Are encrypted messaging apps really secure?
What are the most secure encrypted messaging apps? This is one of the most common questions that users ask when they have to install a messaging app on their mobile devices.
The main feature that we consider when dealing with the security of messaging apps is the implementation of end-to-end encryption communication.
End-to-end encryption (E2EE) prevents third parties from eavesdropping on data while it is in transit between the two interlocutors. In E2EE, the data is encrypted on the sender's device and can be decrypted only on the recipient's device; the servers that relay it never hold a key that could decrypt it.
What makes an encrypted messaging app secure?
Unfortunately, even if an app implements end-to-end encryption, it doesn’t mean that it is enabled by default. Some messaging apps require users to explicitly enable this feature, while others only encrypt messages in specific circumstances.
Another important factor to evaluate when analyzing encrypted messaging apps is the availability of their source code for audits. Open source apps allow security experts to review the code looking for vulnerabilities and hidden backdoors.
In order to consider an encrypted messaging app privacy-friendly and secure, it is also important to examine other features, such as what metadata it collects and how it stores users' backups.
Other features that could improve the security of the apps are the “Screenshot detection” and “Screen overlay protection.”
Signal: the most secure messaging app?
The messaging app that privacy advocates and whistleblowers consider most secure is, without any doubt, Signal.
It implements end-to-end encryption and its source code is open source allowing for auditing. The application allows messages to “disappear” after a certain period of time has elapsed and unlike other messaging apps, Signal only stores the metadata it uses to work (i.e. user’s phone number, random keys, and profile information).
The app also allows its users to set a password to add an additional level of protection and lock it, which means that the messages will still be protected if the phone is inspected by unauthorized people.
In February, the European Commission decided to adopt Signal for its staff communications. Politico reported the following:
"The European Commission has told its staff to start using Signal, an end-to-end-encrypted messaging app, in a push to increase the security of its communications." (Politico)
The article also mentioned that “the instruction appeared on internal messaging boards in early February, notifying employees that ’Signal has been selected as the recommended application for public instant messaging.’”
Of course, Signal is to be used only for sensitive but non-classified information.
The list of messaging apps is long and includes other popular applications such as WhatsApp, Telegram, Wickr Me, and Dust.
Are encrypted messaging apps surveillance-proof?
Let me remind you that security is a snapshot in time. An application that is considered secure now could be hacked tomorrow after the discovery of a zero-day vulnerability in one of its components. We can consider an application secure if the above features are implemented, barring the discovery of a vulnerability in its code.
Major privacy and security shortcomings in encrypted messaging apps are related to the following:
- Use of unencrypted cloud backups
- Lack of transparency related to the app’s code that is not available in open source
- Use of proprietary encryption algorithms
- The optional setting of end-to-end encryption
Some apps, like WhatsApp, store unencrypted backups on Google Drive for Android phones.
This means that law enforcement agencies could obtain warrants to force Google to turn over users’ messages.
In WhatsApp's case, users can disable message backups on Google Drive. Other apps, like Telegram, don't use end-to-end encryption by default. To enable it, users have to start a Secret Chat.
It is strongly recommended to use the Secret Chat feature on Telegram, which also prevents chat data from being stored on Telegram's servers.
Another issue related to Telegram is the use of a proprietary protocol dubbed MTProto that lacks transparency in the way it protects communications.
On the whole, while some messaging apps could be considered surveillance-proof by default, other applications have to be properly used and configured. Clearly, there are also some applications that lack security and privacy by design and could expose users to surveillance activities.
Are encrypted messaging apps hack-proof?
The short answer is no.
This is because it is always possible to discover a vulnerability in the code of any application. For this reason, apps that have open sourced their code and that run bug bounty programs are considered more secure. An app also comes closer to hack-proof when it is managed by an organization with a proper vulnerability disclosure process.
Just to get an idea of the variety of vulnerabilities that can affect encrypted messaging apps, take a look at the issues addressed in the past year in the most popular ones:
- In May 2020, experts from the security firm Tenable discovered a vulnerability in Signal that could have allowed attackers to track a user’s location.
- In October 2019, Google Project Zero white-hat hacker Natalie Silvanovich discovered a logical flaw in Signal for Android that could have been exploited by a malicious caller to force a call to be answered on the recipient's end without any interaction on their part. This means that the attacker could spy on the recipient through the microphone of their device. However, the Signal vulnerability could only be exploited if the recipient failed to answer an audio call over Signal, eventually forcing the incoming call to be answered automatically on the recipient's device.
- Telegram is not immune to security issues, either. In August 2019, a vulnerability in the popular app exposed the phone numbers of people participating in groups even if they had set the number as “private.” The issue was exploited by Chinese authorities to track activists in Hong Kong.
- What about WhatsApp? Earlier this month, the Facebook-owned company addressed six previously undisclosed flaws in its app and disclosed them on a new dedicated security advisory site. One of the flaws, tracked as CVE-2020-1894, is a stack write overflow that may have allowed arbitrary code execution when playing a specially crafted push to talk message.
Even though the above vulnerabilities were patched promptly after their discovery, their existence demonstrates that any software, even the most secure, can be affected by flaws that pose severe risks to users' privacy.
I leave the choice of app to you. Obviously, the final choice is also influenced by how many of your contacts use it.
In any case, make sure that E2EE is enabled by default, enable any feature that lets the app store backups in encrypted form, and prefer an app that doesn't keep unnecessary metadata.