The majority of cybersecurity experts claim that the most popular global messengers are not secure at all and many users agree. Nonetheless, we still entrust our conversations to highly vulnerable apps mostly because we do not see any other option. Yet there is an alternative to the messengers we use day-to-day. Data privacy is the most important aspect in any IT solution nowadays. Then again, most of the current messengers often fail to provide it. With this in mind, let us look more into the subject.
Least secure messengers: behold and beware
According to the 2015 survey by Kaspersky Lab, 62% of respondents do not trust messengers and 60% of the surveyed users admitted avoiding any kinds of live video chats. Nonetheless, 37% of consumers continue to use messengers. This means that messaging apps are the most popular platform among all the others.
In 2014, EFF (Electronic Frontier Foundation) released a Secure Messaging Scorecard that evaluated messengers on several criteria. The least secure messaging apps, according to the scorecard are, Skype, AIM and Blackberry Messenger – they got only one checkmark out of seven possible. Viber, Google Hangouts, Facebook Messenger and Snapchat received two checks. Telegram (five checkmarks) and Apple iMessage (four checkmarks) took first and second place, respectively. Unfortunately, none of the evaluated apps managed to score 7/7. Four years later, Appthority reported on the riskiest apps to use. Their top two were WhatsApp and Facebook Messenger.
Despite the surveys' results, the tech industry is on the constant move. For instance, WhatsApp is considered to use end-to-end encryption and this is a big deal. To give an illustration, ICQ stored the information in .txt so there was no chance to keep it safe. However, even today there are reasons to question the popular messengers’ data security.
The good encryption, bad encryption routine
It is not news that several up-to-date messengers are based on E2EE or end-to-end encryption. Keeping things private is the latest trend and if we look closer to these apps, we will see E2EE mentioned among other features. This kind of encryption secures all the messages in a way only the communicating users can read them. No third parties are able to decipher the stored data. Moreover, even if the database is hacked, the conversations remain secured. Simply said, E2EE prevents eavesdropping. However, we cannot be 100% sure that E2EE is fully employed. With this in mind, let us look more into the matter. A Russian monthly periodical ‘Hacker’ published an article speculating on E2EE usage in messaging apps. Here are some key points made by ‘Hacker’:
- Signal is the only app fully based on E2EE, which makes it the gold standard of encrypted messaging
- WhatsApp’s security codes used in E2EE might change at times (Security Notifications must be turned on manually)
- Viber users need to turn on E2EE manually (the encryption is off by default)
- Telegram provides its users with E2EE in ‘secret chats’ only and the feature should be turned on manually
Telegram stores all undelivered messages, so the communication goes through client-server and then inter-server, which makes the data vulnerable to MITM or ‘man in the middle’ attacks.
To sum it up, it is reasonable to assume that E2EE is not what it seems in most of the popular messengers.
Group chats: a weak link in data security
IEEE (Institute of Electrical and Electronics Engineers) initiated the 3rd EuroS&P (European Symposium on Security and Privacy) in 2018. During that forum, the committee discussed the group chats’ privacy and its mechanisms. They later issued an article on E2EE implementation in the popular messengers' group chats such as Signal, WhatsApp and Threema. The main point of the article is that none of these messengers use E2EE to secure the group chats. Moreover, there is no such a protocol to make it possible. That is to say, a secure encryption for this kind of message exchange is still out there.
Privacy mode off
Unfortunately, no solid encryption protocol can guarantee 100% security. Any known messenger exists within the real world and cannot be fully protected. Even Signal can be hacked putting our privacy in danger. ‘Hacker’ issued an article on how any device may endanger our conversations. With this in mind, let us look closer at the main key points of the article:
- Supporting apps running both on smartphones and computers request various permissions excessively and sometimes contain Trojan, however, many users continue to trust their devices’ operating system
- SS7 network has some serious flaws, which allow cybercriminals to get hold of smartphones using an OTP (one-time passcode)
- Push notifications put the messengers at risk of MITM likewise, iMessage sends an encryption key to a server in order to enable push notifications
In other words, even a simple SMS can ruin our private life, so watch out for those OTPs.
To back up, or not to back up, that is the question
The recipient’s personal information is often more compromising rather than the conversations’ content. In the meantime, the messaging apps store metadata on their servers unsecured. Cybercriminals can easily learn names and other personal details using metadata, not to mention IPs.
What’s more, WhatsApp, Viber and other messengers backup our conversations both internal and cloud into an archive. Likewise, Telegram was forced to add this feature. All personal info such as pictures, videos, messages, contact lists, and geolocations can be downloaded due to an SMS interception for instance.
More weak links to enjoy
Not a day goes by that people discover new flaws in their messengers. To give an illustration, WhatsApp has a rather serious exploit that allows intercepting and changing any message. The flaw was discovered in August 2018 and has not been fixed yet. The same month a Habr user revealed that any ‘secret chat’ in Telegram was more hackable than any developer could admit. Honestly speaking, there are hardly any developers willing to fix these bugs. Nobody wants to waste their time and why would they? After all, the app functions and profits. However, many enthusiastic users are eager to discover and fix these flaws and even cooperate with the developers. On the other hand, no one can just ask for a code and get it to do whatever they want. Mostly because of a fraud possibility.
Many free messengers profit of advertising. There is hardly anyone unaware of ‘targeted ads’ and the way they function. Many apps collect their users' information and store it in the form of a personal account. Such data include hobbies, interests, friend lists and frequently used word structures. The advertisers use this information to generate an individual offer. Incidentally, Google has more than 2 million advertising partners.
Everyone hates ads, but it is only part of the trouble. Technically, we are being followed and without our consent. We are too busy to read ‘terms and conditions’ every time we download an app, so we just push ‘I accept’ button and by doing so we give up our personal data. To give an illustration, Google Voice stores not only our call history and phone numbers but also keeps voicemail and SMS messages. Not to mention other curious details of the Privacy & Terms section.
In other words, there is no such thing as a free lunch. Additionally, there is a series of articles considering rather intricate parts of popular user agreements.
Get private or get out
Yes, many developers take advantage of their customers' personal information. It has never been easy to find a solid IT solution for data privacy. So in order to make a convenient app, the developers have to make sacrifices.
Yet Telegram is best known for its successful PR-campaign ‘Taking back our right to privacy’. Nonetheless, all the mentioned above facts suggest quite the opposite. GQ interviewed Anton Rosenberg, ex-special areas director of LLC ‘Telegraph’, who had previously published a post on Medium about the conflict with Pavel and Nikolai Durov. Anton claimed that Telegram security was fraud and Pavel Durov, who had initially launched Telegram as the quickest messaging app, decided to kill two birds with one stone by also declaring Telegram ‘the most secure messenger’.
Indeed, let us look more into the subject. Telegram does not use E2EE by default. In 2018, Telegram deleted dozens of accounts due to Terms & Conditions violation, including extremism and plagiarism. Now, how could the Telegram team do that if they claim that nobody (even them) can read the conversations? Furthermore, the Telegram team says that DH (Diffie-Hellman key exchange) highly secures the users’ messages from interception. However, it is well known that DH is extremely vulnerable to MITM.
In addition, the Telegram team claims that their messenger is open and anyone can check their source code. Nonetheless, the source code is partly closed. To sum it up, the experts admit that it takes time for a repository to update. This means the repository will have been long outdated by the time a user gets to see it.
Above all, it is crucial to remember that the Telegram team welcomes anyone to try to hack their messenger. They even hold the Cracking Contest. The problem with this contest is that the simulated conditions provide a participant with only one encrypted message. However, there are far more ways to make a successful attack on the messenger. Over the years, there have been numerous reports on the matter. For instance, not only did hackers manage to download message archives but they also cracked a ‘secret chat’.
Blockchain: alive and kicking
The prospects may seem dark, but there is a way to make a solid messenger despite this. That is to say, blockchain – a database that is shared across a network of computers.
Once a record enters the chain, a cybercriminal will not get access to it. Let us say an intruder cracks the central server or your device. In this case, they will see nothing but an encrypted gibberish as encryption keys are never sent over the network. Above all, no up-to-date IT solution is capable of deciphering this kind of record. To that end, there is a messenger based on blockchain – ADAMANT. It was launched in 2017 and is now fully available.
What’s more, ADAMANT does not require any personal info, emails or phone numbers. It takes literally a second to create a profile or several if needed. To that end, an ADAMANT user can easily switch their accounts and use them via one device. Furthermore, chat history is safely stored in a decentralized system, which cannot be hacked or blocked within a particular country.
Apart from anonymity and data security, ADAMANT suggests other privacy control features listed in an article on Medium. Briefly, the messenger gives a user an identification code that can be used for both an e-wallet and nickname. In order to sign in, the user has to use a passphrase. Moreover, ADAMANT carefully covers the user’s IP. It is hidden for interlocutors. The repositories are open and available on GitHub. Finally, E2EE is turned on by default.
ADAMANT makes crypto transfers possible and safe. Such cryptocurrencies as ADM, ETH are already supported, as well as BNB. To that end, it is not just a messaging app but also a platform. The platform provides its users with a two-factor authentication, which is much safer and cheaper than SMS. The developers have come a long way. Firstly, they improved dPoS system and introduced a new approach – Fair dPoS. Secondly, the developers carried out an internal audit to make sure their cybersecurity operates to their expectations. Thirdly, ADAMANT initiated a Security Contest. The contest offers a reward of total 40 ETH. Try the platform via PWA or other app stores such as App Store on iOS. In a fraction of a second, you will get an account, welcome tokens and an exceptional blockchain-based chat.
Smile, you are being watched
Let us be honest, if any parties want to get hold of specific information, they will do it one way or another. Then again, in order to pursue such goals, social computing is more frequently used than any known IT solution.
Nonetheless, even if you do not have any valuable data stored in your device (or nobody knows you do), you are being watched. A government can collect your personal information. To give an illustration, NSA has been following and tracking down bitcoin users for many years now. The majority of the popular global messengers cooperate with the government for many reasons and, frankly speaking, we will hardly ever discover what exactly they are looking for. There is no such thing as a secure messenger. Yet if you care to use an open messenger that does not require an SMS identification as well as push notifications, collect your personal information and store it elsewhere for possible profit – you are on the right way to a better, more secure future.