How to choose a secure encrypted messaging app

How to choose a secure encrypted messaging app
Photo by Fizkes, Bigstock

Whether it’s a message to your mum, medical health details, or some juicy office gossip, we would all like to keep the contents of our text messages safe from prying eyes. The last thing anyone wants is for an unknown third party to access private messages, steal personal information, and use it for something like advertising, identify theft or worse.

That’s why, in today’s hyper-connected, digital world, it’s so critical to use an end-to-end encrypted (E2EE) messaging app – especially when you consider mobile malware’s increasing share of all malware incidents. Unless you’re using an E2EE messaging app, you’re essentially leaving all your private conversations out for the taking.

But which messaging app should you choose? With so many apps on the market claiming to be safe and secure, it can be hard to tell which platforms you can actually rely on. The recent cyber-breach of the world’s most popular messaging platform, WhatsApp, has sparked further security concerns. To help you out, the team at ESET has some advice to help you evaluate the merits of your messaging apps, and to maintain mobile security best practice.

mobile security best practice
Photo by Daniel Korpai, Unsplash

What is end-to-end encryption?

Communications encryption involves “scrambling” data – such as a text message or a file, or a digitised audio or video stream – in order to make it unreadable by any third parties who may be able to intercept the data as it is sent across a communications network. The scrambling is done in a way that allows only the valid recipients to “unscramble” the data and recover the original content. When two people communicate via an encrypted channel, rather than seeing the original data, anyone who can intercept the communication channel will see apparently random data.

Sounds secure, right? The problem with simple communications encryption schemes is that while they protect your message as it traverses the network connections between you and the recipient, your message may be decrypted at various intermediary points in that network. The operators of these systems assume that they can maintain the security of those servers and you have to accept that in using these services.

This is how SMS messaging works – your messages are sent over an encrypted channel from your phone to a server where they are decrypted, possibly saved indefinitely and at some point forwarded, via an encrypted channel, to either another server (which repeats this part of the cycle) or the eventual recipient.

At the points where the message is decrypted (and possibly stored) it can be intercepted by an unscrupulous network operator, a hacker who has compromised the network operator, or law enforcement with a warrant. So, even though strong encryption may be used across all the communications links in the network, such communications are not entirely safe from prying eyes at every point along the route.

Traditional internet email also works this way; actually, it is somewhat worse! SMS text messaging has encrypted communication channels by design, so at least your message is encrypted and undecipherable by anyone intercepting the traffic at the network level. The notion of adding encrypted channels for sending email only really arose in the late 1990s and still has not been fully implemented. According to data from Google, about 93% of email traffic between servers is currently encrypted, up from 30—50% in early 2014 when Google started collecting such data.

Why is end-to-end encryption important?

E2EE provides a mechanism to encrypt data on the sender’s device and to only decrypt that data when it arrives at the recipient’s device. Hence, as it says on the tin, with E2EE the data remains encrypted from entering one end of the communications channel until after it arrives on the recipient’s device. There is no point en route where anyone with legitimate or unscrupulous access to the communications channel can access a decrypted version of the data.

Today, many apps use some form of encryption to scramble messages and prevent unauthorized parties from reading them. However, not all forms of encryption are equally secure from cyber-breaches and a surprising range of popular apps, such as Slack and Instagram chat still don’t provide true end-to-end encryption. Facebook Messenger gives users the option to use “secret” end-to-end encrypted messaging, but this isn’t enabled by default.

Facebook Messenger
Photo by Jeshoots, Unsplash

Unlike Android users, Apple iPhone owners can use iMessage, which has default end-to-end encryption – but Information like mobile numbers, contact lists, timestamps and IP addresses are still stored in plain text. For Skype users, Microsoft introduced end-to-end encryption at the beginning of 2018, but it is easy to be cynical about what that might really mean due to a history of cooperation between Microsoft and US three-letter agencies, as disclosed by Edward Snowden.

As you can see, there are a lot of messaging apps on the market, but not all of them are as secure as they say. Here are some things to check for when choosing a messaging app…

End-to-end encryption

This is the most important thing you want to look for, as described above. However, there are design and implementation considerations that mean not all E2EE systems are equally secure or privacy maintaining. For example, some messaging apps encrypt your messages in transmission and at rest, but also keep copies of the encryption keys on their servers, which means that third parties, such as the service operators or intruders, may be able to decrypt your supposedly “secret” messages.

Telegram falls into this basket, as its default messaging mode is implemented using a cloud model, wherein you can access all of your messages from any device. Telegram’s operators claim technical measures implemented in their infrastructure prevent an individual (such as a Telegram staff member) from decrypting a user’s messages, either of their own volition or should law enforcement serve Telegram with warrants to decrypt messages.

These claims cannot be independently verified as Telegram does not make its server source code available for review (most of its official client source code has been open sourced). For ultimate security, you (or your device) should be the only one with your encryption keys, making it solely your responsibility to maintain the security of access to your keys. In its defence, Telegram offers a full E2EE mode, but which lacks some of the convenience factors of the default cloud mode.

E2EE designs is the encryption protocols
Photo by Christian Wiediger, Unsplash

Another difference between E2EE designs is the encryption protocols they use. Computer security is hard, and much (unfortunate) experience teaches us that cryptography is probably by far the hardest part of computer security to get right. Over the years many cryptographic protocols and products have been found to be faulty. This is especially true of so-called “roll your own” encryption schemes and again, Telegram falls into this basket. Its developers claim that an especially talented mathematician designed Telegram’s proprietary encryption scheme. Further, we should just trust that they know better than the world’s collected cryptographic specialists, as their protocols have not been thoroughly, independently audited, or submitted to widespread cryptographic review.

Data collection & policies

Another thing you should check is how your messaging app stores and uses metadata, the information that records the details of your digital activities, from call logs and contacts to sender and receiver IDs. Most popular messaging apps will collect some level of user activity, but there is quite a degree of variation in what is collected. Decide what you feel comfortable with, and whether you trust the app provider in question.

Developer transparency

You should check to see if independent security experts have audited the design of the encryption protocols used by, and the implementation of them and other security features of the messaging service and its apps. Open-source platforms – where developers have made the source code available to the public for full transparency – are more likely to have sustained some level of auditing, even if it was not officially requested by the developers.

the messaging service and its apps
Photo by Rami Al-zayat, Unsplash

Message deletion

Another key security feature that may be of interest in a messaging app is the ability to delete messages after they’ve been sent. Removing your messages from both your and the recipient’s device ensures that if one of the devices is compromised, your sensitive communications cannot be exposed.

User-friendly features

At the end of the day, even the most secure messaging platform will have some flaws, and won’t protect you from yourself. Choose an app with a good user experience (UX) that you feel comfortable with, in order to minimise the risk of human error, but don’t be taken in by “bells and whistles”. Convenience factors are not necessarily security features, and having to accept using a service with centrally stored messages so you can have the “pink flying elephant” feature might not be a smart privacy or security trade-off.

Despite this, the overall level of UX often seems to dictate how popular a messaging app is – which is kind of important if you want to be able to message people. You could have the most secure app in the world, but no one to message (which would actually be the most secure approach, but also a little lonely).

Maintaining total messaging security

As well as choosing a secure encrypted app for your private messages, it’s also important to maintain good cybersecurity habits. Avoid installing apps from unknown companies or unofficial app stores, set a screen lock on your phone, avoid opening suspicious attachments or links, and please don’t over share sensitive information online.

Mobile devices play a huge role in our personal and professional lives, so it makes sense to defend them well. ESET provides a wide array of award-winning malware protection, anti-theft and privacy protection features.