
Research: almost all instant messengers you use are safe


One messenger, predominantly used in China, has leaked more than 130,000 highly explicit images, videos and audio recordings of its users. That messaging service, however, was associated with a company that offered a supposedly "private social network" and therefore had a small user base.

In a new study, the team at CyberNews evaluated the security features of large messaging applications. We have translated it and invite you to take a look.

We have good news for users of the most popular messengers: 11 out of 13 apps, all except Telegram and Facebook Messenger, have security features enabled by default. This looks promising and the messenger industry is clearly heading in the right direction.

The researchers also found that most applications use RSA and AES encryption and key hashing, which are the most secure and efficient encryption methods available today.

In general, encryption is needed not only to protect "private" messages. Such secure messengers allow activists from all over the world to fight injustice and authoritarian rule without fear of being persecuted, as in the anti-Lukashenko protests in Belarus.

Objects of analysis

To conduct the analysis, the researchers looked at various aspects of 13 popular secure messaging apps:

  • Signal
  • Wickr Me
  • Messenger
  • WhatsApp
  • Telegram
  • Wire
  • Viber
  • Cyber Dust
  • iMessage
  • Private
  • Qtox
  • Session
  • Briar

Key Findings

The analysis included the communication protocols used and encryption standards of various applications, key exchange principles and cryptographic primitives.

  • 2 applications do not use security features by default; the user needs to activate them in the settings
  • 4 apps use industry-standard Signal encryption
  • only 2 apps use P2P protocol for data exchange
  • iMessage does not encrypt messages if they are sent over GSM (using 2G and 3G networks)
  • 3 out of 13 apps have a subscription that allows you to use advanced features
  • most applications use RSA and AES, some of the most secure encryption algorithms available today, for encrypting and hashing keys

How secure messengers work

While the focus is on the most popular messaging apps such as Signal, Messenger, Viber, Telegram, and WhatsApp, the researchers expanded the analysis to include other messaging apps to provide comprehensive insights into the industry itself. We will also talk about Session, Briar, Wickr Me, Wire and Cyber Dust.

What was found is mostly encouraging: all but two of the apps provided security by default, and Telegram and Messenger could easily be secured by changing user settings.

Four applications – Signal, Messenger, WhatsApp, and Session – used the Signal protocol for end-to-end encryption. With end-to-end encryption, only the sender and recipient can view messages, while without end-to-end encryption, the messaging application server that sits between the sender and recipient can read the messages. The Signal protocol has become the industry standard for secure messaging, voice and video communications.
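The difference described above, as an added example (not from the CyberNews study or any of the reviewed apps): a relay server that stores whatever it forwards, first receiving a message in readable form and then the same message sealed with a key only the two endpoints derive. It assumes the third-party Python `cryptography` package; the names `Relay`, `session_key`, `seal` and `open_sealed` are hypothetical, and the single X25519 exchange is a simplification, not the Signal protocol.

```python
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF


class Relay:
    """The messaging server: keeps a copy of every blob it forwards."""
    def __init__(self):
        self.stored = []  # everything the operator could read later

    def forward(self, blob: bytes) -> bytes:
        self.stored.append(blob)
        return blob


def session_key(own_private, peer_public) -> bytes:
    """Both endpoints derive the same AES-256 key; the relay never holds it."""
    shared = own_private.exchange(peer_public)
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=b"demo-e2e-chat").derive(shared)


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)  # must be unique per message under one key
    return nonce + AESGCM(key).encrypt(nonce, plaintext, None)


def open_sealed(key: bytes, blob: bytes) -> bytes:
    # Raises InvalidTag if the relay (or anyone else) altered the blob.
    return AESGCM(key).decrypt(blob[:12], blob[12:], None)


def demo():
    relay = Relay()
    message = b"meet at 18:00"  # constructed sample message

    # Without E2E: the server receives the message in readable form.
    relay.forward(message)

    # With E2E: only public keys are exchanged; the relay sees ciphertext.
    # Assumption: public keys are authentic. A relay that swaps them can
    # still intercept, which is why apps let users compare key fingerprints.
    alice, bob = X25519PrivateKey.generate(), X25519PrivateKey.generate()
    blob = relay.forward(seal(session_key(alice, bob.public_key()), message))
    received = open_sealed(session_key(bob, alice.public_key()), blob)
    return relay.stored, received
```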

An interesting aspect in the case of the iMessage app, which is used on Apple devices, is that it only encrypts data when it is sent over HTTPS. When sending via GSM (2G and 3G), the data is not encrypted.

Only two applications, Briar and Qtox, use the P2P protocol to transfer data over a peer-to-peer network. P2P allows you to transfer data directly from user to user without using the server as an intermediary. While Briar offers other transfer protocols, Qtox uses only its own P2P protocol, TOX. Because these apps have no access to user data, they do not have a privacy policy.

All reviewed messengers are free or have a free version; only Wire requires a paid subscription. The reason is that it is made for corporate needs, like Slack or Microsoft Teams, only with support for end-to-end encryption.

In general, the researchers concluded that you can communicate securely using these messengers, just remember that for Facebook Messenger or Telegram, you need to enable security features in the settings of the application or a separate chat.

This is necessary not only for security, but also to maintain privacy, because then even the Facebook and Telegram servers will not be able to view your messages.

What is meant by security in messengers, and what do they not provide security for?

It is important to understand that there are some limitations when we talk about security in messengers. In the long run, it depends on how exactly you are going to use them.

For normal use, it is important that your messenger encrypts data, preferably by default. But beyond that, there are users who want as much security as possible, which means complete, or almost complete, anonymity, so that no one but them can view messages, track their exchange, or even know their names. Measured against that, most of these services fail, if only because the applications are not perfect, just like the people who write them. An app can use all of the strongest security features, but no app is immune to a bug.

One of the clearest examples of this is WhatsApp, which has had vulnerabilities for many years. For example, Israeli spyware could be installed simply by calling the victim via WhatsApp. Facebook Messenger also had vulnerabilities that allowed hackers to secretly listen in on your conversations without much effort.

Even Signal, which is recommended by cybersecurity professionals, fell victim to a sophisticated hack that allowed attackers to eavesdrop on you with a kind of ghost call: they made a call and immediately pressed the mute button. The call was not visible, but they could have eavesdropped on your surroundings.

And these are just cases where hackers use vulnerabilities to attack individuals. Over the years, government and law enforcement agencies have used various methods to spy on entire groups of people. In Hong Kong, the Chinese government reportedly used a Telegram bug to obtain users’ phone numbers. German researchers also found that WhatsApp, Signal, and Telegram exposed users’ personal data through contacts.

None of these applications offer absolute security and never will, as a person or group of people with enough time and resources will always find a workaround. Even if the application were completely safe on its own, it could not fix your own mistakes.

As the Telegram FAQ puts it well:

“We can’t protect you from your own mother if she takes your unlocked phone without a password. Or from your IT department if they have access to your computer at work. Or from any other people who get physical or root access to your phones or computers that have Telegram installed.”

If you act insecurely, no secure messaging app can save you.

Results table

In the image below, you will find all the details about the 13 messaging apps we reviewed in this article.


According to CyberNews.
