ADVERTISEMENT

Are encrypted messaging apps really secure?

The logo for Signal, an encrypted-messaging app,
Pierluigi Paganini
Pierluigi Paganini Contributor
Sep 28, 2020 Updated: 18 May 2022 4 min read

What makes an encrypted messaging app secure?

Signal: the most secure messaging app?

The European Commission has told its staff to start using Signal, an end-to-end-encrypted messaging app, in a push to increase the security of its communications.
Politico
ADVERTISEMENT

Are encrypted messaging apps surveillance-proof? 

  • Use of unencrypted cloud backups
  • Lack of transparency related to the app’s code that is not available in open source
  • Use of proprietary encryption algorithms
  • The optional setting of end-to-end encryption
This means that law enforcement agencies could obtain warrants to force Google to turn over users’ messages. 

Are encrypted messaging apps hack-proof? 

  • In May 2020, experts from the security firm Tenable discovered a vulnerability in Signal that could have allowed attackers to track a user’s location.
  • In October 2019, Google Project Zero white-hat hacker Natalie Silvanovich discovered a logical flaw in Signal for Android that could have been exploited by a malicious caller to force a call to be answered at the recipient’s end without requiring his interaction. This means that the attacker could spy on the recipient through the microphone of his device. However, the Signal vulnerability can only be exploited if the recipient fails to answer an audio call over Signal, eventually forcing the incoming call to be automatically answered on the recipient’s device.
  • Telegram is not immune to security issues, either. In August 2019, a vulnerability in the popular app exposed the phone numbers of people participating in groups even if they had set the number as “private.” The issue was exploited by Chinese authorities to track activists in Hong Kong. 
  • What about WhatsApp? Earlier this month, the Facebook-owned company addressed six previously undisclosed flaws in its app and disclosed them on a new dedicated security advisory site. One of the flaws, tracked as CVE-2020-1894, is a stack write overflow that may have allowed arbitrary code execution when playing a specially crafted push to talk message. 

Bottom line

ADVERTISEMENT