Messaging applications are one of the most—if not the most—important apps that we use
every day. Whether it’s to stay in touch with family and friends across the
world, contact coworkers, or run business operations, messaging apps like
WhatsApp, iMessage, Skype and Facebook Messenger play an important part in our
daily communications.
We often share things such as personal pictures, business
secrets and legal documents on messaging apps, information that we don’t want
to make available to the wrong people. But how far can we trust your messaging
apps to protect all our confidential messages and sensitive information?
Following are some guidelines that will help you assess the
level of security that your favorite messaging app will provide.
A Few Words on Encryption
Of course, all messaging platforms profess to encrypt your data. Encryption uses mathematical equations to scramble your data in transition to prevent eavesdroppers from being able to read your messages.
Proper encryption makes sure that only the sender and the
recipient of a message will be aware of its content. However not all types of
encryption are made equal.
The most secure messaging apps are those that offer end-to-end encryption (E2EE). E2EE
apps store decryption keys on users’ devices only. E2EE not only protects your
communications against eavesdroppers, but also makes sure that the company that
hosts the application won’t be able to read your messages. This also means that
your messages will be protected against data breaches and intrusive warrants by
three-letter agencies.
More and more messaging applications are providing
end-to-end encryption. Signal was one of the first platforms to support E2EE.
In recent years, other applications have adopted Signal’s encryption protocol
or have developed their own E2EE technology. Examples include WhatsApp, Wickr
and iMessage.
Facebook Messenger and Telegram also support E2EE messaging,
though it’s not enabled by default, which makes them less secure. Skype also
added a “Private Conversation” option recently which gives you end-to-end
encryption on one conversation of your choice.
Google’s Hangouts does not support end-to-end encryption,
but the company provides Allo and Duo, text messaging and video conferencing
apps that are end-to-end encrypted.
Message Deletion
There’s more to security than just encrypting messages. What
if your device or the device of the person you’re chatting with gets hacked or
falls into the wrong hands? In that case, encryption will be of little use,
because the malicious actor will be able to see messages in their unencrypted
format.
The best way to protect your messages is to get rid of them
when you don’t need them anymore. This makes sure that even if your device
becomes compromised, malicious actors won’t get access to your confidential and
sensitive messages.
All messaging apps provide some form of message deletion,
but again, not all message removal features are equally secure.
For instance, Hangouts and iMessage enable you to clear your chat history. But while messages will be removed from your device, they will remain on the devices of the people you have been chatting with.
Therefore, if their devices become compromised, you’ll still lose hold of your sensitive data. To its credit, Hangouts has an option to disable chat history, which will automatically remove messages from all devices after each session.
In Telegram, Signal, Wickr and Skype, you can delete messages for all parties to a conversation. This can make sure that sensitive communications don’t remain in any of the devices involved in a conversation.
WhatsApp also added a “delete for everyone” option in 2017, but you can use it to delete only those messages you’ve sent within the last 13 hours. Facebook Messenger also added an “unsend” feature very recently, though it only works for 10 minutes after you send a message.
Signal, Telegram and Wickr also provide a self-destructing
message feature, which will immediately remove messages from all devices after
a configured period of time passes. This feature is especially good for
sensitive conversations, and saves you the effort of manually wiping messages.
Metadata
Every message comes with an amount of auxiliary information, also known as metadata, such as sender and receiver IDs, the time a message was sent, received and read, IP addresses, phone numbers, device IDs, etc.
Messaging servers store and process that kind of information to make sure messages are delivered to the right recipients and on time and to enable users to browse and organize their chat logs.
While metadata doesn’t contain message text, in the wrong hands, it can be very harmful and reveal a lot about users’ communication patterns such as their geographical location, the times they use their apps, the people they communicate with, etc.
In case the messaging service falls victim to a data breach, this kind of information can pave the way for cyberattacks such as phishing and other social engineering schemes.
Most messaging services collect a wealth of metadata and
unfortunately, there’s no sure way to know what type of information messaging
services store. But from what we know, Signal has the best track record.
According to the company, its servers only register the phone number with which
you created your account and the last date you logged in to your account.
Transparency
Every developer will tell you their messaging app is secure,
but how can you be sure? How do you know the app is not hiding a
government-implanted backdoor? How do you know the developer has done a good
job at testing the application?
Applications make the source code of
their application publicly available, also known as “open-source,” are more
reliable because independent security experts can examine and confirm whether
they’re secure or not.
Signal, Wickr and Telegram are open-source messaging apps,
which means they have been peer-reviewed by independent experts. Signal in
particular has the support of security experts such as Bruce Schneier and
Edward Snowden.
WhatsApp and Facebook Messenger are closed-source, but they
use the open-source Signal Protocol to encrypt their messages. This means that
you can at least rest assured that Facebook, which owns both apps, won’t be
looking into the content of your messages.
For fully closed-source applications such as Apple’s
iMessage, you must fully trust the developer to avoid making disastrous
security mistakes.
To be clear, open-source doesn’t mean absolute security. But
at least you can make sure that the app isn’t hiding anything nasty under the
hood.