Messaging apps are one of the most – if not most – important apps we use every day. Whether it’s connecting with family and friends around the world, communicating with colleagues, or running business, messaging apps like WhatsApp, iMessage, Skype, and Facebook Messenger play an important role in our daily communication.
We often share things like personal photos, trade secrets, and legal documents in messaging apps, information that we don’t want to share with the wrong people. But how much can we trust your messaging apps to protect all of our confidential messages and sensitive information?
Below are some guidelines to help you assess the level of security offered by your favorite messaging application.
A few words about encryption
Of course, all messaging platforms claim to encrypt your data Encryption uses mathematical equations to encrypt your data in transit to prevent attackers from reading your messages.
Proper encryption ensures that only the sender and recipient of a message will know about its content. However, not all encryption types are created equal.
The most secure messaging apps are the ones that offer end-to-end encryption (E2EE) E2EE applications store decryption keys only on users’ devices. E2EE not only protects your communications from eavesdroppers, but it also ensures that the company hosting the application cannot read your messages. It also means your messages will be protected from data breaches and intrusive three-letter agency demands.
More and more messaging apps provide end-to-end encryption. Signal was one of the first platforms to support E2EE. In recent years, other applications have adopted the Signal encryption protocol or developed their own E2EE technology. Examples include WhatsApp, Wickr, and iMessage.
Facebook Messenger and Telegram also support E2EE messaging, although it is not enabled by default, making them less secure. Skype has also recently added a Private Conversation option that provides end-to-end encryption for one conversation of your choice.
Google Hangouts doesn’t support end-to-end encryption, but the company does provide Allo and Duo apps, as well as end-to-end encrypted text messaging and video conferencing apps.
Delete the message
Security isn’t just about encrypting messages. What if your device, or the device of the person you are talking to, gets hacked or falls into the wrong hands? In this case, encryption will be of little use, because an attacker would be able to see messages in their unencrypted format.
The best way to protect your messages is to get rid of them when you no longer need them. This ensures that even if your device is compromised, attackers will not gain access to your sensitive and confidential messages.
All messaging apps provide some form of message deletion, but again, not all message deletion features are created equal.
For example, Hangouts and iMessage let you clear your chat history. But although messages will be deleted from your device, they will remain on the devices of the people with whom you spoke.
Therefore, if their devices are jailbroken, you will still lose your sensitive data. Hangouts has the ability to turn off chat history, which automatically deletes messages from all devices after each session.
In Telegram, Signal, Wickr and Skype, you can delete messages for all participants in the conversation. This can ensure that no sensitive messages remain on any of the devices participating in the conversation.
In 2017, WhatsApp also added a “delete for all†feature, but you can only use it to delete messages that you sent within the last 13 hours. Facebook Messenger recently added an “Undo Send†feature, although it only works for 10 minutes after the message was sent.
Signal, Telegram, and Wickr also provide a message self-destruct feature that immediately deletes messages from all devices after a specified period of time. This feature is especially good for confidential conversations and saves you the hassle of manually erasing messages.
Metadata
Each message contains some amount of supporting information, also known as metadata, such as sender and recipient IDs, message sent, received and read times, IP addresses, phone numbers, device IDs, etc.
Messaging servers store and process this information to ensure that messages are delivered to the right recipients on time and to enable users to view and organize their chat logs.
Although metadata does not contain the text of the message, in the wrong hands it can be very harmful and tell a lot about the communication patterns of users, such as their geographic location, the time they use their apps, the people they communicate with, etc.
In the event that a messaging service falls victim to a data breach, such information could open the way for cyberattacks such as phishing and other social engineering schemes.
Most messaging services collect a lot of metadata, and unfortunately there is no reliable way to find out what types of information services are stored. But as far as we know, Signal has the best track record. According to the company, its servers only log the phone number with which you created your account and the date you last logged into your account.
Transparency
Every developer will tell you that their messaging app is safe, but how can you be sure? How do you know the app doesn’t hide a government-implanted backdoor? How do you know the developer did a good job testing the application?
Applications make the source code of their application publicly available, also known as “open source”, is more reliable because independent security experts can check and confirm whether they are safe or not.
Signal, Wickr and Telegram are open source messaging apps, which means they’ve passed peer review by independent experts. In particular, Signal is backed by security experts such as Bruce Schneier and Edward Snowden.
WhatsApp and Facebook Messenger are closed source, but they use the open source signaling protocol to encrypt their messages. This means that you can at least be sure that Facebook, which owns both applications, will not check the content of your posts.
For completely closed source apps like Apple iMessage, you must completely trust the developer to avoid serious security bugs.
To be clear, open source doesn’t mean absolute security. But at least you can make sure that the app isn’t hiding anything nasty under the hood.
–