Cybersecurity 101: How To Choose and Use An Encrypted Messaging App

    Christy McNee
    cybersecurity 101 vol 5

    Text messaging has been around since the dawn of cellular technology, and sparked its own unique language. But it’s time to put sending regular SMS messages out to pasture.

    If you have an iPhone, you’re already on your way. iPhones (as well as iPads and Macs) use iMessage to send messages between Apple devices. It’s a data-based messaging system reliant on 3G, 4G, and Wi-Fi, rather than SMS messaging, which uses an old, outdated but universal 2G cellular network. iMessage has grown in popularity, but has left Android devices and other computers out in the dark.

    That’s where other messaging services have filled a gap in the market.

    Apps like Signal, WhatsApp,  Wire and Wickr are also data-based and work across platforms. Best of all, they’re end-to-end encrypted, which means sent messages are scrambled on one end of the conversation — the device — and unscrambled at the other end on the recipient’s device. This makes it near-impossible for anyone — even the app maker — to see what’s being said.

    Many popular apps, like Instagram, Skype, Slack and Snapchat don’t offer end-to-end encryption at all. Facebook Messenger has the option to use “secret” end-to-end encrypted messaging, but isn’t enabled by default.

    Here’s what you need to know.

    Why hate on SMS messaging?

    SMS, or short messaging service, is more than three decades old. It’s generally reliable, but it’s outdated, archaic and expensive. There are also several reasons why SMS messaging is insecure.

    SMS messages aren’t encrypted, meaning the contents of each text message are viewable to mobile carriers and governments, and can even be intercepted by organized and semi-skilled hackers. That means even if you’re using SMS to secure your online accounts using two-factor authentication, your codes can be stolen. Just as bad, SMS messages leak metadata, which is information about the message but not the contents of the message itself, such as the phone number of the sender and the recipient, which can identify the people involved in the conversation.

    SMS messages can also be spoofed, meaning you can never be completely sure that a SMS message came from a particular person.

    And a recent ruling by the Federal Communications Commission now gives cell carriers greater powers to block SMS messages. The FCC said it will cut down on SMS spam, but many worry that it could be used to stifle free speech.

    In all of these cases, the answer is an encrypted messaging app.

    What are the best encrypted messaging apps?

    The simple answer is Signal, an open source, end-to-end encrypted messaging app seen as the gold standard of secure consumer messaging services.

    Signal supports and encrypts all of your messages, calls and video chats with other Signal users. Some of the world’s smartest security professionals and cryptography experts have looked at and verified its code, and trust its security. The app uses your cell phone number as its point of contact — which some have criticized, but it’s easy to set the app up with a dedicated phone number without losing your own cell number. Other than your phone number, the app is built from the ground up to collect as little metadata as possible.

    A recent government demand for Signal’s data showed that the app maker has almost nothing to turn over. Not only are your messages encrypted, each person in the conversation can set messages to expire — so that even if a device is compromised, the messages can be set to already disappear. You can also add a separate lock screen on the app for additional security. And the app keeps getting stronger and stronger. Recently, Signal rolled out a new feature that masks the phone number of a message sender, making it better for sender anonymity.

    But actually, there is a far more nuanced answer than “just Signal.”

    Everyone has different needs, wants and requirements. Depending on who you are, what your job is, and who you talk to will determine which encrypted messaging app is best for you.

    Signal may be the favorite app for high-risk jobs — like journalism, activism, and government workers. Many will find that WhatsApp, for example, is good enough for the vast majority who just want to talk to their friends and family without worrying about someone reading their messages.

    You may have heard some misinformed things about WhatsApp in recent years, sparked largely by incorrect and misleading reporting that claimed there was a “backdoor” to allow third parties to read messages. Those claims were unsubstantiated. WhatsApp does collect some data on its 1.5 billion users, like metadata about who is contacting whom, and when. That data can be turned over to police if they request it with a valid legal order. But messages cannot be read as they are end-to-end encrypted. WhatsApp can’t turn over those messages even if it wanted to.

    Although many don’t realize that WhatsApp is owned by Facebook, which has faced a slew of security and privacy scandals in the past year, Facebook has said it’s committed to keeping WhatsApp messages end-to-end-encrypted by default. That said, it’s feasibly possible that Facebook could change its mind in the future, security researchers have said. It’s right to remain cautious, but WhatsApp is still better to use for sending encrypted messages than not at all.

    The best advice is to never write and send something on even an end-to-end encrypted messaging app that you wouldn’t want to appear in a courtroom — just in case!

    Wire is also enjoyed by many who trust the open-source cross-platform app for sharing group chats and calls. The app doesn’t require a phone number, instead opting for usernames, which many who want greater anonymity find more appealing than alternative apps. Wire also backed up its end-to-end encryption claims by asking researchers to conduct an external audit of its cryptography, but users should be aware that a trade-off for using the app on other devices means that the app keeps a record of everyone you’ve ever contacted in plain text.

    iMessage is also end-to-end encrypted and are used by millions of people around the world who likely don’t even realize their messages are encrypted.

    Other apps should be treated with care or avoided altogether.

    Apps like Telegram have been criticized by experts for its error-prone cryptography, which has been described as “being like being stabbed in the eye with a fork.” And researchers have found that apps like Confide, once a favorite among White House staffers, don’t properly scramble messages, making it easy for the app’s makers to secretly eavesdrop on someone’s conversation.

    How to verify someone’s identity

    A core question in end-to-end encrypted messaging is: how do I know a person is who they say they are?

    Every end-to-end encrypted messaging app handles a user’s identity differently. Signal calls it a “safety number” and WhatsApp calls it a “security code.” Across the board, it’s what we call “key verification.”

    Every user has their own unique “fingerprint” that’s associated with their username, phone number or their device. It’s usually a string of letters and numbers. The easiest way to verify someone’s fingerprint is to do it in person. It’s simple: you both get your phones out, open up a conversation on your encrypted messaging app of choice, and you make sure that the fingerprints on the two sets of devices are exactly the same. You usually then hit a “verify” button — and that’s it.

    Verifying a contact’s fingerprint remotely or over the internet is tricker. Often it requires sharing your fingerprint (or a screenshot) over another channel — such as a Twitter message, on Facebook, or email — and making sure they match. (The Intercept’s Micah Lee has a simple walk-through of how to verify an identity.)

    Once you verify someone’s identity, they won’t need to be reverified.

    If your app warns you that a recipient’s fingerprint has changed, it could be an innocuous reason — they may have a new phone number, or sent a message from a new device. But that could also mean that someone is trying to impersonate the other person in your conversation. You would be right to be cautious, and try to reverify their identity again.

    Some apps don’t bother to verify a user’s identity at all. For example, there’s no way to know that someone isn’t secretly snooping on your iMessage conversations because Apple doesn’t notify you if someone is secretly monitoring your conversation or hasn’t somehow replaced a message recipient with another person.

    There are some other tips you should know:

    Encrypted message backups are usually not encrypted in the cloud:A very important point here — often, your encrypted messages are not encrypted when they are backed up to the cloud. That means the government can demand that your cloud provider — like Apple or Google — to retrieve and turn over your encrypted messages from its servers. You should not back up your messages to the cloud if this is a concern.

    Beware of desktop apps: One of the benefits to many encrypted messaging apps is that they’re available on a multitude of platforms, devices and operating systems. Many also offer desktop versions for responding faster. But over the past few years, most of the major vulnerabilities have been in the buggy desktop software. Make sure you’re on top of app updates. If an update requires you to restart the app or your computer, you should do it straight away.

    Set your messages to expire: Encryption isn’t magic; it requires awareness and consideration. End-to-end encrypted messaging won’t save you if your phone is compromised or stolen and its contents can be accessed. You should strongly consider setting an expiry timer on your conversations to ensure that older messages will be deleted and disappear.

    Keep your apps updated: One of the best ways to make sure you stay secure (and get new features!) is to make sure that your desktop and mobile apps are kept up-to-date. Security bugs are found often, but you may not always hear about them. Keep your apps updated is the best way to make sure you’re getting those security fixes as soon as possible, lowering your risk that your messages could be intercepted or stolen.

    source:  TechCrunch