When it comes to making a good secure messaging app, there are a hundred or so features that could be called essential. They fall into three groups. There are the technical parts, such as the encryption strength or perfect forward secrecy. Then there are the philosophical parts, such as the company's approach to privacy and how contracts are managed. And finally, there is the user-focused side. Because let's be honest, if a messaging app is hard to use, regardless of whether it is secure or not, you are unlikely to use it.
So this list of what goes into making a good secure messaging app has been organised into these three parts. Now, whilst we do think that the best secure messaging app available is SKY ECC, we are not going to make this all about SKY ECC, and in fact, there are many good apps available for you. There are even some apps that, whilst they do not have all the functions looked for (such as being user funded), meet many of the other criteria.
Features such as "can only run on a secure managed device" or "can only run on certain devices alongside tamper-resistance" have been omitted from this list. These sorts of features do make SKY ECC a much more secure option compared to other secure messaging solutions, but there are a variety of secure solutions to get around this that you can obtain on most devices from various app stores.
Behind a smooth design and presentation, the tech that powers it must be equally smooth and well designed. The following are a few tech aspects that you want to see:
- Strong end-to-end encryption: Whilst it seems redundant to say this (as who would want weak encryption?), there are different levels of encryption strength. For example, iMessage sits at 1280 bit RSA, Telegram at 2048 RSA. Both of these are much weaker than the encryption used by Threema, WhatsApp or Signal, which stands at 128 ECDH (which works out, roughly, to 3072 bit RSA). SKY ECC with its 521 bit ECDH is stronger than these, with the equivalent of 15,360 bit RSA, giving you the strongest encryption for a messaging app. End-to-end encryption (E2EE) is needed as a default at all times. This is not something where you can settle for second best. If it is not encrypted, then it is not secure.
- Perfect forward secrecy: Each message is encrypted by a unique session key, which is based on your secret key. This means that if your secret key were to be compromised, each of your messages would still be secure, as you would need the unique session key to decrypt any of them. Each time you load up the app, the app creates and destroys these keys, so obtaining information from them is virtually impossible.
- Brute force protections: Every phone has some form of protection, including brute force protections. However, you need a secure app to have additional layers in case someone attempts to force their way into the app. 3 to 10 attempts are allowed with SKY ECC before the app resets itself and all data is deleted. A CAPTCHA word is required on the final attempt, making automated password cracking extremely challenging.
- Shielded/protected from malware: Information should not be able to flow freely out of a secure messaging app. For example, with SKY ECC, you can copy and paste information inside the app, but you cannot then paste it outside of the app. The app needs to be walled off from the rest of the device. Watertight, so to speak.
- Protected network connections: When it comes to protecting your information, it is essential that not just messages, but all communications coming to and going from your device are protected. A lot of information is passed from device to device when they interact, such as IP addresses, passwords and usernames. These need to be exchanged so the communication can happen. This information needs to be protected. If not, someone could find your location or start a man-in-the-middle attack on you.
From secure tunnels to sending combinations of encrypted data through mobile networks via VPNs, we make sure that your information and data are properly protected, even before you send anything. To learn more on this, check out our article on network protections!
- Spoofing/impersonation protections: No one wants to be impersonated. A secure messaging app needs more protection to stop this than just a username and account. Our way of doing this is to make sure that each device has one account associated with it. Essentially, the account is locked to it. That means that a second SKY ECC account cannot be on the same device and you cannot have SKY ECC on two different devices. Some other apps, such as WhatsApp, have protections, but sadly these are often not enough.
- Secure storage: Insecure storage means your files are at risk. Media file jacking is likely if using local file storage. A secure section is needed inside the app if the app has some form of media storage feature. The protections of the device are often not enough to make sure attachment data is kept safe.
- Metadata encryption: When in transit, each message should be encrypted, along with the metadata, such as the timestamp. This is to make sure the network connection is kept safe. Once they have arrived, they can be decrypted, but in transit they must remain unreadable. Your metadata tells a lot more about you than you may realise.
- Privacy protections: When it comes to secure messaging, you should be able to know that your account is not tied in any way to your phone number or email address. If your app does need either of these, then it should be securely protected and undiscoverable from anything else.
- No backups: Message backups as a feature are far too risky for us. Making sure that you have a store of your chats is sacrificing your privacy as well as the privacy of the people that you have communicated with. With a new SKY ECC device, you only get your contact list, everything else is gone. It is not as convenient, but convenience and security do not always match up perfectly. And security is far more important to us.
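The perfect forward secrecy item above, worked through as an added example (not SKY ECC's code or protocol): a session key derived only from long-term keys can be rebuilt later by anyone who steals one of them, while a key derived from throwaway per-session keys cannot. It assumes X25519 and HKDF-SHA256 as stand-ins for whatever curve and KDF an app uses, and it leaves out the signature that would normally tie the ephemeral keys to an identity.

```python
import hashlib
import hmac
import secrets

P = 2**255 - 19                    # Curve25519 field prime (RFC 7748)
BASE = (9).to_bytes(32, "little")  # standard base point u = 9

def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Teaching code: not constant-time."""
    k = (int.from_bytes(scalar, "little") & ((1 << 254) - 8)) | (1 << 254)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = aa - bb
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def session_key(shared: bytes, transcript: bytes) -> bytes:
    """HKDF-SHA256 (RFC 5869) with a zero salt, one 32-byte output block."""
    prk = hmac.new(b"\x00" * 32, shared, hashlib.sha256).digest()
    return hmac.new(prk, transcript + b"\x01", hashlib.sha256).digest()

def static_session(my_long_term: bytes, peer_long_term_pub: bytes) -> bytes:
    """No forward secrecy: the key is a pure function of long-term secrets."""
    return session_key(x25519(my_long_term, peer_long_term_pub), b"static")

def ephemeral_session():
    """Forward secrecy: fresh secrets per session, discarded after use."""
    # A real protocol also signs a_pub and b_pub with the long-term keys.
    a, b = secrets.token_bytes(32), secrets.token_bytes(32)
    a_pub, b_pub = x25519(a, BASE), x25519(b, BASE)
    transcript = a_pub + b_pub                   # bind the key to this exchange
    key_a = session_key(x25519(a, b_pub), transcript)
    key_b = session_key(x25519(b, a_pub), transcript)
    del a, b   # drops the references; a real app also zeroises the memory
    return key_a, key_b
```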
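The brute force item above describes a capped number of attempts, a CAPTCHA on the final one and a wipe afterwards. The sketch below is an added example of that logic, not SKY ECC's implementation; the class name `AppLock`, its return strings, the in-memory `vault` and the PBKDF2 parameters are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class AppLock:
    """Hypothetical passcode gate: capped attempts, CAPTCHA before the last, wipe after it."""

    def __init__(self, passcode: str, max_attempts: int = 5):
        if not 3 <= max_attempts <= 10:          # range quoted in the text above
            raise ValueError("max_attempts must be between 3 and 10")
        self.max_attempts = max_attempts
        self.failures = 0
        self.wiped = False
        self._salt = secrets.token_bytes(16)
        self._verifier = self._derive(passcode)
        self.vault = {"messages": ["constructed sample message"]}

    def _derive(self, passcode: str) -> bytes:
        # Slow KDF: only a salted verifier is stored, never the passcode itself.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 200_000)

    def captcha_required(self) -> bool:
        return not self.wiped and self.failures == self.max_attempts - 1

    def unlock(self, passcode: str, captcha_ok: bool = False) -> str:
        if self.wiped:
            return "wiped"
        if self.captcha_required() and not captcha_ok:
            return "captcha_required"            # the guess is not even evaluated
        self.failures += 1       # count the attempt before checking it, so an
                                 # interrupted check cannot hand back a free guess
        if hmac.compare_digest(self._derive(passcode), self._verifier):
            self.failures = 0
            return "unlocked"
        if self.failures >= self.max_attempts:
            self._wipe()
            return "wiped"
        return "denied"

    def _wipe(self) -> None:
        self.vault.clear()                       # stands in for erasing app data
        self._salt = self._verifier = b""
        self.wiped = True
```

In a real app the failure counter has to live in storage that survives a restart or reinstall, otherwise killing the process resets the count.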
User interface and experience
An ideal app has features that help privacy and usability, boosting a user's experience with the app so that they find it smooth and easy to operate.
- Easy to use: As mentioned above, an app needs to be easy to use. It should be simple for anyone to figure out how to open the app and how then to use it. Throwing exchange keys, encryption keys or just chat at the user at the start does not help. Whenever a secure messaging app is shown to be hard to use, people do not use it. Ease of use is always a winner. For this, you need an app that is intuitive, such as SKY ECC. Whilst a few neat features may pass you by at first glance, like the calculator mode, the rest is easy and, most importantly, just makes sense.
- Control over shared attachments and messaging: When it comes to messaging, you need to be able to revoke messages, along with attachments, decide when messages automatically expire and be able to make sure that only the people you want can access the files and images that you send. Having these controls is something needed when it comes to protecting your privacy.
- Control of contacts: You should have control over who contacts you. Random users who you do not know should not be able to randomly start chatting with you. Everyone who contacts you must be people you want to be able to contact you. The only way that they should know your contact details is that you have purposely given them your user ID.
- Anonymity: Similar to the point above, if you wish to be anonymous whilst using the app then you should have the option to. Whilst this can be inconvenient for app makers such as ourselves, it means that you never have to put in your real name, images of yourself or anything that may be used to identify you. This is something essential to true privacy.
Philosophical company beliefs
It is all good for companies to lavish praise on how secure their messaging app is, but their company beliefs must match too. If the company is willing to let security agencies install backdoors into servers or apps, then it is clear that this company does not value your privacy and security. For us, protecting our users' rights to security and privacy is one of our core tenets. The following points are core actions and beliefs that really make communication solutions secure.
- A strong defence of protecting personal privacy: When it comes to personal privacy, the company needs to hold a strong stance on it, placing it at the core of the very business. Even at the cost of convenience (like backing up messages on a server), they should put personal privacy before everything else. At SKY ECC, we make sure that the privacy of our customers is always protected. Personal information is never gathered, and users can be anonymous should they wish to be.
- No encryption backdoors: To us, the idea that a backdoor can be secure is a fantasy. Even whilst other apps, like WhatsApp, deal with continuous pressure from governments to add backdoors into their apps, we will always resist.
Encryption with a “backdoor” is called “in the clear”
— FirmWarez (@FirmWarez) January 18, 2020
- Zero advertising in the app: This may seem like something very simple and clear, but for big companies like WhatsApp and Facebook, it is a line they are all too willing to cross, at the expense of your privacy. An app with adverts inside it is harvesting user data and thus going against everything we stand for. You cannot have a privacy-first standpoint and have ads. This is before even getting to the technical side, like how many ads link to malicious websites, or advert tracking: it is clear that secure messaging and adverts cannot exist together.
- Next to no data on the servers: When it comes to secure messaging servers, they should just be relays for the client devices and nothing else. There is quite a bit of information that should not be kept. This includes the location, carrier, type of device and even identifiable information. No true secure messaging solution should ever keep any of this information, even if it is encrypted. With it sitting there on servers, it is a liability and compromises the user's security. With SKY ECC, the only information that we will ever store on our servers is your encrypted contact list. Should you ever need to wipe your device, only the contact list will be available to you. We make sure that we keep nothing on our servers other than what is needed to get a message from the sender to the receiver, and that is it. And once it has been sent, we make sure it is deleted. As we do not have information on which ECC IDs match up to individual users, should we ever receive a request from law enforcement looking for information on a user, we can help to the full extent without ever compromising our beliefs in privacy and security, or the promise to the customer of the same values.
- User funded: Free apps sound great at first. You have to spend nothing and get a service for it. Great! However, the longer you look at a free secure messaging app, the more you see the flaws. How is it going to make money? At the end of the day, everything requires money to run and that has to come from somewhere. So if your secure messaging app is free, where will it find that money? From outside funding? From adverts? The last point showed why that is not a good idea. Whilst you have to spend, you know with a paid app that it has money to keep it running, to have patches ready quickly, and that help is there when you need it. When you pay, there is a range of benefits that come with it. A good app does not form out of thin air. At SKY ECC we have a large team working on the product, providing support and managing the servers. All of this costs money. Seeing where an app's money comes from is vital when deciding what secure messaging app to use.
Choosing your secure messaging app matters
At SKY ECC, we see people being able to communicate securely and privately as a vital part of our democracy and freedoms, something all should be able to do. Whether it is whistle-blowers and journalists helping uncover corruption, or companies and medical corporations trying to protect cutting-edge advancements from corporate thieves and sabotage, secure messaging solutions are essential to helping them.
That is why we made sure that each feature listed here is implemented in SKY ECC. We make sure to go that bit further for our customers, so that we can guarantee the security and privacy they deserve.
When using a device with SKY ECC, you have the most secure and strongest messaging solution available at your disposal. This is what we promise to you and every user of our devices. If you would like to find out more, get in touch today.