WhatsApp, Messenger, Facetime, iMessage, Allo, Telegram, Hangouts, Skype. You have dozens of mainstream messaging apps to choose from, each with tens—if not hundreds—of millions of users and more than enough features to fulfill your communication needs.
But not all of these messaging apps are equally reliable in ensuring your privacy and security—a commodity that is becoming increasingly expensive and rare. We now use messaging apps to exchange all sorts of sensitive information, whether personal, political or business-related. And we usually take the security of our communications for granted until disaster strikes.
And don’t say you have nothing to hide.
So whether you’re leaking top-notch information about a despotic regime, sending over company trade secrets to a colleague, or simply sending a picture of yourself you don’t want to share with the world, you have cause to be concerned about the security of the messaging app you’re using.
The <3 of EU tech
The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!
Here are four benchmarks to evaluate the security of your favorite app.
Encryption
Encryption, the use mathematical algorithms to scramble data, is the best known way to prevent unwanted parties from making sense of the messages you send. All major messaging apps use some form of encryption to protect your privacy.
However, not all encryption is made equal. In fact, some services deliberately maintain hold of the keys to decrypt and access your messages. They usually analyze the information you create in order to serve better targeted ads or to feed their data-hungry machine learning algorithms.
But this also means that your data can be accessed by bad actors that might break into the service’s servers.
The most secure apps are those that use end-to-end encryption (E2EE), a form of encryption that makes sure that only the sender and recipient of a message can read its contents. With E2EE even if the service provider stores your messages on its servers, it won’t be able to decrypt and read them.
The current golden standard of end-to-end encryption is the Open Whisper Systems Signal Protocol, which is used in a namesake messaging app endorsed by Edward Snowden and famous cryptography expert Bruce Schneier. Other famous messaging apps such as Facebook Messenger, WhatsApp and Telegram also use the Signal encryption protocol.
Beware however. Some apps don’t enable E2EE by default. And others might forego giving key change warnings for the sake of user convenience. While these are not necessarily vulnerabilities, they nonetheless prove that the math behind end-to-end encryption alone is not enough.
Open-source
In recent years, transparency has emerged as a critical element of secure software development. Developers who open the source code of their applications to scrutiny and let others view it are more trustworthy.
Open-sourcing an application doesn’t make it inherently secure, but it gives security experts a chance to review the code and find potential bugs or backdoors.
Applications that use the walled-garden approach keep the rest of the world in the dark, and their users will have to trust the company to have tested and debugged its own code.
Telegram and Signal are two open source messaging apps.
Message deletion
If your phone falls into the wrong hands unlocked or your account becomes compromised, no amount of encryption will protect your sensitive information. That’s why being able to delete messages gives you an extra measure of security.
Most apps will allow you to delete individual messages or entire chat logs from your own accounts and devices. But secure messaging apps should enable senders to delete sensitive messages from the devices of all parties involved in a conversation.
Telegram, Signal and Wickr have a self-destruct message feature that, if set, will automatically delete messages from all devices after a certain amount of time elapses.
Minimum metadata storage
Aside from the content of your messages, every messaging service stores a set of information such as the time a message was sent, whom it was sent to, etc. That is called metadata, or “data about data.”
While at first glance the content of metadata might not be as sensitive and revealing than the actual message, quite a lot can be inferred from it, such as your contacts, usage patterns, location, and much else. And metadata is never encrypted or protected as strongly as message content is, primarily the functionality of most services depends on it.
In his keynote address to SOURCE Boston in 2014, Bruce Schneier said, “Metadata is far more intimate than our conversations. It shows where we go, our interests, our relationships—it shows who we are.”
Law enforcement relies largely on metadata to identify and catch criminals and terrorists. The military trusts metadata to the extent that it carries out airstrikes based on the information it gleans from metadata.
I guess that speaks to how important metadata is, and how damaging it can become if it falls into the wrong hands. Therefore, the less metadata a messaging app stores, the more secure it is. You should always review the metadata storage policies of your messaging app.
Signal stores only the last time each user connected to the server, which is the least among major messaging apps.
Thoughts to leave you with
You can now evaluate the trustworthiness of each of the messaging apps you’re using. This doesn’t mean that you should outright throw away any app that doesn’t fit the above criteria. What it means though is that you shouldn’t take your security for granted and only share as much with an app as you can trust it.
Also bear in mind that a chain is only as strong as its weakest link. This means that a secure messaging app will be of no use on an insecure device. Never forget to adhere to the principles of general cyber-hygiene. So keep your passwords strong, your system up to date, your device locked, and stay safe!
Get the TNW newsletter
Get the most important tech news in your inbox each week.