How secure are today’s private messaging apps? CEO Jason Volmut compares popular messaging apps and offers tips for evaluating messaging app security.
In recent years, tons of options for sending private messages have sprung up, such as WhatsApp, Telegram, and Signal. But if you care about security, one should immediately be concerned about the privacy of your conversations: Who has access to them, and what are they doing with that information?
If you are involved with sensitive long distance conversations involving business or finances, you may need to rely on digital messaging technology to convey confidential information. In this situation, you need to make sure you are using secure and reliable technology. But how do you know which options are really secure?
To help you answer that question, we’ve put together this brief guide which will teach you five key principles for evaluating private messaging app security. Then we’ll give our take on three of the top messaging apps, Facebook Messenger, WhatsApp, and Signal, and see how well they measure up based on our key principles.
Key Security Principles for Private Messaging Apps
If you need to engage in regular communications on an ongoing basis, you can use a secure private messaging app. However, you need to be careful when choosing a messaging app, because it turns out that many private messaging apps are not actually very secure. When you evaluate private messaging apps, you should look at four areas: End-to-end Encryption, code built on open source, message self-destruction, and the user data policies.
End-to-End Encryption
Encryption is the process of encoding messages so that they look like random data, unless you have a special “cryptographic key” that can be used to decipher the message. When you send a message over the internet, it passes through your Internet Service Provider, is routed through computers in the global internet, then passes through the Internet Service Provider on the receiver’s end. End-to-end encryption means that only the receiver of your message has the private key to decode it. If someone intercepts an encrypted message while it is traveling through the internet, it looks like meaningless nonsense.
Open Source Code
Software built on open-source code can be audited by security experts, which reduces the chance that the software will suffer from flaws that make it vulnerable to hackers.
Message Self-Destruction
Messages should be automatically deleted from the servers after an expiration period, and the information should be deleted from backup servers as well.
User Data Policies
Even if your data is transmitted using end-to-end encryption, messaging apps sometimes collect and sell the information known as user metadata, which can include phone numbers, IP addresses, message recipients, and number of messages exchanged or amount of time spent in conversation. Thus, in order to ensure full privacy, it is essential to use an app that does not collect and share your metadata.
Security History
You should also take a look at the companies behind various technology solutions. Ask yourself: Does this company have a good track record when it comes to security and privacy? Is this an organization I can trust to keep my confidential information safe?
Problem Apps: Facebook and WhatsApp
End-to-End Encryption
Facebook offers some End-to-End Encryption from their messenger app, but it is not fully implemented and cannot be relied on. WhatsApp is better on encryption than Facebook, but it appears that messages are not actually completely private as the internal “flagging” system appears to offer a workaround. Also, WhatsApp users have the option to back up data using Google Drive, but those backups are not encrypted. Finally, WhatsApp does not encrypt sensitive metadata, which it shares with its owner Meta (formerly Facebook).
Open Source Code
WhatsApp and Facebook both use closed-source code bases which have not been audited and verified by industry security experts, although WhatsApp does implement the open source Signal Protocol for encryption.
Message Self-Destruction
In recent years, WhatsApp has added a self-destruct option to their app, although it is not enabled by default. Facebook also now offers some options for self-destructing messages, but like encryption, it’s not a default feature and it’s not accessible from a browser.
User Data Policies
Unfortunately, Meta has a long history of harvesting and selling as much user metadata as possible, and as the owner of both Facebook Messenger and WhatsApp, users cannot rely on the company to protect their data in any way.
Security History
Security History is another area where both WhatsApp and Facebook have poor track records. In the case of WhatsApp, in the last year hackers claimed to have obtained information including phone numbers related to around 500 million accounts. In the case of Facebook, there have been several security incidents in the last few years, where user data, login credentials, or both were compromised.
A Better Choice: Signal Messaging App
Currently, our top choice for communicating securely is Signal messaging app.
End-to-End Encryption
Signal implements the open-source Signal Protocol for encryption, and from the very beginning, it was based on the idea of fully implementing end-to-end encryption, so that the messages you send are always private and secure.
Open Source Code
Signal runs on open source code, and is developed by the nonprofit Signal Foundation, whose stated mission is to “[Develop] open source privacy technology that protects free expression and enables secure global communication.”
Message Self-Destruction
Signal offers robust message self-destruction features: under the “disappearing messages” feature, you can set a self-destruct timer that begins either when a message is sent, or when it is received and read.
User Data Policies
Signal has a very strong privacy policy, and they do not collect user metadata such as IP addresses. According to its website, “Signal is designed to never collect or store any sensitive information. Signal messages and calls cannot be accessed by us or other third parties because they are always end-to-end encrypted, private, and secure.”
Security History
To date, Signal has not suffered from the kinds of massive breaches that have plagued companies like Facebook. The only incident our research turned up actually involved a breach of 1900 accounts on another app, Twilio, and it appears that Signal responded appropriately to the situation by notifying the users who were impacted of the steps they should take to maintain account security.
So, there you have it. At the moment, it appears that Signal is one of the best choices out there for secure messaging. But things change, or you may prefer one of the lesser known options out there. Either way, stick to apps that implement the key security principles we’ve outlined, and you can feel confident that you have selected a good solution.
Your privacy online matters, whether you’re an individual, a nonprofit, or a government entity. Contact us to schedule a cybersecurity assessment.