As you well know, internet privacy has become one of the dominant trends of this decade. Attacks on servers, personal data, and big companies and names have helped raise awareness of internet security. Messaging apps are among the platforms targeted by cyber attacks. These companies use encryption to safeguard their customers’ data and, as a result, their brand. Companies that offer end-to-end encryption (E2EE) are overcoming these security conflicts.
Messaging apps provide us with platforms to send and receive messages. One of the most important features they can offer is the security of our messages. They all offer encryption of their users’ data to ensure security. But the level of encryption, and when and where the data is encrypted, differ.
Most messaging apps encrypt the data sent to their servers only while it is in transit from the user to the messaging server. The data is then decrypted when it reaches the server to be stored. These companies expect users to trust the security of their servers when it comes to data safety. It is worth saying that companies without E2EE have access to all your data and can potentially use it, modify it or give it to third parties. End-to-end encryption is the safer way to encrypt data and keep it from surveillance or criminal use.
What is End-to-end Encryption?
End-to-end encryption is a method of communication in which only the sender and the receiver have access to the decrypted data. With this method of encryption, a third party cannot read the original data. The third party here can be the internet service provider, the app server, and/or attackers who might have access to the stored data. Cryptographic keys decrypt the messages, and none of the third parties has access to those keys.
How does E2EE work?
In E2EE messaging, each user has a public key and a private key. Let’s say I, Gabriel, want to send a message to my friend Joe on, say, WhatsApp. I have to use Joe’s public key to encrypt the message. The message goes to the WhatsApp servers as encrypted data. Joe receives my message and uses his private key to decrypt it. The cryptographic keys here are exclusive to the endpoints and are, in theory, impenetrable.
Risks and Challenges
As mentioned before, each endpoint has a public and a private key. Hackers can impersonate an endpoint by tampering with these cryptographic keys. They can do this either during the key exchange or by substituting their own public key for the receiver’s public key. As a result, the messages are encrypted with a key that the hacker knows. After reading the original data, the hacker can re-encrypt the message with the receiver’s key and send it on, avoiding detection.
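The key substitution described above is caught by comparing key fingerprints over a separate channel before trusting a key delivered by the server. The following Python sketch is an added example, not code from any of the apps discussed; it uses a toy Diffie-Hellman exchange in place of a production scheme, and all function names and parameters are hypothetical.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters (assumption for this sketch only; real apps
# use vetted constructions from audited cryptographic libraries).
P = 2**255 - 19
G = 2

def keypair():
    """Return (private, public) for the toy exchange."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def fingerprint(public):
    """Short digest of a public key that two people can compare by eye."""
    digest = hashlib.sha256(public.to_bytes(32, "big")).hexdigest()[:24]
    return " ".join(digest[i:i + 4] for i in range(0, 24, 4))

def session_key(my_private, their_public):
    """Derive a symmetric key from the shared Diffie-Hellman secret."""
    shared = pow(their_public, my_private, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def accept_key(served_public, verified_fingerprint):
    """Accept a key delivered by the server only if it matches the fingerprint
    the two users compared out of band (in person, QR code, phone call)."""
    return secrets.compare_digest(fingerprint(served_public), verified_fingerprint)

def demo():
    """Constructed scenario: Gabriel checks the key served for Joe."""
    gabriel_priv, gabriel_pub = keypair()
    joe_priv, joe_pub = keypair()
    _, substitute_pub = keypair()   # constructed key standing in for a swap

    joe_fp = fingerprint(joe_pub)   # what Joe shows Gabriel directly

    honest = accept_key(joe_pub, joe_fp)           # genuine key passes
    swapped = accept_key(substitute_pub, joe_fp)   # substituted key fails
    # With the genuine keys, both endpoints derive the same session key.
    same_key = (session_key(gabriel_priv, joe_pub)
                == session_key(joe_priv, gabriel_pub))
    return honest, swapped, same_key

if __name__ == "__main__":
    print(demo())
```

Apps expose the same check to users as a safety number or security code screen; a mismatch means the key in use is not the one the contact actually holds.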
Not all end-to-end encrypted messaging apps have this encryption option on by default. Unfortunately, on these apps you have to enable data encryption manually, which means going to the settings and turning the feature on. Moreover, this feature does not always apply to all messages. Some apps only encrypt certain scenarios, so you should be sure of what the app offers. Message encryption is still a relatively new notion, and seeing the keyword “encryption” is not enough; it needs more research.
A backdoor is a secret method that bypasses the usual security mechanism to get access to a system or encrypted data. Backdoors are there to help find out the weak spots and vulnerabilities. Like many other useful methods, backdoors have been used for unacceptable purposes. The information leaked by Edward Snowden about Skype confirmed the misuse of backdoors. Skype had a backdoor through which Microsoft gave its users’ messages to the NSA. The tricky part is that they were end-to-end encrypted messages.
App developers make their apps open source to ensure transparency and to keep their apps up to date. Like backdoors, an open source app can guarantee integrity to itself and its users. Open source gives experts the opportunity to inspect the app through the right channels. This auditing can help the app massively.
Outstanding E2EE Messaging Apps
Here we go through some of the outstanding end-to-end encrypted messaging apps. We will mention their security measures and risks one by one.
Signal is one of the most superb apps following the standard of messaging security. This app, previously known as TextSecure Private Messenger, is free on both iOS and Android as a messaging platform. Signal uses its own data infrastructure to send messages.
- End-to-end Encryption: Besides instant messages, voice calls and video calls are protected by encryption.
- Open Source
- Disappearing Messages: You have the ability to send and receive messages that will disappear after a certain time period.
- Password Security: You can set a password for your account.
There are no security concerns and risks as long as the open source feature helps the app fix its vulnerabilities.
Wickr is another secure platform for messaging. They offer two services, named Wickr Me and Wickr Pro. Wickr Me is for personal use and is free. Wickr Pro is a paid service for business use. Both are available on iOS and Android.
- End-to-end Encryption: Both Wickr Me and Wickr Pro offer video and voice call encryption.
- Screenshot Detection: Are you worried that people might screenshot your message? Wickr offers this feature, which sends you a notification when someone takes a screenshot of your messages.
- Secure Shredder: Wickr deletes unnecessary and temporary files periodically. It also has a feature with which you can erase information that you do not want to be recovered by recovery technologies.
Wickr is considered pretty safe and sound, though they did not have open source until they released their cryptographic protocols.
Dust is available on iOS and Android. The messages sent in this app, as the name suggests, turn into dust after being read privately.
- End-to-end Encryption: Their encryption method is available to the public. The voice and video calls do NOT have encryption protection.
- No permanent storage: The messages are not saved on your phone. The messages are stored in the app’s RAM until the receiver gets them. You can delete your messages on others’ devices.
- Screenshot alerts: On Android devices, when you take a screenshot, the name of the sender of the message is erased. On iOS, a notification goes to the person whose message is being screenshotted.
No security issues have been linked to the app. The only problem is that the app does not have an open source policy.
Last but not least, WhatsApp, with more than 1 billion users and over 60 billion messages sent per day, is one of the most popular messaging apps. The absence of ads has helped this app’s popularity. The app is available on both iOS and Android for free.
- End-to-end Encryption: WhatsApp applied a secure encryption protocol that gives access to the message only to the two endpoints. Video and voice calls have encryption protection. Moreover, all messages are encrypted by default.
- Two-step Verification: You can enable this feature as an added layer of security. If you enable it, you will need a PIN when registering your phone number with WhatsApp again.
- Messages Won’t Be Stored: Your messages are stored on the app server only from the time you send them until they are delivered. If your message doesn’t go through, it is stored for a month and then disappears from the server.
- Backups are not encrypted: Messages on WhatsApp have backups on iCloud and Google Drive. Since 2016 iCloud backups have encrypted protection. However, media and messages you back up are not protected by WhatsApp end-to-end encryption while in Google Drive.
The good news is that you can disable the Google Drive backup within the app.
Time needed: 1 minute.
- Log in and go to Settings
- Click on Chats
- Go to Chats Backup
- Choose the option “Back up to Google Drive”
- Choose one of the limiting and/or disabling options
- Facebook Related Privacy Problems: WhatsApp was bought by Facebook, which claims that there is no way to access the encrypted messages. While Facebook reassures users about their privacy, WhatsApp announced that they are sharing metadata with Facebook.