Today we have a large number of messaging apps like WhatsApp, Signal, Telegram, Facebook Messenger (and Messenger Lite), Skype, Snapchat, Viber Messenger, iMessage, Band, Discord, Kik, Slack, Wickr Me, Dust, etc; and the list is growing by the day. In the recent past, we have also witnessed the proliferation of customised and proprietary messaging apps mushrooming on the web. The Indian Army has also announced the release of an app “Secure Application for the Internet (SAI)” for its users.
Users do question as to which among the available messaging app, is most secure or that which cannot be snooped. The users of these apps seem to be fascinated by the tagline “End-to-end encryption (E2EE)”. Does this imply that the message being exchanged by the users cannot be eavesdropped upon, or cannot be seen by a third-party/agencies (including the company itself and the government agencies).
What is Privacy?
For this we consider the dichotomy between “public” and “private”. What is not “Public” is what is “Private”. The concept of being a Private communication is also a social convention, but privacy isn’t a state of a particular set of data. It’s a practice and a process, an idealised state of being. It is hence obvious that “Privacy” is negotiable. What is Private to one can be Public to Some.
What is End-to-End Encryption (E2EE)?
End-to-end encryption (E2EE) is a method of secure communication that prevents third-parties from accessing data while it’s transferred from one end system or device to another. In E2EE, the data is encrypted on the sender’s system or device and only the recipient is able to decrypt it. This is performed by using the public key encryption methodology.
The Myth that E2EE is completely secure is a matter of perception. It is to be understood that E2EE is not enabled by default, also we see that the sender has no control on the confidentiality once the message or data reaches the receiver. Further, it should also be understood that encryption is carried out only in specific circumstances. Also, is the data on any of the intermediate storage encrypted, is there vulnerability in the encryption algo or the exposure of the Keys.
Can we trust the Privacy and E2EE of the Messaging App in use?
The most important aspect that bothers a User of Messaging App, is the truthfulness and commitment that the service provider offers of what its publics. The other question that users ask; is about the limits of Zeroday Vulnerabilities that is inherent to the application and also the ability to plug the zeroday within the period of exposure with least or no damage. The question with regard to the robustness of the application, wherein no other third-party application when installed or intrude into the device does not easily snoop/intrude into the messaging app. Theft of Source Code is also a concern, and this inturn will lead to a massive breach of trust and loss of data and details to an attacker (this can be both State and Non-State actors).
Are encrypted messaging apps surveillance-proof?
It is a known fact that the service provider is bound by the laws of the state where the data is managed as also to the state where the consumer is situated. The mandated collection and storage of metadata of chats or exchange is a vital artefact that can be used to extract the chat and other related logs. This then is also kept to abide by Law Enforcement Agencies (LEA) requirements in many countries.
Some concerns beyond the control of Users
There are other concerns that is beyond the control of the users. No application is completely secure of is 100% hack-proof. Some of the privacy and security shortcomings in almost all the messaging apps of today that worry users are:
Encrypt by default or only support encryption
implementation of end-to-end encryption communication
Use of unencrypted cloud backups
The optional setting of end-to-end encryption
The storage of metadata
The binding factor of State Laws and the enforcement by LEAs
The truthfulness of reporting
Lack of transparency related to the app’s code that is not available in open source
Use of proprietary encryption algorithms
lacking security and privacy by design thereby leading to users being exposed to surveillance activities
Vulnerability that exist from unmatched hardware configuration
Vulnerabilities created by other third-party software that are co-located with the messaging app
So, what next?
There are many apps to choose from among the different messaging solutions. One of the decisive factors is the number of your common users is using the particular app. The trust one has on the service provider, etc.
Remember, encryption which is being offered is for the data in transit, as also if one has enabled the feature for the sender device; the data in the intermediate stages and the one at the receiver, is beyond one’s control. Also, be sure that E2EE is enabled by default and enable any feature that allows the app to store the backup in an encrypted way and doesn’t maintain any metadata on the device.
Another aspect that needs special attention is the fact that: both private and secure conversations is not just a matter of technology or coding or encryption; but is also a commitment by the service provider. Hence, we leave the decision of ‘Which App’ and ‘How Much One Can Trust”, to you the User and we at Cyber Secure India cannot sit in judgement at this juncture.