There are many apps that claim to be secure, but are they secure enough?
There is a long list of private chat apps available right now. One of the sites we often reference compares several of those out there, though it leaves out a selection of choices, including SKY ECC. The options on offer are vast and can often be quite overwhelming as you try to sift through all the details and features of each app. But what is evident from a first look is that not every app is equal.
What you must consider when choosing between end-to-end encrypted communication solutions is how ease of use and security are balanced in the app. Finding the middle ground between these two aspects is key to every part of computer security. While it may be convenient for a messaging app to use email addresses and phone numbers to find friends and to allow for easier connection with contacts, doing so allows security to be dropped, opening up a hole in its defences. This has become a known issue for phone-number-based messaging products, with WhatsApp users being at risk.
If you take a look at what products are being offered in the messaging landscape, you can separate them out into several groups. There are the insecure, poorly protected apps, which you can obtain from most app stores. Next, you have the paid apps, also available to you through most app stores. And finally, the device-only apps. Secure messaging is a continuum of these groupings, and we will explain each group and its advantages and disadvantages.
There are many different degrees to how secure something is, and whilst technically yes, if something is not 100% secure it is insecure, there is a balance between convenience and security, and this is what lies in the middle of this continuum.
On the left are email and SMS, the most insecure tools for communication on the list. At the other end, on the right, are the most secure options. Each of the options on the far right side is made with secure communications alone in mind and is an app installed onto a device.
The middle contains secure communication apps which are free to download from app stores onto any device. Each is extremely easy to find and install.
To the right side, communications may take extra steps, but none are major, and they come with the reassurance of security for your messages.
iMessage, Facebook Messenger and WhatsApp: Well-known but insecure
These are among the most popular private chat apps in the world, used by millions. It is highly likely that someone you know, in your family or group of friends, has one of these. If you are in an office or workspace, ask how many people have any of these three. There is a good chance you could be looking at nearly 50%, if not more. They are easy to get, free and simple. However, this deal is not without its catches.
WhatsApp has only recently begun to encrypt messages by default. Previously, neither messages nor their backups were encrypted. To add to this, whilst messages are now encrypted, the metadata that surrounds them is not. With Facebook Messenger, it is not until you switch into “Private chat mode” that your messages become end-to-end encrypted. Without doing this, anyone, including advertising algorithms, can fully access and read all of your messages. Ads have been inserted into group conversations, marked as adverts, but with targeted marketing fully based on what was being discussed in the conversation.
All of this is less than reassuring. As previously talked about on this blog, the metadata is as vital and important as the message. To add to this, Facebook has announced plans to insert advertising into WhatsApp, using messaging and personal metadata, by 2020. This is rumoured to be among the reasons why the founders of WhatsApp decided to leave Facebook.
Meanwhile, iMessage, Apple’s private chat app, has always used end-to-end encryption for its messaging, and the data is supposedly unable to be read by Apple. But private keys for messaging are all stored in Apple servers and could be stolen. As previous iCloud hacks have proven, if you save onto iCloud, it can easily be retrieved with your password.
These apps are fine for talking with friends, but do not be fooled. They are not private chat apps, and they will not keep your conversations protected.
Once something is saved and stored to the internet, it will be there forever. This is an important point to remember. There is no guarantee of fully deleting something from the internet, as much as we would all like there to be. WhatsApp, iMessage and Facebook chats exist somewhere on the internet, out there. And if you can recover them, then so can someone else.
Signal, Telegram and Wickr: They are free, but what is the real cost?
Among end-to-end encrypted software apps, the popular choices include Signal, Telegram and Wickr. Signal is famously used by Edward Snowden, who has recommended the app for anyone who wants to have a secure messaging solution. The other two both have followings, though with Telegram, concerns have been raised about how secure it actually is and whether the messaging is actually private from the company.
Like those in the previous section, they are free to use, quickly downloaded and easily started up. Friends and contacts can be found using email addresses and phone numbers. For the most part, these are secure communication apps.
While it may sound like a positive at first, the major issue with these apps is the price. Being free is a fantastic way to gain traction and to build a large mass of users quickly, but how do you support and help the users? How is the app going to be developed or fixed, should it need it? When you are relying on volunteers to patch problems, can you guarantee how long the fix will take?
We believe support is essential and should be available whenever you need it. Whilst this does not mean an end for any of these apps, it should be considered who is spending the money to keep the app going and why. Donors, foundations and investors may not be keen to remain as the source of income. And if the money goes and the app requires money to keep going, how long will that app carry on before it stops?
Threema: How secure is the device you install to?
When we performed our own test comparing secure messaging apps, Threema scored highly. By paying a fee, you know that the money is going to support the app and keep it updated, as well as showing the device has a source of income. Providing secure messaging, Threema is a fine solution for business messaging.
But, much like the apps previously mentioned, one glaring, and potentially fatal, flaw exists: the device it is stored on. If a malicious app, such as a key logger, intercepts and captures your communications, then how secure your app is becomes pointless. The messages are already compromised and they are no longer as private as you would like.
This flaw is not something that Threema is at fault for, nor something they can control. While there are steps that can be taken so that the risk can be mitigated, such as VPNs, any app built to be downloaded to a device via an app store can be undone by what is already on the device.
Device-based: Not always for everyone, but ultra-secure
In the third group we find hardware dedicated to secure messaging solutions. Devices offered by ourselves, SKY ECC, and our competitors offer users the largest degree of protection. However, two devices are needed. For these solutions, a custom-built or off-the-shelf phone is taken and tailored to be used with secure communications in mind. This includes managing features, such as Bluetooth, so that they remain disabled, leveraging on-chip tamper resistance, having the app pre-installed into a secure container in the phone, and making sure the network is properly secured.
For high value executives who travel repeatedly outside of North America and Europe, government officials and anyone who wishes to make sure their privacy is fully protected, this level of security is essential.
Whilst still smartphones, devices like these are protected so that social media and email cannot be used, as well as preventing the installation of new apps and restricting internet usage. Each of these functions poses a large risk to the device in terms of security, with spam, malware, mobile viruses and phishing all potential threats. Having each of these features may not be convenient, but it allows the device to be secure. And that is the aim. Whilst it comes at a trade-off, it allows the device to be better protected. Going with a device-based solution means purchasing the hardware, a secure device, as well as the software.
Having a second device is a deal breaker for many, and that is completely understandable. But for those whose needs cannot be met by what they may be able to install onto their devices, the hassle of two devices is minimal compared to making sure that valuable information and messages do not find themselves in the wrong hands.
Approaching private chat apps – The SKY ECC way
To make sure we can be put in the conversation of providing the most secure phone anywhere, we do things a little differently at SKY ECC.
We make sure that we know how and where the devices we use were made and, through rigorous testing, we make sure of the platform’s security, alongside leveraging the strengths of Android or iOS without customizing the OS, so as to allow for updates (once customized, an OS is unable to be updated or patched directly). We also make sure that whenever Android or iOS updates, our users can also update immediately, with any new security holes fixed.
Customized versions of Android need to wait for our competitors to complete the patch with ‘custom’ phones. This could potentially take anywhere from a few days up to a few weeks, depending on the nature of the update. If the problem at hand severely compromises security, then a patch is needed as quickly as possible. Leaving our customers at the mercy of high-risk flaws whilst waiting for a patch is something we do not believe in. For the secure container and app, we use standardized Mobile Device Management software, with the manufacturer making sure it is well tested and well supported.
We can never be 100% certain that our devices are invulnerable to dangers and threats, but we go to great lengths to help protect the devices, the private chat app and the network from threats.
The array of different types of secure messaging apps may seem daunting at first, but it is not as complex as it would first seem. Each messaging solution lies somewhere along the continuum between convenience and security. The more secure it is, the less convenient it will be, and vice versa. The applications are often used by many people for different purposes: iMessage and SMS for messages and texts, WhatsApp for communicating in groups, and more secure devices and apps for extremely sensitive and private communication.
No single communication app is right for every person, but what is important to remember are the advantages and disadvantages of each choice you make. For a better understanding, have a look at the right chat apps.
Not every message requires a second device. But when you do need one, you require a solution that will keep your information and messages secure. At SKY GLOBAL, we believe private communications are something everyone has a right to. When you put your trust in us to protect your communications, we take that responsibility as our main mission. If you have any friends yet to be convinced, then our posts on 7 reasons why your team should use secure messaging and 7 myths about encrypted messages to stop believing now should help.