's a good chance that your messages (which are decrypted on the device in order to be displayed), your screen or your keystrokes are being recorded and sent elsewhere. No amount of end-to-end encryption helps once the endpoint itself is compromised.
Therefore you should think beyond the confines of your app and take care to adopt basic cyber hygiene, such as keeping your system, software and antivirus solution updated.
Over to you
These are the basic fundamentals of secure messaging. While enjoying your favorite messaging app, you can use these guidelines to determine how safe you are and to choose the right application for each conversation.
I’ve made my pick of secure messaging app clear (Signal if you haven’t noticed). What’s yours and why? Share with us in the comments.