A security-conscious guide to messaging apps – part 1
By now, we’ve all assimilated the idea that we’re being watched. Big corporations that own the infrastructure blocks of the web 2.0 ecosystem, like Google and Facebook, are essentially data collection, analysis and sale businesses. They’re selling you to their advertisers.
Meanwhile, governments arrogate to themselves the right to peer over your shoulder while you read, watch videos, share information and talk with family and friends. They need to know what your cousin had for dinner, how you feel about your boyfriend and which potentially embarrassing medical conditions you’re panicking about having, in case you’re a terrorist.
(The fact that there’s no evidence mass surveillance even works is apparently no reason to stop doing it, and if it’s against the law and we get caught, why, we’ll just change the law; you weren’t planning on using that Fourth Amendment, were you?)
All of this means you need to start taking care of your own privacy, because the businesses that depend on your purchases for their revenues and the governments that depend on you for their legitimacy are not on your side. They’re the threat.
(They’re not the only ones: Plenty of common-or-garden criminals use surveillance and data theft to steal from people online and worse.)
“Encryption keeps you safe. Encryption protects your financial details and passwords when you bank online. It protects your cell phone conversations from eavesdroppers. If you encrypt your laptop, and I hope you do, it protects your data if your computer is stolen.” – Bruce Schneier, renowned security technologist, on the importance of strong encryption and security.
We know that Facebook spied on private Messenger messages, and we know that malware authors exploit the weak security of common messaging apps to steal people’s data from most of the apps that you, like me, probably already use.
The virus is capable of stealing information from the following applications:
- Skype
- Facebook Messenger
- Viber
- Telegram Messenger
- Line
- Tencent WeChat
- Walkie Talkie Messenger, etc.
So, if most of the commonly available messaging apps are leaky sieves or spyware in their own right, what should you be using?
1. Slack
With its ‘where work happens’ slogan, Slack isn’t trying to hide what it’s about: it’s a messaging app for businesses, for keeping teams in contact so they don’t have to rely on email or on Facebook groups to communicate.
And it works pretty well at that.
As Kunal Thakur observes:
Is it secure?
Not really.
It’s more secure than email, where all your messages are simply sent in plaintext across the internet; but Slack admins openly say in their policies that they can look at your conversations in certain circumstances.
Damian Bramanis explains:
However, Slack does have a feature called “Compliance exports” which is turned on for some teams on the Plus plan. This allows administrators to export not only public channel messages, but also messages in private channels. You can see if Compliance Exports are enabled for your team at my.slack.com/account/team
(If you use Slack but you’re an employee you should probably be aware that your managers can read your messages too.)
And the fact that it’s got a thriving third-party ecosystem of apps and bots means it’s certain to be attacked at some point, and vulnerabilities in the API have already been found. The ones we know about were fixed, but with 6 million users, mostly in bigger businesses, it’s a target.
Bottom line? Slack lacks basic security features like end to end encryption, though there are bots that will add encryption to your Slack.
Use it for business communications if you’re OK with that. Don’t trust that it’s secure. It’s not.
2. WhatsApp
WhatsApp billed itself as a free-forever, encrypted messaging app.
Maybe that was the original plan. But in February 2014, Facebook bought the company.
In 2016 the service started sharing some information with Facebook, essentially in a bid to make money from a service that doesn’t run ads or charge users. Once again, the invisible value – data – is the coin of choice.
WhatsApp execs, including those who moved to Facebook when the company was bought out, were also concerned that Facebook would weaken WhatsApp’s end-to-end encryption to make it easier for businesses to use the tool as a Slack-like team conference, file sharing and chat system.
What does this all mean for the user?
Facebook can match WhatsApp and Facebook user accounts (even though it told the EU it couldn’t, earning itself a $125m (£94m, €110m) fine). In 2016 WhatsApp’s default settings changed so that users’ IDs would be shared with Facebook. That information would be used to let businesses like your bank or airline talk to you on WhatsApp, though there are still no third-party banner ads.
‘Facebook,’ reported the Guardian at the time, ‘will also use that data to make friend suggestions and combine that data with the reams of information it has already collected so that it can tailor ads even more specifically to your interests.’
And in light of what we know about Mark Zuckerberg’s reluctance to tell any more of the truth than he has to, we’d be fools not to treat any data sharing that happens through Facebook as ‘the part we know about’ rather than ‘the whole picture.’
Bottom line: WhatsApp is a better choice than Slack for consumers and maybe for security-minded small businesses. It’s not as secure as it used to be, and it’s going to get less secure, not more secure, in the future. It does still offer end to end encryption, though, and a scandal concerning a potential exploit turned out to be overstated.
3. Discord
Slack’s for work; Discord’s for gamers. That’s the first big standout point. It’s built so you can call people in China ‘suxxors’ without hanging or glitching, and it’s been carefully designed not to be a CPU hog. A bunch of features come as standard, including a mobile app.
But is it secure?
Discord protects you from man-in-the-middle attacks by using a client-server protocol to keep your IP hidden and your communications safe – including images and previews, which are proxied through Discord servers.
2FA and alerts if you log in from a new IP address help make Discord more secure. But it doesn’t use end to end encryption, and because all messages go through Discord servers they’re stored and can theoretically be accessed by law enforcement. In theory, Discord staff don’t view your messages, but they could.
Software assessment site Slant.co says Discord ranks #2 for gaming team chat, while WhatsApp comes in at #16, and the main reason its respondents placed it where they did was:
Discord follows the same type of interface design popularised by Slack, which is extremely clean and attractive, and doesn’t clutter the interface with unnecessary chrome and cruft.
Writing on Medium, Philip Oung agrees: ‘Simply put,’ he says, ‘Discord combines the key features from other chat apps and optimizes performance for gaming.’
Bottom line: Discord is fairly new, and it’s the cool kid on the block. But it’s not optimized for security. It’s less secure than WhatsApp.
4. Signal
Signal is from privacy researcher and campaigner Moxie Marlinspike, and it shows. End to end encryption? Check. Open Source? Check. Audited for backdoors? Check.
Endorsed by Edward Snowden? Check.
The code for the tool is open source, and it’s constantly probed by independent security experts for backdoors and weaknesses. It’s free to use, with development costs covered by grants and donations. (More on this in a moment.)
Equally importantly, it’s available as an .apk file, meaning Android users can download and install it privately without going through the insecure Google Play or Apple App Store. Both those companies partner with the NSA and will modify applications on request and without telling the end user.
There’s no suggestion that Signal shares user data with third parties or any of the other common leaks. But the suggestion has been made by some that Signal might have a backdoor built in because it was created using a grant from the US government.
Specifically, Telegram founder Pavel Durov has suggested that there’s a backdoor lurking in Signal’s code.
Maybe. It’s certainly true that much of the privacy technology out there – including Tor and, yes, Signal – was developed for and by the spooky end of the military-industrial complex.
And Signal runs on Amazon Web Services – an NSA contractor – and while your messages might be invisible to Signal, you’re not. You still have to hand over your phone number and give the app unrestricted access to your address book.
Even with its flaws, though, Signal is still one of the best and most secure messaging apps out there.
Remember, encrypted messaging apps only encrypt your messaging. You need to protect yourself when you’re browsing too, and that means you need a VPN. Check out our guide to the best VPNs on the market!
Have a look at the second part of our three-part safe messaging app series: Encrypted Messenger.