Everything You Need To Know About Private Messaging Apps
Individuals are increasingly turning to private messaging applications that enable end-to-end encryption to secure the contents of their discussions, whether they’re discussing sensitive information or brainstorming business ideas with a colleague.
Data that is sent over the Internet frequently travels via several different networks before arriving at its actual destination. Apps like WhatsApp, which is owned by social media behemoth Meta (formerly Facebook), offer a level of anonymity that even prevents government authorities from accessing encrypted chats.
However, with the applications’ security and privacy rules changing all the time, are the communications still safeguarded from being decrypted?
Dr Arash Shaghaghi of the UNSW School of Computer Science and Engineering and the UNSW Institute for Cyber Security compares encryption to having a private chat with another individual.
“To keep our information away from prying eyes, we rely on cryptographic algorithms to encrypt our data. Encryption involves converting human-readable plaintext into an encoded format and the data can only be read after it’s been decrypted,” he says.
“Encryption involves using a key to lock a message, while decryption is using a key to unlock a message.”
“In theory, if an outsider observed an encrypted conversation, they could not make sense of it, and they will need the appropriate key to decrypt it. Interestingly, with some end-to-end encryption protocols, such as Signal, even if someone steals the encryption keys and taps the connection, they cannot decrypt messages already sent. In crypto parlance, this is termed forward secrecy.”
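The forward secrecy property described above can be seen in a small sketch. This is an added example, not code from Signal or from the original article: it assumes a simplified symmetric key ratchet, a constructed shared secret and sample messages, and a stand-in cipher built from HMAC.

```python
import hashlib
import hmac


def ratchet(chain_key):
    """One-way step: return (next_chain_key, message_key) for the current chain key."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key


def keystream_xor(message_key, data):
    """Illustrative cipher only (HMAC-SHA256 in counter mode); real apps use an AEAD."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(message_key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def send_all(chain_key, messages):
    """Encrypt each message under its own key; return (ciphertexts, key state left on the device)."""
    ciphertexts = []
    for plaintext in messages:
        chain_key, message_key = ratchet(chain_key)  # the old chain key is overwritten
        ciphertexts.append(keystream_xor(message_key, plaintext))
    return ciphertexts, chain_key


def attacker_decrypt(stolen_chain_key, ciphertexts, steps=16):
    """Try every key derivable forward from the stolen state against recorded traffic."""
    keys, chain_key = [], stolen_chain_key
    for _ in range(steps):
        chain_key, message_key = ratchet(chain_key)
        keys.append(message_key)
    candidates = (keystream_xor(k, ct) for ct in ciphertexts for k in keys)
    return [pt for pt in candidates if pt.startswith(b"msg:")]


def demo():
    root = hashlib.sha256(b"constructed shared secret").digest()  # constructed sample value
    past, stolen = send_all(root, [b"msg: meet at 9", b"msg: bring the files"])
    future, _ = send_all(stolen, [b"msg: sent after the theft"])
    return attacker_decrypt(stolen, past + future)


if __name__ == "__main__":
    print(demo())  # only the message sent after the key theft is recovered
```

The later message is readable because this sketch only ratchets symmetrically; Signal's protocol also mixes fresh Diffie-Hellman exchanges into the chain so that a stolen key stops being useful for new traffic as well.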
Are Our Messages Completely Safe With Private Messaging Apps?
Modern encryption techniques have undergone rigorous testing and have been found to be completely secure. Even if they can still be cracked, doing so requires powerful computational tools and might take a very long time. Quantum computers, if developed enough, will be capable of breaking most of today’s encryption.
Attackers frequently go after endpoints and their weaknesses instead. This is far simpler than cryptanalysis, which is the procedure used to attack cryptographic security systems.
For example, hackers exploited a flaw in WhatsApp’s image filter capabilities last year. This vulnerability was triggered when a user opened an attachment that contained an image file that had been specially created to be malicious. There have been reports of both significant and minor vulnerabilities affecting WhatsApp clients operating on iOS and Android.
Dr Shaghaghi says when you back up your messages on some of the messaging platforms, your messages are pushed to the cloud. This means that all your messages are now stored on someone else’s computer.
“The service provider’s implementation of end-to-end encryption plays a significant role in the security and privacy of a messaging app against the provider and attackers,” he says.
“WhatsApp used to keep a backup of the messages in an unencrypted format over iCloud for Apple users and Google Drive for those who used WhatsApp in Android. Even though WhatsApp adopted an end-to-end encryption model in 2016, unencrypted backups were vulnerable to government requests, third-party hacking, and disclosure by Apple or Google employees.”
In 2021, WhatsApp rolled out an option for users to enable end-to-end encryption of their backups. While this was welcomed as a positive step forward, it should be the default for all users – not offered as an option, says Dr Shaghaghi.
“Users concerned about the security and privacy of their data must make sure to enable the end-to-end encryption backup for WhatsApp and other messaging platforms.”
What about Signal and Telegram?
Telegram, unlike WhatsApp and Signal, does not enable end-to-end encryption by default. Telegram uses the MTProto protocol, an open-source protocol custom-developed by the messaging provider, only when the ‘secure chat’ capability is activated.
“As far as we know, Signal, Telegram and WhatsApp are secure in providing end-to-end encryption, if the option is enabled,” says Dr Shaghaghi.
“However, Signal is built with privacy and security as the primary motivation. Signal’s endpoint source code is also available to the public – this allows anyone to inspect the code and identify vulnerabilities.
“I believe the consensus is that Signal is a more secure and privacy-friendly messaging solution when compared to WhatsApp, Telegram, or Facebook Messenger.”
With so many messaging platforms available on the market, Dr Shaghaghi says there are some simple steps to take to help safeguard a user’s privacy.
“Messaging platforms contain a lot of private information so it’s worth ensuring that the platform we use has a good reputation for ensuring the security and privacy of its users,” he says.
“It is also worth spending a few extra minutes to enable some of the more advanced security features these platforms provide, such as end-to-end backup encryption or multi-factor authentication.
“And whichever platform you decide to use, it’s best practice to ensure we use the latest version of the apps and avoid downloading apps from third-party stores.”
Moderating Content Exchanged Over End-to-end Encrypted Messaging Platforms
Different government agencies have made strong appeals for these apps to have backdoors that would allow authorities to obtain information when necessary.
Recent FBI disclosures revealed that, even with a subpoena, powerful government bodies have limited access to messages transmitted through applications that utilize end-to-end encryption.
Numerous people worry that this approach is the first step away from the encrypted communications standards on which they rely to safeguard the security and privacy of their data.
This matter has sparked heated debate both in Australia and overseas.
“From a security engineering perspective, implementing a backdoor is never a good idea”, says Dr Shaghaghi.
“There is no guarantee that malicious hackers do not find out about these backdoors too and exploit them. However, those in favour of a solution allowing access for law enforcement agencies argue that they need access given the increasing usage of these platforms by criminals.”
Some messaging providers and tech companies have responded by making changes to the functionality of the platform.
“To meet regulatory requirements, WhatsApp now allows users to flag a message to be reviewed by their moderators. This needs to be initiated by a user and when a message is flagged, the few messages before it are also forwarded to WhatsApp moderators,” says Dr Shaghaghi.
“Apple has promoted encrypted messaging across its ecosystem and has fought off law enforcement agencies looking for records.
“In 2021, they announced child safety features that include detecting sexually explicit pictures over iMessage, another platform using end-to-end encryption. To implement this feature, Apple plans to implement the detection on the device and not through an encryption backdoor.
“I think we can balance the need for moderating criminal content and security and privacy requirements by breaking down the problem into more specific use-cases and developing innovative solutions.”