Research: nearly all of your messaging apps are secure


In recent research, the CyberNews Investigation team discovered that a chat service, most likely based in China, had leaked more than 130,000 extremely NSFW images, video and audio recordings of their users. While this messaging service was connected to a company that offered a “private social network,” and therefore with a small user base, we wanted to see the security features of larger messaging apps.

For users of these bigger messaging apps, we have some good news: 86% of the apps (11 of 13) we looked at were secure by default. Only two apps – Telegram and Facebook Messenger – did not have these secure features enabled by default. These results are generally promising, as it signifies that the secure messaging industry is heading in the right direction.

We also found that most of the apps used variations of RSA and AES for encryption and key hashes – which are some of the most secure encryption algorithms available today.


In general, this is good not only for your “late night” messages (NSFW or not), but also for other important activities. We’ve covered before how important it is for people participating in protests around the world – whether Black Lives Matter in the US or anti-Lukashenko in Belarus – to use secure messaging services to coordinate activities and provide support.


Our research shows that those users would be wise to use the top secure messaging apps like Signal, Wire, Cyber Dust and others on our list.

Key takeaways

In order to perform our analysis, we looked at various aspects of 13 popular secure messaging apps:

  • Signal
  • Wickr Me
  • Messenger
  • WhatsApp
  • Telegram
  • Wire
  • Viber
  • Cyber Dust
  • iMessage
  • Pryvate
  • Qtox
  • Session
  • Briar

Our analysis included the various apps’ transport and encryption standards, keys-exchange principles, and cryptographic primitives.


These are the key results of our analysis:

  • 2 of the messaging apps were not secure by default, and users will have to turn on this security in the settings
  • 4 of the secure messaging apps use the industry-trusted Signal Protocol for encryption
  • Only two of the apps use P2P for their transport mechanism
  • iMessage does not encrypt messages if they are sent through GSM (used for 2G and 3G)
  • 3 out of 13 applications have paid plans that allow more users to access extra features
  • Most of the applications use RSA and AES, some of the most secure encryption algorithms available today, for encryption and key hashes

The nature of secure messaging apps

While most of the attention focuses on the most popular secure messaging apps, such as Signal, Messenger, Viber, Telegram and WhatsApp, we wanted to expand our analysis to understand the larger scope of the secure messaging industry. This includes looking at less-popular secure messaging services like Session, Briar, Wickr Me, Wire and Cyber Dust.

For the most part, we were not interested in ranking these apps in any way – rather, we wanted to investigate the applications’ encryption, transport and overall privacy.

What we found was largely positive: all but two of the apps offered security by default, and of those two apps, Telegram and Messenger, both could easily be made secure by changing user settings.

Four of the apps – Signal, Messenger, WhatsApp and Session – used the Signal protocol for end-to-end encryption. In end-to-end encryption, only the sender and the receiver will be able to view the messages, whereas without end-to-end encryption, the messaging app server that sits between the sender and receiver might be able to read the messages. The Signal protocol has become the industry standard for securing messaging, voice and video communications.


One interesting aspect of our analysis was that Apple’s iMessage, which runs on iPhone, iPad, Apple Watch and Mac, only encrypts messages when they travel over HTTPS. When messages are sent through GSM – the protocol used by 2G and 3G devices – they are not encrypted.

Only two apps – Briar and Qtox – use a peer-to-peer (P2P) transport mechanism. P2P here means that there is no server sitting in the middle between the sender and receiver: the messages go directly from one device to the next. While Briar offers other transfer mechanisms, Qtox only uses the Tox P2P protocol, and therefore it has no privacy policy – it doesn’t need one, since it never touches the user’s data.

While nearly all of the messaging services we looked at are free or have a free version, only Wire requires a subscription. That’s because this messaging service is built for corporate use – something like Slack or Microsoft Teams, but with end-to-end encryption.

In practice, this means people can safely talk to their families using their favorite programs. The only recommendation is this: if you’re using Facebook Messenger or Telegram, you should turn on these privacy and security settings.


Unfortunately, you’ll have to do this on a conversation-by-conversation basis in Messenger. To turn on encryption, hit the “i” button in the top right corner of any active conversation, and then select “Go to Secret Conversation.” A new end-to-end encrypted conversation will be created. But, of course, you’ll have to do this for each new or existing conversation.

This is similar in Telegram. On iOS, simply open the profile of the user you want to contact. Tap on ‘…’, then “Start Secret Chat.” For Android, you should swipe right to open the menu, then select “New secret chat.”

This is great not only for security but also for privacy, since even Facebook and Telegram can’t read end-to-end encrypted conversations.

A caveat: what secure does and doesn’t mean in messaging apps

It’s important to note that there are some limitations when it comes to secure messaging services. This largely depends on what you want to do with the messaging service.

For general usage, it’s important that the messaging service you use has encryption enabled – preferably by default. The NSFW media files we discovered on an unsecured Amazon bucket were stored unencrypted, so that messaging service simply was not a secure choice.

But beyond that, there are users who want as much security as possible – which means near or total anonymity: to not have their messages readable by others, to not be tracked by others, to not be named or connected to communications by others. In this light, most of these messaging services have failed or will fail. And that’s simply the nature of software – all programs have bugs, some more serious than others.

One famous example is WhatsApp, which has had numerous vulnerabilities throughout the years. This includes Israeli spyware that could install surveillance software on a target’s phone by simply calling them through WhatsApp. Messenger had its share of problems too, where attackers could see who you’ve been messaging with.

Even Signal, probably the messaging app most recommended by cybersecurity professionals, fell victim to a rather complex attack where someone could listen in on your surroundings by making a sort of ghost call – calling you through Signal and then pressing mute without the call being seen, to eavesdrop on your conversations.

And that’s just usage by cybercriminals to attack individuals. Law enforcement has been using various methods throughout the years to spy on groups of people. In Hong Kong, a Telegram bug was reportedly exploited by the Chinese government to leak users’ phone numbers. German researchers also discovered that WhatsApp, Signal and Telegram were exposing users’ personal data via contact discovery.

Suffice it to say: none of these apps offer absolute security, and none ever will, since there will always be a workaround by a person or a group with enough time and resources. Even if an app were absolutely secure in and of itself, it wouldn’t be able to mitigate your mistakes. As Telegram’s FAQ nicely puts it:

“We cannot protect you from your own mother if she takes your unlocked phone without a passcode. Or from your IT-department if they access your computer at work. Or from any other people that get physical or root access to your phones or computers running Telegram.”


If you behave insecurely, no secure messaging app will save you.

Summary table

In the image below, you’ll find all the details about the 13 messaging apps we looked at.


Comments

Tara Dalrymple
3 years ago
Are more secure messaging apps going to implement QKD?